FIPS Product: YES
FIPS Kernel: NO
FIPS Mode: NO
NSS DB directory: sql:/etc/ipsec.d
Initializing NSS
Opening NSS database "sql:/etc/ipsec.d" read-only
NSS initialized
NSS crypto library initialized
FIPS HMAC integrity support [enabled]
FIPS mode disabled for pluto daemon
FIPS HMAC integrity verification self-test FAILED
libcap-ng support [enabled]
Linux audit support [enabled]
Linux audit activated
Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:26945
core dump dir: /var/tmp
secrets file: /etc/ipsec.secrets
leak-detective enabled
NSS crypto [enabled]
XAUTH PAM support [enabled]
| libevent is using pluto's memory allocator
Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
| libevent_malloc: new ptr-libevent@0x559e01bd7988 size 40
| libevent_malloc: new ptr-libevent@0x559e01bd7cd8 size 40
| libevent_malloc: new ptr-libevent@0x559e01bd7dd8 size 40
| creating event base
| libevent_malloc: new ptr-libevent@0x559e01c5cd68 size 56
| libevent_malloc: new ptr-libevent@0x559e01c00718 size 664
| libevent_malloc: new ptr-libevent@0x559e01c5cdd8 size 24
| libevent_malloc: new ptr-libevent@0x559e01c5ce28 size 384
| libevent_malloc: new ptr-libevent@0x559e01c5cd28 size 16
| libevent_malloc: new ptr-libevent@0x559e01bd7908 size 40
| libevent_malloc: new ptr-libevent@0x559e01bd7d38 size 48
| libevent_realloc: new ptr-libevent@0x559e01c003a8 size 256
| libevent_malloc: new ptr-libevent@0x559e01c5cfd8 size 16
| libevent_free: release ptr-libevent@0x559e01c5cd68
| libevent initialized
| libevent_realloc: new ptr-libevent@0x559e01c5cd68 size 64
| global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds
| init_nat_traversal() initialized with keep_alive=0s
NAT-Traversal support [enabled]
| global one-shot timer EVENT_NAT_T_KEEPALIVE initialized
| global one-shot timer EVENT_FREE_ROOT_CERTS initialized
| global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds
| global one-shot timer EVENT_REVIVE_CONNS initialized
| global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds
| global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds
Encryption algorithms:
AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c
AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b
AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a
3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des
CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia
AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c
AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b
AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a
AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr
AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes
SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent
TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish
TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh
NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac
NULL IKEv1: ESP IKEv2: ESP []
CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305
Hash algorithms:
MD5 IKEv1: IKE IKEv2:
SHA1 IKEv1: IKE IKEv2: FIPS sha
SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256
SHA2_384 IKEv1: IKE IKEv2: FIPS sha384
SHA2_512 IKEv1: IKE IKEv2: FIPS sha512
PRF algorithms:
HMAC_MD5 IKEv1: IKE IKEv2: IKE md5
HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1
HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256
HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384
HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512
AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc
Integrity algorithms:
HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5
HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1
HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512
HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384
HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96
AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
DH algorithms:
NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0
MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5
MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14
MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15
MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16
MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17
MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18
DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256
DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384
DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521
DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519
testing CAMELLIA_CBC:
Camellia: 16 bytes with 128-bit key
Camellia: 16 bytes with 128-bit key
Camellia: 16 bytes with 256-bit key
Camellia: 16 bytes with 256-bit key
testing AES_GCM_16:
empty string
one block
two blocks
two blocks with associated data
testing AES_CTR:
Encrypting 16 octets using AES-CTR with 128-bit key
Encrypting 32 octets using AES-CTR with 128-bit key
Encrypting 36 octets using AES-CTR with 128-bit key
Encrypting 16 octets using AES-CTR with 192-bit key
Encrypting 32 octets using AES-CTR with 192-bit key
Encrypting 36 octets using AES-CTR with 192-bit key
Encrypting 16 octets using AES-CTR with 256-bit key
Encrypting 32 octets using AES-CTR with 256-bit key
Encrypting 36 octets using AES-CTR with 256-bit key
testing AES_CBC:
Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
testing AES_XCBC:
RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input
RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input
RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input
RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input
RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input
RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input
RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input
RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
testing HMAC_MD5:
RFC 2104: MD5_HMAC test 1
RFC 2104: MD5_HMAC test 2
RFC 2104: MD5_HMAC test 3
8 CPU cores online
starting up 7 crypto helpers
started thread for crypto helper 0
| starting up helper thread 0
| status value returned by setting the priority of this thread (crypto helper 0) 22
| crypto helper 0 waiting (nothing to do)
started thread for crypto helper 1
started thread for crypto helper 2
started thread for crypto helper 3
| starting up helper thread 3
| status value returned by setting the priority of this thread (crypto helper 3) 22
| crypto helper 3 waiting (nothing to do)
started thread for crypto helper 4
| starting up helper thread 4
| status value returned by setting the priority of this thread (crypto helper 4) 22
| crypto helper 4 waiting (nothing to do)
| starting up helper thread 2
| status value returned by setting the priority of this thread (crypto helper 2) 22
started thread for crypto helper 5
| crypto helper 2 waiting (nothing to do)
| starting up helper thread 5
| status value returned by setting the priority of this thread (crypto helper 5) 22
| crypto helper 5 waiting (nothing to do)
| starting up helper thread 6
| status value returned by setting the priority of this thread (crypto helper 6) 22
| starting up helper thread 1
started thread for crypto helper 6
| crypto helper 6 waiting (nothing to do)
| status value returned by setting the priority of this thread (crypto helper 1) 22
| crypto helper 1 waiting (nothing to do)
| checking IKEv1 state table
| MAIN_R0: category: half-open IKE SA flags: 0:
| -> MAIN_R1 EVENT_SO_DISCARD
| MAIN_I1: category: half-open IKE SA flags: 0:
| -> MAIN_I2 EVENT_RETRANSMIT
| MAIN_R1: category: open IKE SA flags: 200:
| -> MAIN_R2 EVENT_RETRANSMIT
| -> UNDEFINED EVENT_RETRANSMIT
| -> UNDEFINED EVENT_RETRANSMIT
| MAIN_I2: category: open IKE SA flags: 0:
| -> MAIN_I3 EVENT_RETRANSMIT
| -> UNDEFINED EVENT_RETRANSMIT
| -> UNDEFINED EVENT_RETRANSMIT
| MAIN_R2: category: open IKE SA flags: 0:
| -> MAIN_R3 EVENT_SA_REPLACE
| -> MAIN_R3 EVENT_SA_REPLACE
| -> UNDEFINED EVENT_SA_REPLACE
| MAIN_I3: category: open IKE SA flags: 0:
| -> MAIN_I4 EVENT_SA_REPLACE
| -> MAIN_I4 EVENT_SA_REPLACE
| -> UNDEFINED EVENT_SA_REPLACE
| MAIN_R3: category: established IKE SA flags: 200:
| -> UNDEFINED EVENT_NULL
| MAIN_I4: category: established IKE SA flags: 0:
| -> UNDEFINED EVENT_NULL
| AGGR_R0: category: half-open IKE SA flags: 0:
| -> AGGR_R1 EVENT_SO_DISCARD
| AGGR_I1: category: half-open IKE SA flags: 0:
| -> AGGR_I2 EVENT_SA_REPLACE
| -> AGGR_I2 EVENT_SA_REPLACE
| AGGR_R1: category: open IKE SA flags: 200:
| -> AGGR_R2 EVENT_SA_REPLACE
| -> AGGR_R2 EVENT_SA_REPLACE
| AGGR_I2: category: established IKE SA flags: 200:
| -> UNDEFINED EVENT_NULL
| AGGR_R2: category: established IKE SA flags: 0:
| -> UNDEFINED EVENT_NULL
| QUICK_R0: category: established CHILD SA flags: 0:
| -> QUICK_R1 EVENT_RETRANSMIT
| QUICK_I1: category: established CHILD SA flags: 0:
| -> QUICK_I2 EVENT_SA_REPLACE
| QUICK_R1: category: established CHILD SA flags: 0:
| -> QUICK_R2 EVENT_SA_REPLACE
| QUICK_I2: category: established CHILD SA flags: 200:
| -> UNDEFINED EVENT_NULL
| QUICK_R2: category: established CHILD SA flags: 0:
| -> UNDEFINED EVENT_NULL
| INFO: category: informational flags: 0:
| -> UNDEFINED EVENT_NULL
| INFO_PROTECTED: category: informational flags: 0:
| -> UNDEFINED EVENT_NULL
| XAUTH_R0: category: established IKE SA flags: 0:
| -> XAUTH_R1 EVENT_NULL
| XAUTH_R1: category: established IKE SA flags: 0:
| -> MAIN_R3 EVENT_SA_REPLACE
| MODE_CFG_R0: category: informational flags: 0:
| -> MODE_CFG_R1 EVENT_SA_REPLACE
| MODE_CFG_R1: category: established IKE SA flags: 0:
| -> MODE_CFG_R2 EVENT_SA_REPLACE
| MODE_CFG_R2: category: established IKE SA flags: 0:
| -> UNDEFINED EVENT_NULL
| MODE_CFG_I1: category: established IKE SA flags: 0:
| -> MAIN_I4 EVENT_SA_REPLACE
| XAUTH_I0: category: established IKE SA flags: 0:
| -> XAUTH_I1 EVENT_RETRANSMIT
| XAUTH_I1: category: established IKE SA flags: 0:
| -> MAIN_I4 EVENT_RETRANSMIT
| checking IKEv2 state table
| PARENT_I0: category: ignore flags: 0:
| -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT)
| PARENT_I1: category: half-open IKE SA flags: 0:
| -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification)
| -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH)
| PARENT_I2: category: open IKE SA flags: 0:
| -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification)
| -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification)
| -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification)
| -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response)
| -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification)
| PARENT_I3: category: established IKE SA flags: 0:
| -> PARENT_I3 EVENT_RETAIN (I3: Informational Request)
| -> PARENT_I3 EVENT_RETAIN (I3: Informational Response)
| -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request)
| -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response)
| PARENT_R0: category: half-open IKE SA flags: 0:
| -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT)
| PARENT_R1: category: half-open IKE SA flags: 0:
| -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED))
| -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request)
| PARENT_R2: category: established IKE SA flags: 0:
| -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request)
| -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response)
| -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request)
| -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response)
| V2_CREATE_I0: category: established IKE SA flags: 0:
| -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA)
| V2_CREATE_I: category: established IKE SA flags: 0:
| -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response)
| V2_REKEY_IKE_I0: category: established IKE SA flags: 0:
| -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey)
| V2_REKEY_IKE_I: category: established IKE SA flags: 0:
| -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response)
| V2_REKEY_CHILD_I0: category: established IKE SA flags: 0:
| -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA)
| V2_REKEY_CHILD_I: category: established IKE SA flags: 0: <none>
| V2_CREATE_R: category: established IKE SA flags: 0:
| -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request)
| V2_REKEY_IKE_R: category: established IKE SA flags: 0:
| -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey)
| V2_REKEY_CHILD_R: category: established IKE SA flags: 0: <none>
| V2_IPSEC_I: category: established CHILD SA flags: 0: <none>
| V2_IPSEC_R: category: established CHILD SA flags: 0: <none>
| IKESA_DEL: category: established IKE SA flags: 0:
| -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
| CHILDSA_DEL: category: informational flags: 0: <none>
Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64
| Hard-wiring algorithms
| adding AES_CCM_16 to kernel algorithm db
| adding AES_CCM_12 to kernel algorithm db
| adding AES_CCM_8 to kernel algorithm db
| adding 3DES_CBC to kernel algorithm db
| adding CAMELLIA_CBC to kernel algorithm db
| adding AES_GCM_16 to kernel algorithm db
| adding AES_GCM_12 to kernel algorithm db
| adding AES_GCM_8 to kernel algorithm db
| adding AES_CTR to kernel algorithm db
| adding AES_CBC to kernel algorithm db
| adding SERPENT_CBC to kernel algorithm db
| adding TWOFISH_CBC to kernel algorithm db
| adding NULL_AUTH_AES_GMAC to kernel algorithm db
| adding NULL to kernel algorithm db
| adding CHACHA20_POLY1305 to kernel algorithm db
| adding HMAC_MD5_96 to kernel algorithm db
| adding HMAC_SHA1_96 to kernel algorithm db
| adding HMAC_SHA2_512_256 to kernel algorithm db
| adding HMAC_SHA2_384_192 to kernel algorithm db
| adding HMAC_SHA2_256_128 to kernel algorithm db
| adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db
| adding AES_XCBC_96 to kernel algorithm db
| adding AES_CMAC_96 to kernel algorithm db
| adding NONE to kernel algorithm db
| net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes
| global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds
| setup kernel fd callback
| add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x559e01c61ae8
| libevent_malloc: new ptr-libevent@0x559e01c01ed8 size 128
| libevent_malloc: new ptr-libevent@0x559e01c61bf8 size 16
| add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x559e01c62608
| libevent_malloc: new ptr-libevent@0x559e01c03918 size 128
| libevent_malloc: new ptr-libevent@0x559e01c625c8 size 16
| global one-shot timer EVENT_CHECK_CRLS initialized
selinux support is enabled.
| unbound context created - setting debug level to 5
| /etc/hosts lookups activated
| /etc/resolv.conf usage activated
| outgoing-port-avoid set 0-65535
| outgoing-port-permit set 32768-60999
| Loading dnssec root key from:/var/lib/unbound/root.key
| No additional dnssec trust anchors defined via dnssec-trusted= option
| Setting up events, loop start
| add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x559e01c62678
| libevent_malloc: new ptr-libevent@0x559e01c6e808 size 128
| libevent_malloc: new ptr-libevent@0x559e01c79a58 size 16
| libevent_realloc: new ptr-libevent@0x559e01c79a98 size 256
| libevent_malloc: new ptr-libevent@0x559e01c79bc8 size 8
| libevent_realloc: new ptr-libevent@0x559e01c01288 size 144
| libevent_malloc: new ptr-libevent@0x559e01c0d288 size 152
| libevent_malloc: new ptr-libevent@0x559e01c79c08 size 16
| signal event handler PLUTO_SIGCHLD installed
| libevent_malloc: new ptr-libevent@0x559e01c79c48 size 8
| libevent_malloc: new ptr-libevent@0x559e01c04e98 size 152
| signal event handler PLUTO_SIGTERM installed
| libevent_malloc: new ptr-libevent@0x559e01c79c88 size 8
| libevent_malloc: new ptr-libevent@0x559e01c79cc8 size 152
| signal event handler PLUTO_SIGHUP installed
| libevent_malloc: new ptr-libevent@0x559e01c79d98 size 8
| libevent_realloc: release ptr-libevent@0x559e01c01288
| libevent_realloc: new ptr-libevent@0x559e01c79dd8 size 256
| libevent_malloc: new ptr-libevent@0x559e01c79f08 size 152
| signal event handler PLUTO_SIGSYS installed
| created addconn helper (pid:27043) using fork+execve
| forked child 27043
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
listening for IKE messages
| Inspecting interface lo
| found lo with address 127.0.0.1
| Inspecting interface eth0
| found eth0 with address 192.0.2.254
| Inspecting interface eth1
| found eth1 with address 192.1.2.23
Kernel supports NIC esp-hw-offload
adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface eth1/eth1 192.1.2.23:4500
adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface eth0/eth0 192.0.2.254:4500
adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface lo/lo 127.0.0.1:4500
| no interfaces to sort
| FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a468
| libevent_malloc: new ptr-libevent@0x559e01c6e758 size 128
| libevent_malloc: new ptr-libevent@0x559e01c7a4d8 size 16
| setup callback for interface lo 127.0.0.1:4500 fd 22
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a518
| libevent_malloc: new ptr-libevent@0x559e01c00bb8 size 128
| libevent_malloc: new ptr-libevent@0x559e01c7a588 size 16
| setup callback for interface lo 127.0.0.1:500 fd 21
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a5c8
| libevent_malloc: new ptr-libevent@0x559e01c00b08 size 128
| libevent_malloc: new ptr-libevent@0x559e01c7a638 size 16
| setup callback for interface eth0 192.0.2.254:4500 fd 20
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a678
| libevent_malloc: new ptr-libevent@0x559e01c04dc8 size 128
| libevent_malloc: new ptr-libevent@0x559e01c7a6e8 size 16
| setup callback for interface eth0 192.0.2.254:500 fd 19
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a728
| libevent_malloc: new ptr-libevent@0x559e01bddba8 size 128
| libevent_malloc: new ptr-libevent@0x559e01c7a798 size 16
| setup callback for interface eth1 192.1.2.23:4500 fd 18
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a7d8
| libevent_malloc: new ptr-libevent@0x559e01bd81d8 size 128
| libevent_malloc: new ptr-libevent@0x559e01c7a848 size 16
| setup callback for interface eth1 192.1.2.23:500 fd 17
| certs and keys locked by 'free_preshared_secrets'
| certs and keys unlocked by 'free_preshared_secrets'
loading secrets from "/etc/ipsec.secrets"
| saving Modulus
| saving PublicExponent
| ignoring PrivateExponent
| ignoring Prime1
| ignoring Prime2
| ignoring Exponent1
| ignoring Exponent2
| ignoring Coefficient
| ignoring CKAIDNSS
| computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1
| computed rsa CKAID 8a 82 25 f1
loaded private key for keyid: PKK_RSA:AQO9bJbr3
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.757 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
listening for IKE messages
| Inspecting interface lo
| found lo with address 127.0.0.1
| Inspecting interface eth0
| found eth0 with address 192.0.2.254
| Inspecting interface eth1
| found eth1 with address 192.1.2.23
| no interfaces to sort
| libevent_free: release ptr-libevent@0x559e01c6e758
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a468
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a468
| libevent_malloc: new ptr-libevent@0x559e01c6e758 size 128
| setup callback for interface lo 127.0.0.1:4500 fd 22
| libevent_free: release ptr-libevent@0x559e01c00bb8
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a518
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a518
| libevent_malloc: new ptr-libevent@0x559e01c00bb8 size 128
| setup callback for interface lo 127.0.0.1:500 fd 21
| libevent_free: release ptr-libevent@0x559e01c00b08
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a5c8
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a5c8
| libevent_malloc: new ptr-libevent@0x559e01c00b08 size 128
| setup callback for interface eth0 192.0.2.254:4500 fd 20
| libevent_free: release ptr-libevent@0x559e01c04dc8
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a678
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a678
| libevent_malloc: new ptr-libevent@0x559e01c04dc8 size 128
| setup callback for interface eth0 192.0.2.254:500 fd 19
| libevent_free: release ptr-libevent@0x559e01bddba8
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a728
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a728
| libevent_malloc: new ptr-libevent@0x559e01bddba8 size 128
| setup callback for interface eth1 192.1.2.23:4500 fd 18
| libevent_free: release ptr-libevent@0x559e01bd81d8
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a7d8
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a7d8
| libevent_malloc: new ptr-libevent@0x559e01bd81d8 size 128
| setup callback for interface eth1 192.1.2.23:500 fd 17
| certs and keys locked by 'free_preshared_secrets'
forgetting secrets
| certs and keys unlocked by 'free_preshared_secrets'
loading secrets from "/etc/ipsec.secrets"
| saving Modulus
| saving PublicExponent
| ignoring PrivateExponent
| ignoring Prime1
| ignoring Prime2
| ignoring Exponent1
| ignoring Exponent2
| ignoring Coefficient
| ignoring CKAIDNSS
| computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1
| computed rsa CKAID 8a 82 25 f1
loaded private key for keyid: PKK_RSA:AQO9bJbr3
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.248 milliseconds in whack
| processing signal PLUTO_SIGCHLD
| waitpid returned pid 27043 (exited with status 0)
| reaped addconn helper child (status 0)
| waitpid returned ECHILD (no child processes left)
| spent 0.0151 milliseconds in signal handler PLUTO_SIGCHLD
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection road-eastnet-nonat with policy ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
| No AUTH policy was set - defaulting to RSASIG
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| counting wild cards for @road is 0
| counting wild cards for @east is 0
| based upon policy, the connection is a template.
| connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none
| new hp@0x559e01c7ce98
added connection description "road-eastnet-nonat"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
| 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]---192.1.2.254...%any[@road]===192.0.2.219/32
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.189 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
add keyid @road
| add pubkey 01 03 c7 15 fa 72 27 70 a4 e1 f3 0a 70 21 f9 0c
| add pubkey 3f e2 65 12 87 d9 fd 12 cb af d4 e0 c2 e3 dd 77
| add pubkey a0 ef aa c7 d6 a2 b2 30 f2 64 b0 c5 e6 c7 a7 27
| add pubkey 17 54 7a 8e 32 c9 ac fd bf 8f b3 33 b9 74 74 73
| add pubkey dd 23 83 11 53 d6 d4 91 0e 36 7e 67 fc 89 1e 48
| add pubkey ac e9 da 2e 66 9d 6e 4f e2 98 a7 dc 41 b3 a4 37
| add pubkey f5 07 a9 9c 23 69 83 54 87 7b ea 00 a7 5b ab 2d
| add pubkey 41 34 d1 a3 17 1e a7 64 2d 7f ff 45 7a 5d 85 5c
| add pubkey 73 dd 63 e7 40 ad eb 71 e6 5f 21 43 80 f5 23 4c
| add pubkey 3d 4a 11 2c ca 9a d6 79 c5 c2 51 6e af c3 6e 99
| add pubkey f5 26 1c 67 ee 8a 3e 30 4b c1 93 a7 92 34 36 8c
| add pubkey bf e6 d0 d3 fe 78 0b 0a 64 04 44 ca 8c 83 fd f1
| add pubkey 2e b5 00 76 61 a6 de f1 59 67 2b 6d c2 57 e0 f2
| add pubkey 7d 6b 9f d3 46 41 8c 31 c2 fd c4 60 72 08 3b bb
| add pubkey 56 fb 01 fc 1d 57 4e cf 7c 0f c4 6f 72 6f 2a 0e
| add pubkey f3 30 db a0 80 f9 70 cc bb 07 a9 f9 d7 76 99 63
| add pubkey 4b 6a 0f 1a 37 95 cb 9b ea 17 f7 55 62 6b 8a 83
| add pubkey 05 ff 43 78 57 dd bd 08 85 9c f1 62 35 6e 69 c7
| add pubkey 04 0b 4b c4 1b d2 38 89 8c de 56 d0 c8 2c 51 54
| add pubkey 32 1b 7d 27 dc cd 37 7a 4e cb 1a ec d2 ce 48 ed
| add pubkey 43 48 9c 8a fc 30 9f b1 57 1c a9 98 e5 84 93 6c
| add pubkey da 4d cc 95 e3 f5 f2 a5 b3 9d 70 ae 24 8d 08 3b
| add pubkey 0f 8c e9 5a a5 f0 4d 9c 3c 2f 7f bc 10 95 34 1c
| add pubkey 96 74 29 fc ab fb 8f 4b 71 aa 0b 26 b5 f0 32 98
| add pubkey 90 6a fd 31 f5 ab
| computed rsa CKAID 1a 15 cc e8 92 73 43 9c 2b f4 20 2a c1 06 6e f2
| computed rsa CKAID 59 b0 ef 45
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.105 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
add keyid @east
| add pubkey 01 03 bd 6c 96 eb df 78 89 b3 ed 77 0d a1 7f 7b
| add pubkey e5 16 c2 c9 e4 7d 92 0a 90 9d 55 43 b4 62 13 03
| add pubkey 85 7a e0 26 7b 54 1f ca 09 93 cf ff 25 c9 02 4c
| add pubkey 78 ca 94 e5 3e ac d1 f9 a8 e5 bb 7f cc 20 84 e0
| add pubkey 21 c9 f0 0d c5 44 ba f3 48 64 61 58 f6 0f 63 0d
| add pubkey d2 67 1e 59 8b ec f3 50 39 71 fb 39 da 11 64 b6
| add pubkey 62 cd 5f d3 8d 2e c1 50 ed 9c 6e 22 0c 39 a7 ce
| add pubkey 62 b5 af 8a 80 0f 2e 4c 05 5c 82 c7 8d 29 02 2e
| add pubkey bb 23 5f db f2 9e b5 7d e2 20 70 1a 63 f3 8e 5d
| add pubkey ac 47 f0 5c 26 4e b1 d0 42 60 52 4a b0 77 25 ce
| add pubkey e0 98 2b 43 f4 c7 59 1a 64 01 83 ea 4e e3 1a 2a
| add pubkey 92 b8 55 ab 63 dd 4b 70 47 29 dc e9 b4 60 bf 43
| add pubkey 4d 58 8f 64 73 95 70 ac 35 89 b2 c2 9c d4 62 c0
| add pubkey 5f 56 5f ad 1b e5 dd 49 93 6a f5 23 82 ed d4 e7
| add pubkey d5 f1 55 f2 2d a2 26 a6 36 53 2f 94 fb 99 22 5c
| add pubkey 47 cc 6d 80 30 88 96 38 0c f5 f2 ed 37 d0 09 d5
| add pubkey 07 8f 69 ef a9 99 ce 4d 1a 77 9e 39 c4 38 f3 c5
| add pubkey 51 51 48 ef
| computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1
| computed rsa CKAID 8a 82 25 f1
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0581 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_STATE_... in show_states_status (sort_states)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.26 milliseconds in whack
| spent 0.00306 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 828 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
| f5 24 5f 61 40 70 2b d5 00 00 00 00 00 00 00 00
| 21 20 22 08 00 00 00 00 00 00 03 3c 22 00 01 b4
| 02 00 00 64 01 01 00 0b 03 00 00 0c 01 00 00 14
| 80 0e 01 00 03 00 00 08 02 00 00 07 03 00 00 08
| 02 00 00 05 03 00 00 08 04 00 00 0e 03 00 00 08
| 04 00 00 0f 03 00 00 08 04 00 00 10 03 00 00 08
| 04 00 00 12 03 00 00 08 04 00 00 13 03 00 00 08
| 04 00 00 14 03 00 00 08 04 00 00 15 00 00 00 08
| 04 00 00 1f 02 00 00 64 02 01 00 0b 03 00 00 0c
| 01 00 00 14 80 0e 00 80 03 00 00 08 02 00 00 07
| 03 00 00 08 02 00 00 05 03 00 00 08 04 00 00 0e
| 03 00 00 08 04 00 00 0f 03 00 00 08 04 00 00 10
| 03 00 00 08 04 00 00 12 03 00 00 08 04 00 00 13
| 03 00 00 08 04 00 00 14 03 00 00 08 04 00 00 15
| 00 00 00 08 04 00 00 1f 02 00 00 74 03 01 00 0d
| 03 00 00 0c 01 00 00 0c 80 0e 01 00 03 00 00 08
| 02 00 00 07 03 00 00 08 02 00 00 05 03 00 00 08
| 03 00 00 0e 03 00 00 08 03 00 00 0c 03 00 00 08
| 04 00 00 0e 03 00 00 08 04 00 00 0f 03 00 00 08
| 04 00 00 10 03 00 00 08 04 00 00 12 03 00 00 08
| 04 00 00 13 03 00 00 08 04 00 00 14 03 00 00 08
| 04 00 00 15 00 00 00 08 04 00 00 1f 00 00 00 74
| 04 01 00 0d 03 00 00 0c 01 00 00 0c 80 0e 00 80
| 03 00 00 08 02 00 00 07 03 00 00 08 02 00 00 05
| 03 00 00 08 03 00 00 0e 03 00 00 08 03 00 00 0c
| 03 00 00 08 04 00 00 0e 03 00 00 08 04 00 00 0f
| 03 00 00 08 04 00 00 10 03 00 00 08 04 00 00 12
| 03 00 00 08 04 00 00 13 03 00 00 08 04 00 00 14
| 03 00 00 08 04 00 00 15 00 00 00 08 04 00 00 1f
| 28 00 01 08 00 0e 00 00 68 29 7e 9e b1 9f 26 93
| 6a 9a 52 78 5e bb b3 05 b1 6f 0f 54 a8 73 60 98
| e5 6c cf 6a 21 e7 ad a4 87 18 62 0b 73 f2 e7 6c
| b6 8d 1e 93 e9 bb e7 d7 18 fc 26 8f cf 9f 4e 89
| 6c 5e 20 a7 36 17 a4 fc ba 60 87 74 e2 4f 90 15
| c3 1a ce 11 15 65 8a 85 25 4e ae 40 bc 20 6c 3d
| 3e a0 53 b3 4b 08 6b c4 60 6f 9d 81 ff d8 51 5d
| c8 e2 fa 55 de a2 10 33 ea 8b 6b d7 39 be 04 1c
| 7a 8b b5 b5 fc 3a d5 f9 51 e1 42 e2 98 4c 89 43
| 19 92 04 db e1 68 87 a2 4e 99 ce 54 c6 ca 01 a8
| 4b 32 9c 98 33 bc a3 51 29 a7 ea 06 45 62 dc ae
| 66 cc 8e af b3 39 a0 04 6e e4 eb 27 ad 73 42 64
| f4 31 62 94 e4 4f f5 8d d1 31 1b 38 5b 85 d9 0c
| b1 fc ee 54 d9 7e d2 be 50 6a 77 49 8f 47 5b 27
| 01 3d 2d 19 62 b4 6f 7f 62 f5 a6 ee 93 4f eb f8
| bd 9c e8 18 ea 28 62 79 a3 78 05 b5 58 f9 1d 9a
| 18 e6 44 24 3d 18 00 af 29 00 00 24 e8 28 cf b3
| 91 a8 2f ba 16 fd db b9 86 92 6c b9 df aa fc 6e
| 92 2b c7 12 f0 1c f7 52 09 92 dd aa 29 00 00 08
| 00 00 40 2e 29 00 00 1c 00 00 40 04 f1 08 01 1d
| 21 c2 88 9a 9e 6e 1e 6d 7b 80 de e6 06 a4 15 71
| 00 00 00 1c 00 00 40 05 03 3e c9 13 e1 80 91 05
| 8e c9 f9 ed 8c 74 4c 82 97 ae 6f 5d
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
| initiator cookie:
| f5 24 5f 61 40 70 2b d5
| responder cookie:
| 00 00 00 00 00 00 00 00
| next payload type: ISAKMP_NEXT_v2SA (0x21)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_SA_INIT (0x22)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 0 (0x0)
| length: 828 (0x33c)
| processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request
| State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi)
| Now let's proceed with payload (ISAKMP_NEXT_v2SA)
| ***parse IKEv2 Security Association Payload:
| next payload type: ISAKMP_NEXT_v2KE (0x22)
| flags: none (0x0)
| length: 436 (0x1b4)
| processing payload: ISAKMP_NEXT_v2SA (len=432)
| Now let's proceed with payload (ISAKMP_NEXT_v2KE)
| ***parse IKEv2 Key Exchange Payload:
| next payload type: ISAKMP_NEXT_v2Ni (0x28)
| flags: none (0x0)
| length: 264 (0x108)
| DH group: OAKLEY_GROUP_MODP2048 (0xe)
| processing payload: ISAKMP_NEXT_v2KE (len=256)
| Now let's proceed with payload (ISAKMP_NEXT_v2Ni)
| ***parse IKEv2 Nonce Payload:
| next payload type: ISAKMP_NEXT_v2N (0x29)
| flags: none (0x0)
| length: 36 (0x24)
| processing payload: ISAKMP_NEXT_v2Ni (len=32)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2N (0x29)
| flags: none (0x0)
| length: 8 (0x8)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e)
| processing payload: ISAKMP_NEXT_v2N (len=0)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2N (0x29)
| flags: none (0x0)
| length: 28 (0x1c)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004)
| processing payload: ISAKMP_NEXT_v2N (len=20)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| length: 28 (0x1c)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
| processing payload: ISAKMP_NEXT_v2N (len=20)
| DDOS disabled and no cookie sent, continuing
| find_host_connection local=192.1.2.23:500 remote=192.1.3.209:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| find_next_host_connection returns empty
| find_host_connection local=192.1.2.23:500 remote=<none:> policy=ECDSA+IKEV2_ALLOW but ignoring ports
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (road-eastnet-nonat)
| find_next_host_connection returns empty
| initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW
| find_host_connection local=192.1.2.23:500 remote=192.1.3.209:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| find_next_host_connection returns empty
| find_host_connection local=192.1.2.23:500 remote=<none:> policy=RSASIG+IKEV2_ALLOW but ignoring ports
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (road-eastnet-nonat)
| find_next_host_connection returns road-eastnet-nonat
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| find_next_host_connection returns empty
| rw_instantiate
| connect_to_host_pair: 192.1.2.23:500 192.1.3.209:500 -> hp@(nil): none
| new hp@0x559e01c7f368
| rw_instantiate() instantiated "road-eastnet-nonat"[1] 192.1.3.209 for 192.1.3.209
| found connection: road-eastnet-nonat[1] 192.1.3.209 with policy RSASIG+IKEV2_ALLOW
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| creating state object #1 at 0x559e01c7f778
| State DB: adding IKEv2 state #1 in UNDEFINED
| pstats #1 ikev2.ike started
| Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0
| parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA)
| Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1
| start processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209 (in ikev2_process_packet() at ikev2.c:2016)
| State DB: IKEv2 state not found (find_v2_sa_by_responder_wip)
| [RE]START processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209 (in ike_process_packet() at ikev2.c:2064)
| #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000
| Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1
| Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0
| #1 in state PARENT_R0: processing SA_INIT request
| selected state microcode Respond to IKE_SA_INIT
| Now let's proceed with state specific processing
| calling processor Respond to IKE_SA_INIT
| #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669)
| constructing local IKE proposals for road-eastnet-nonat (IKE SA responder matching remote proposals)
| converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ... ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
"road-eastnet-nonat"[1] 192.1.3.209: constructed local IKE proposals for road-eastnet-nonat (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| Comparing remote proposals against IKE responder 4 local proposals
| local proposal 1 type ENCR has 1 transforms
| local proposal 1 type PRF has 2 transforms
| local proposal 1 type INTEG has 1 transforms
| local proposal 1 type DH has 8 transforms
| local proposal 1 type ESN has 0 transforms
| local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG
| local proposal 2 type ENCR has 1 transforms
| local proposal 2 type PRF has 2 transforms
| local proposal 2 type INTEG has 1 transforms
| local proposal 2 type DH has 8 transforms
| local proposal 2 type ESN has 0 transforms
| local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG
| local proposal 3 type ENCR has 1 transforms
| local proposal 3 type PRF has 2 transforms
| local proposal 3 type INTEG has 2 transforms
| local proposal 3 type DH has 8 transforms
| local proposal 3 type ESN has 0 transforms
| local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none
| local proposal 4 type ENCR has 1 transforms
| local proposal 4 type PRF has 2 transforms
| local proposal 4 type INTEG has 2 transforms
| local proposal 4 type DH has 8 transforms
| local proposal 4 type ESN has 0 transforms
| local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none
| ****parse IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_NON_LAST (0x2)
| length: 100 (0x64)
| prop #: 1 (0x1)
| proto ID: IKEv2_SEC_PROTO_IKE (0x1)
| spi size: 0 (0x0)
| # transforms: 11 (0xb)
| Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 12 (0xc)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_GCM_C (0x14)
| ******parse IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 256 (0x100)
| remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0
| remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0
| remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0
| remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none
| comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH
| remote proposal 1 matches local proposal 1
| ****parse IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_NON_LAST (0x2)
| length: 100 (0x64)
| prop #: 2 (0x2)
| proto ID: IKEv2_SEC_PROTO_IKE (0x1)
| spi size: 0 (0x0)
| # transforms: 11 (0xb)
| Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 12 (0xc)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_GCM_C (0x14)
| ******parse IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 128 (0x80)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH
| remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH
| ****parse IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_NON_LAST (0x2)
| length: 116 (0x74)
| prop #: 3 (0x3)
| proto ID: IKEv2_SEC_PROTO_IKE (0x1)
| spi size: 0 (0x0)
| # transforms: 13 (0xd)
| Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 12 (0xc)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_CBC (0xc)
| ******parse IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 256 (0x100)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH
| remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH
| ****parse IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_LAST (0x0)
| length: 116 (0x74)
| prop #: 4 (0x4)
| proto ID: IKEv2_SEC_PROTO_IKE (0x1)
| spi size: 0 (0x0)
| # transforms: 13 (0xd)
| Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 12 (0xc)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_CBC (0xc)
| ******parse IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 128 (0x80)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH
| remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH
"road-eastnet-nonat"[1] 192.1.3.209 #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519
| accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048
| converting proposal to internal trans attrs
| natd_hash: rcookie is zero
| natd_hash: hasher=0x559e00398800(20)
| natd_hash: icookie= f5 24 5f 61 40 70 2b d5
| natd_hash: rcookie= 00 00 00 00 00 00 00 00
| natd_hash: ip= c0 01 02 17
| natd_hash: port=500
| natd_hash: hash= 03 3e c9 13 e1 80 91 05 8e c9 f9 ed 8c 74 4c 82
| natd_hash: hash= 97 ae 6f 5d
| natd_hash: rcookie is zero
| natd_hash: hasher=0x559e00398800(20)
| natd_hash: icookie= f5 24 5f 61 40 70 2b d5
| natd_hash: rcookie= 00 00 00 00 00 00 00 00
| natd_hash: ip= c0 01 03 d1
| natd_hash: port=500
| natd_hash: hash= f1 08 01 1d 21 c2 88 9a 9e 6e 1e 6d 7b 80 de e6
| natd_hash: hash= 06 a4 15 71
| NAT_TRAVERSAL encaps using auto-detect
| NAT_TRAVERSAL this end is NOT behind NAT
| NAT_TRAVERSAL that end is NOT behind NAT
| NAT_TRAVERSAL nat-keepalive enabled 192.1.3.209
| adding ikev2_inI1outR1 KE work-order 1 for state #1
| event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x559e01c7cf78
| inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1
| libevent_malloc: new ptr-libevent@0x559e01c7d2f8 size 128
| crypto helper 0 resuming
| crypto helper 0 starting work-order 1 for state #1
| crypto helper 0 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1
| crypto helper 0 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.000978 seconds
| (#1) spent 0.978 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr)
| crypto helper 0 sending results from work-order 1 for state #1 to event queue
| scheduling resume sending helper answer for #1
| libevent_malloc: new ptr-libevent@0x7f6658002888 size 128
| crypto helper 0 waiting (nothing to do)
| #1 spent 0.759 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet()
| [RE]START processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v2_state_transition() at ikev2.c:3379)
| #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND
| suspending state #1 and saving MD
| #1 is busy; has a suspended MD
| [RE]START processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in log_stf_suspend() at ikev2.c:3269)
| "road-eastnet-nonat"[1] 192.1.3.209 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451
| stop processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 1.18 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 1.19 milliseconds in comm_handle_cb() reading and processing packet
| processing resume sending helper answer for #1
| start processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797)
| crypto helper 0 replies to request ID 1
| calling continuation function 0x559e002c3b50
| ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1
| **emit ISAKMP Message:
| initiator cookie:
| f5 24 5f 61 40 70 2b d5
| responder cookie:
| ae d8 70 55 7a d7 61 61
| next payload type: ISAKMP_NEXT_NONE (0x0)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_SA_INIT (0x22)
| flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
| Message ID: 0 (0x0)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| Emitting ikev2_proposal ...
| ***emit IKEv2 Security Association Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA)
| next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet'
| ****emit IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_LAST (0x0)
| prop #: 1 (0x1)
| proto ID: IKEv2_SEC_PROTO_IKE (0x1)
| spi size: 0 (0x0)
| # transforms: 3 (0x3)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| ******emit IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 36
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| emitting length of IKEv2 Security Association Payload: 40
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0
| ***emit IKEv2 Key Exchange Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| DH group: OAKLEY_GROUP_MODP2048 (0xe)
| next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE)
| next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet'
| emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
| ikev2 g^x 90 7c ea 65 9b df 1f 11 fc 0a 4a d6 b9 46 5a e4
| ikev2 g^x 96 4e 45 1a c2 9e 2a 37 82 a3 69 99 3d e4 30 09
| ikev2 g^x 5a 01 d1 85 20 70 79 b1 52 0e 87 95 a9 78 ea df
| ikev2 g^x 28 a0 88 96 79 c8 bd c8 92 21 93 9d 85 a4 26 2b
| ikev2 g^x 88 b4 4b 37 8c cc da 7d 29 f2 58 66 0d 9a 9d 2e
| ikev2 g^x eb 87 dc ed 6c c0 1d 83 fa c3 71 d5 76 c0 0d f3
| ikev2 g^x 9f 8d f9 e0 07 bc 36 2e aa cc 3a a6 95 ff 7d ec
| ikev2 g^x 9d 6a be 82 ad 12 c8 91 14 69 5b 89 74 a8 42 03
| ikev2 g^x a0 ca 3b 99 74 ce 0f 00 b3 a4 15 82 3b 79 cf b1
| ikev2 g^x e0 17 22 a0 06 b6 5c a8 42 77 52 46 76 fc 73 e5
| ikev2 g^x 9a e6 55 a1 a4 89 fb 1f 49 db 51 c1 4b b9 87 ba
| ikev2 g^x e2 7c 2b 3f 02 a4 f2 07 e6 82 5e ef 59 a2 9f 87
| ikev2 g^x d2 4e 5e 53 4a 24 8b 56 21 a6 eb 6a d1 fb 8f 95
| ikev2 g^x de 77 26 98 d3 d0 3d 7d d2 81 82 88 b4 93 71 b9
| ikev2 g^x 89 b5 84 a0 d5 f2 d0 af 4b b0 6b 3c c9 3f bd b2
| ikev2 g^x 40 9c e4 67 96 7d 4a 31 12 38 98 9a f5 32 7b 1f
| emitting length of IKEv2 Key Exchange Payload: 264
| ***emit IKEv2 Nonce Payload:
| next payload type: ISAKMP_NEXT_v2N (0x29)
| flags: none (0x0)
| next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N
| next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni)
| next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet'
| emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload
| IKEv2 nonce 56 99 82 72 70 90 b5 be 91 73 1e 81 5d 54 b7 61
| IKEv2 nonce 4e 5e 31 6b 56 10 9c a2 06 3d d8 84 87 27 47 36
| emitting length of IKEv2 Nonce Payload: 36
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e)
| next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting length of IKEv2 Notify Payload: 8
| NAT-Traversal support [enabled] add v2N payloads.
| natd_hash: hasher=0x559e00398800(20)
| natd_hash: icookie= f5 24 5f 61 40 70 2b d5
| natd_hash: rcookie= ae d8 70 55 7a d7 61 61
| natd_hash: ip= c0 01 02 17
| natd_hash: port=500
| natd_hash: hash= 62 d2 f8 5f 69 df d9 80 ce aa 8b 7e 9e 95 f6 c4
| natd_hash: hash= 2c 80 7f 78
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting 20 raw bytes of Notify data into IKEv2 Notify Payload
| Notify data 62 d2 f8 5f 69 df d9 80 ce aa 8b 7e 9e 95 f6 c4
| Notify data 2c 80 7f 78
| emitting length of IKEv2 Notify Payload: 28
| natd_hash: hasher=0x559e00398800(20)
| natd_hash: icookie= f5 24 5f 61 40 70 2b d5
| natd_hash: rcookie= ae d8 70 55 7a d7 61 61
| natd_hash: ip= c0 01 03 d1
| natd_hash: port=500
| natd_hash: hash= 9d 84 5b 9e 42 69 28 3d ee 40 b4 d7 98 64 8a 4a
| natd_hash: hash= 88 8c 03 bd
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting 20 raw bytes of Notify data into IKEv2 Notify Payload
| Notify data 9d 84 5b 9e 42 69 28 3d ee 40 b4 d7 98 64 8a 4a
| Notify data 88 8c 03 bd
| emitting length of IKEv2 Notify Payload: 28
| going to send a certreq
| connection->kind is not CK_PERMANENT (instance), so collect CAs
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| Not a roadwarrior instance, sending empty CA in CERTREQ
| ***emit IKEv2 Certificate Request Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| ikev2 cert encoding: CERT_X509_SIGNATURE (0x4)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Certificate Request Payload (38:ISAKMP_NEXT_v2CERTREQ)
| next payload chain: saving location 'IKEv2 Certificate Request Payload'.'next payload type' in 'reply packet'
| emitting length of IKEv2 Certificate Request Payload: 5
| emitting length of ISAKMP Message: 437
| [RE]START processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v2_state_transition() at ikev2.c:3379)
| #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK
| IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1
| parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA)
| Message ID: updating counters for #1 to 0 after switching state
| Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1
| Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1
"road-eastnet-nonat"[1] 192.1.3.209 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
| sending V2 new request packet to 192.1.3.209:500 (from 192.1.2.23:500)
| sending 437 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1)
| f5 24 5f 61 40 70 2b d5 ae d8 70 55 7a d7 61 61
| 21 20 22 20 00 00 00 00 00 00 01 b5 22 00 00 28
| 00 00 00 24 01 01 00 03 03 00 00 0c 01 00 00 14
| 80 0e 01 00 03 00 00 08 02 00 00 07 00 00 00 08
| 04 00 00 0e 28 00 01 08 00 0e 00 00 90 7c ea 65
| 9b df 1f 11 fc 0a 4a d6 b9 46 5a e4 96 4e 45 1a
| c2 9e 2a 37 82 a3 69 99 3d e4 30 09 5a 01 d1 85
| 20 70 79 b1 52 0e 87 95 a9 78 ea df 28 a0 88 96
| 79 c8 bd c8 92 21 93 9d 85 a4 26 2b 88 b4 4b 37
| 8c cc da 7d 29 f2 58 66 0d 9a 9d 2e eb 87 dc ed
| 6c c0 1d 83 fa c3 71 d5 76 c0 0d f3 9f 8d f9 e0
| 07 bc 36 2e aa cc 3a a6 95 ff 7d ec 9d 6a be 82
| ad 12 c8 91 14 69 5b 89 74 a8 42 03 a0 ca 3b 99
| 74 ce 0f 00 b3 a4 15 82 3b 79 cf b1 e0 17 22 a0
| 06 b6 5c a8 42 77 52 46 76 fc 73 e5 9a e6 55 a1
| a4 89 fb 1f 49 db 51 c1 4b b9 87 ba e2 7c 2b 3f
| 02 a4 f2 07 e6 82 5e ef 59 a2 9f 87 d2 4e 5e 53
| 4a 24 8b 56 21 a6 eb 6a d1 fb 8f 95 de 77 26 98
| d3 d0 3d 7d d2 81 82 88 b4 93 71 b9 89 b5 84 a0
| d5 f2 d0 af 4b b0 6b 3c c9 3f bd b2 40 9c e4 67
| 96 7d 4a 31 12 38 98 9a f5 32 7b 1f 29 00 00 24
| 56 99 82 72 70 90 b5 be 91 73 1e 81 5d 54 b7 61
| 4e 5e 31 6b 56 10 9c a2 06 3d d8 84 87 27 47 36
| 29 00 00 08 00 00 40 2e 29 00 00 1c 00 00 40 04
| 62 d2 f8 5f 69 df d9 80 ce aa 8b 7e 9e 95 f6 c4
| 2c 80 7f 78 26 00 00 1c 00 00 40 05 9d 84 5b 9e
| 42 69 28 3d ee 40 b4 d7 98 64 8a 4a 88 8c 03 bd
| 00 00 00 05 04
| state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted
| libevent_free: release ptr-libevent@0x559e01c7d2f8
| free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x559e01c7cf78
| event_schedule: new EVENT_SO_DISCARD-pe@0x559e01c7cf78
| inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1
| libevent_malloc: new ptr-libevent@0x559e01c7f548 size 128
| resume sending helper answer for #1 suppresed complete_v2_state_transition()
| #1 spent 0.383 milliseconds in resume sending helper answer
| stop processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:833)
| libevent_free: release ptr-libevent@0x7f6658002888
| spent 0.00312 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 539 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
| f5 24 5f 61 40 70 2b d5 ae d8 70 55 7a d7 61 61
| 35 20 23 08 00 00 00 01 00 00 02 1b 23 00 01 ff
| 00 01 00 02 45 90 f0 71 d9 a2 1b bc 93 11 b2 c2
| 58 e3 dd 42 9a 0d db 34 fc 04 7c 1f 15 f4 2f 97
| 32 03 c2 70 a3 95 f1 27 c7 4c 80 f3 54 24 0d 16
| b5 c4 ed 35 53 fb 16 1b 78 27 2f 8f 91 ca c3 cd
| 1e d5 d5 0e 04 99 bd 6d 8f 46 46 0f f3 54 8c 4a
| d7 d4 72 8e b4 d4 bf d6 aa 47 78 a7 bf 6a 76 a4
| 88 88 78 3e 52 a1 fa 23 11 c8 fe 39 44 23 4d 3a
| 83 61 10 30 b5 9a d8 3c 1f b8 95 ce b9 85 50 32
| b3 c7 d7 37 a4 97 2c 59 55 e2 15 d5 60 c2 25 73
| 7c 44 1d f9 b6 6d f2 0f ec 67 d5 0c 16 41 48 ec
| 10 36 37 b8 48 e2 8a 2d 74 ec 57 30 8c cd 8f 59
| e0 23 e9 32 a6 36 ed 75 ee 6f 44 e4 8e 3f 28 99
| e6 e4 de d0 54 85 c8 05 0b 07 a3 51 b1 85 cc dc
| 9e 00 1d e0 a4 d0 8c 06 16 64 04 55 b6 5b 48 b7
| f0 48 51 8b 72 d9 a8 67 1d 5b 48 d5 46 0e fd b2
| a7 d0 ad db 55 ea 64 4d 0f 0a 34 94 f6 b9 04 9d
| 7f ce f2 ca 6d 9d ca c7 8a d6 09 5f e5 be b1 e8
| c5 de 40 85 50 82 dd fd 1e b3 08 f7 52 44 3e 5a
| e4 77 70 ed ee 82 c5 d1 35 ad 6a 0f f1 52 75 61
| 63 9d 1c 96 dc 8e 5f b9 fe 73 74 05 04 4d fa 28
| ab 99 80 ae bb 01 f3 a1 bd d8 73 00 eb 19 8e a5
| 3a 60 53 23 a0 50 24 ad 72 dc f5 08 b9 06 37 1b
| 2a 1b 16 a6 11 3a b7 1b bd f9 21 17 f5 bf 17 f0
| 65 b5 84 4d e1 cc 7b 2f 08 40 1b c2 93 40 9c c4
| a2 7b f0 52 11 ee f0 6d 97 4c a9 ef 7e 81 a4 ea
| 49 f7 3c ee 7f 82 5f 7d 2f 91 f3 4d 44 ab 4f 0c
| f7 51 cd 4b de c5 be 72 10 e8 18 12 cb 17 48 e7
| 1f 77 df 7f d4 17 df 79 c7 ff 16 32 57 6a 8a 24
| dd c2 b0 5c fa 30 97 55 ef 38 99 6f 7a fd 56 0a
| d9 a4 e5 96 ed 41 31 8c a5 ce f2 f0 ba bc 13 08
| b6 41 49 21 53 b9 38 05 79 f4 a5 71 1a f0 7d 1d
| 47 cd 74 c1 57 46 ad 09 40 b8 ff
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
| initiator cookie:
| f5 24 5f 61 40 70 2b d5
| responder cookie:
| ae d8 70 55 7a d7 61 61
| next payload type: ISAKMP_NEXT_v2SKF (0x35)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 1 (0x1)
| length: 539 (0x21b)
| processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa)
| start processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2016)
| State DB: IKEv2 state not found (find_v2_sa_by_responder_wip)
| [RE]START processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in ike_process_packet() at ikev2.c:2064)
| #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001
| Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SKF)
| ***parse IKEv2 Encrypted Fragment:
| next payload type: ISAKMP_NEXT_v2IDi (0x23)
| flags: none (0x0)
| length: 511 (0x1ff)
| fragment number: 1 (0x1)
| total fragments: 2 (0x2)
| processing payload: ISAKMP_NEXT_v2SKF (len=503)
| Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1
| #1 in state PARENT_R1: received v2I1, sent v2R1
| received IKE encrypted fragment number '1', total number '2', next payload '35'
| updated IKE fragment state to respond using fragments without waiting for re-transmits
| stop processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.167 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.182 milliseconds in comm_handle_cb() reading and processing packet
| spent 0.00133 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 215 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
| f5 24 5f 61 40 70 2b d5 ae d8 70 55 7a d7 61 61
| 35 20 23 08 00 00 00 01 00 00 00 d7 00 00 00 bb
| 00 02 00 02 43 6d d1 f2 c6 a4 7d c6 91 e3 9b e6
| 6f 8d c3 db 4a 99 1c b5 a6 5c 36 1a 47 38 8a fb
| dc 9d 5d 69 93 98 d8 3c 3a 49 ad b6 80 6f 64 ef
| e1 6d 58 42 70 fa fa c1 5f 55 ed b8 cf 12 cf 40
| e7 cf 91 2c f8 2b 54 93 59 90 36 8d cf 78 2c fe
| 2d f8 b3 20 29 4b 67 29 2b f6 19 a2 b4 66 7d 18
| 2b c3 e5 f9 ee e0 62 a2 c6 93 ee 3d 28 01 21 32
| f2 ec 0e 37 5b ab 6e 17 d4 fe 79 ba 84 eb 97 40
| 18 08 04 e0 10 be 7d 77 ec 67 24 02 39 04 40 97
| fe 7a cc 47 59 8a 7a d0 74 90 05 7e 25 0a 91 e1
| 90 cb 08 81 a7 86 88 c7 00 5e 85 1f 4d 08 ca 8d
| ec f6 a6 32 aa 43 79
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
| initiator cookie:
| f5 24 5f 61 40 70 2b d5
| responder cookie:
| ae d8 70 55 7a d7 61 61
| next payload type: ISAKMP_NEXT_v2SKF (0x35)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 1 (0x1)
| length: 215 (0xd7)
| processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa)
| start processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2016)
| [RE]START processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in ike_process_packet() at ikev2.c:2062)
| #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001
| #1 is idle
| #1 idle
| Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SKF)
| ***parse IKEv2 Encrypted Fragment:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| length: 187 (0xbb)
| fragment number: 2 (0x2)
| total fragments: 2 (0x2)
| processing payload: ISAKMP_NEXT_v2SKF (len=179)
| #1 in state PARENT_R1: received v2I1, sent v2R1
| received IKE encrypted fragment number '2', total number '2', next payload '0'
| selected state microcode Responder: process IKE_AUTH request (no SKEYSEED)
| Now let's proceed with state specific processing
| calling processor Responder: process IKE_AUTH request (no SKEYSEED)
| ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2
| offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16
| adding ikev2_inI2outR2 KE work-order 2 for state #1
| state #1 requesting EVENT_SO_DISCARD to be deleted
| libevent_free: release ptr-libevent@0x559e01c7f548
| free_event_entry: release EVENT_SO_DISCARD-pe@0x559e01c7cf78
| event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x559e01c7cf78
| inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1
| libevent_malloc: new ptr-libevent@0x7f6658002888 size 128
| #1 spent 0.0334 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet()
| [RE]START processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v2_state_transition() at ikev2.c:3379)
| crypto helper 3 resuming
| #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND
| suspending state #1 and saving MD
| #1 is busy; has a suspended MD
| crypto helper 3 starting work-order 2 for state #1
| [RE]START processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in log_stf_suspend() at ikev2.c:3269)
| crypto helper 3 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2
| "road-eastnet-nonat"[1] 192.1.3.209 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451
| stop processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.19 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.2 milliseconds in comm_handle_cb() reading and processing packet
| calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4
| crypto helper 3 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001389 seconds
| (#1) spent 1.38 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr)
| crypto helper 3 sending results from work-order 2 for state #1 to event queue
| scheduling resume sending helper answer for #1
| libevent_malloc: new ptr-libevent@0x7f6650000f48 size 128
| crypto helper 3 waiting (nothing to do)
| processing resume sending helper answer for #1
| start processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797)
| crypto helper 3 replies to request ID 2
| calling continuation function 0x559e002c3b50
| ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2
| #1 in state PARENT_R1: received v2I1, sent v2R1
| already have all fragments, skipping fragment collection
| already have all fragments, skipping fragment collection
| #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success
| Now let's proceed with payload (ISAKMP_NEXT_v2IDi)
| **parse IKEv2 Identification - Initiator - Payload:
| next payload type: ISAKMP_NEXT_v2IDr (0x24)
| flags: none (0x0)
| length: 12 (0xc)
| ID type: ID_FQDN (0x2)
| processing payload: ISAKMP_NEXT_v2IDi (len=4)
| Now let's proceed with payload (ISAKMP_NEXT_v2IDr)
| **parse IKEv2 Identification - Responder - Payload:
| next payload type: ISAKMP_NEXT_v2AUTH (0x27)
| flags: none (0x0)
| length: 12 (0xc)
| ID type: ID_FQDN (0x2)
| processing payload: ISAKMP_NEXT_v2IDr (len=4)
| Now let's proceed with payload (ISAKMP_NEXT_v2AUTH)
| **parse IKEv2 Authentication Payload:
| next payload type: ISAKMP_NEXT_v2SA (0x21)
| flags: none (0x0)
| length: 396 (0x18c)
| auth method: IKEv2_AUTH_RSA (0x1)
| processing payload: ISAKMP_NEXT_v2AUTH (len=388)
| Now let's proceed with payload (ISAKMP_NEXT_v2SA)
| **parse IKEv2 Security Association Payload:
| next payload type: ISAKMP_NEXT_v2TSi (0x2c)
| flags: none (0x0)
| length: 164 (0xa4)
| processing payload: ISAKMP_NEXT_v2SA (len=160)
| Now let's proceed with payload (ISAKMP_NEXT_v2TSi)
| **parse IKEv2 Traffic Selector - Initiator - Payload:
| next payload type: ISAKMP_NEXT_v2TSr (0x2d)
| flags: none (0x0)
| length: 24 (0x18)
| number of TS: 1 (0x1)
| processing payload: ISAKMP_NEXT_v2TSi (len=16)
| Now let's proceed with payload (ISAKMP_NEXT_v2TSr)
| **parse IKEv2 Traffic Selector - Responder - Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| length: 24 (0x18)
| number of TS: 1 (0x1)
| processing payload: ISAKMP_NEXT_v2TSr (len=16)
| selected state microcode Responder: process IKE_AUTH request
| Now let's proceed with state specific processing
| calling processor Responder: process IKE_AUTH request
"road-eastnet-nonat"[1] 192.1.3.209 #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr}
| #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669)
| received IDr payload - extracting our alleged ID
| refine_host_connection for IKEv2: starting with "road-eastnet-nonat"[1] 192.1.3.209
| match_id a=@road
| b=@road
| results matched
| refine_host_connection: checking "road-eastnet-nonat"[1] 192.1.3.209 against "road-eastnet-nonat"[1] 192.1.3.209, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0))
| Warning: not switching back to template of current instance
| Peer expects us to be @east (ID_FQDN) according to its IDr payload
| This connection's local id is @east (ID_FQDN)
| refine_host_connection: checked road-eastnet-nonat[1] 192.1.3.209 against road-eastnet-nonat[1] 192.1.3.209, now for see if best
| started looking for secret for @east->@road of kind PKK_RSA
| actually looking for secret for @east->@road of kind PKK_RSA
| line 1: key type PKK_RSA(@east) to type PKK_RSA
| 1: compared key (none) to @east / @road -> 002
| 2: compared key (none) to @east / @road -> 002
| line 1: match=002
| match 002 beats previous best_match 000 match=0x559e01bd3b58 (line=1)
| concluding with best_match=002 best=0x559e01bd3b58 (lineno=1)
| returning because exact peer id match
| offered CA: '%none'
"road-eastnet-nonat"[1] 192.1.3.209 #1: IKEv2 mode peer ID is ID_FQDN: '@road'
| verifying AUTH payload
| required RSA CA is '%any'
| checking RSA keyid '@east' for match with '@road'
| checking RSA keyid '@road' for match with '@road'
| key issuer CA is '%any'
| an RSA Sig check passed with *AQPHFfpyJ [preloaded key]
| #1 spent 0.0972 milliseconds in try_all_RSA_keys() trying a pubkey
"road-eastnet-nonat"[1] 192.1.3.209 #1: Authenticated using RSA
| #1 spent 0.125 milliseconds in ikev2_verify_rsa_hash()
| parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA)
| #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key)
| state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted
| libevent_free: release ptr-libevent@0x7f6658002888
| free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x559e01c7cf78
| event_schedule: new EVENT_SA_REKEY-pe@0x559e01c7cf78
| inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1
| libevent_malloc: new ptr-libevent@0x559e01c7f548 size 128
| pstats #1 ikev2.ike established
| **emit ISAKMP Message:
| initiator cookie:
| f5 24 5f 61 40 70 2b d5
| responder cookie:
| ae d8 70 55 7a d7 61 61
| next payload type: ISAKMP_NEXT_NONE (0x0)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
| Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| IKEv2 CERT: send a certificate?
| IKEv2 CERT: no certificate to send
| ***emit IKEv2 Encryption Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK)
| next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet'
| emitting 8 zero bytes of IV into IKEv2 Encryption Payload
| Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED
| ****emit IKEv2 Identification - Responder - Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| ID type: ID_FQDN (0x2)
| next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr)
| next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet'
| emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload
| my identity 65 61 73 74
| emitting length of IKEv2 Identification - Responder - Payload: 12
| assembled IDr payload
| CHILD SA proposals received
| going to assemble AUTH payload
| ****emit IKEv2 Authentication Payload:
| next payload type: ISAKMP_NEXT_v2SA (0x21)
| flags: none (0x0)
| auth method: IKEv2_AUTH_RSA (0x1)
| next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA
| next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH)
| next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet'
| started looking for secret for @east->@road of kind PKK_RSA
| actually looking for secret for @east->@road of kind PKK_RSA
| line 1: key type PKK_RSA(@east) to type PKK_RSA
| 1: compared key (none) to @east / @road -> 002
| 2: compared key (none) to @east / @road -> 002
| line 1: match=002
| match 002 beats previous best_match 000 match=0x559e01bd3b58 (line=1)
| concluding with best_match=002 best=0x559e01bd3b58 (lineno=1)
| #1 spent 4.91 milliseconds in ikev2_calculate_rsa_hash() calling sign_hash_RSA()
| emitting 274 raw bytes of rsa signature into IKEv2 Authentication Payload
| rsa signature 3f b2 04 a0 0f 95 67 fc 5a 74 67 84 eb 18 cd a5
| rsa signature db 6a 1c 02 fb c5 b5 73 64 10 32 93 47 dc ba e0
| rsa signature b3 f8 63 83 2f d2 06 47 5b da 8b 24 04 bc 6d 1f
| rsa signature e0 c5 05 d4 10 70 61 a5 1c ad ba 23 2d f7 71 fc
| rsa signature bd 09 d9 43 31 ed f0 ad 71 f3 a6 bc af ef c5 3f
| rsa signature c6 fa 73 84 98 de d9 db 61 0c 04 e1 9b 5b 99 42
| rsa signature 79 96 35 75 7a 0b f9 15 f9 e4 5b 98 01 8b b6 f5
| rsa signature 18 64 7f 50 4b dd 1e 02 55 2a 5e 8d 93 b3 c6 96
| rsa signature 89 91 7a fc c9 22 a7 87 c7 2d 4c 61 ca 00 98 6b
| rsa signature cb 0f ac bb 6d cc ce 00 a6 1a 09 0e 36 f6 e1 54
| rsa signature 35 4d 94 c3 5b 8a a6 c0 55 5b cf 21 f4 01 38 56
| rsa signature fc 28 c0 a7 ad a0 bf 89 1e 5b 7d 03 05 e3 12 20
| rsa signature ae 2f 81 f7 1e 2f 52 45 a0 1c 46 4b 44 32 54 3e
| rsa signature 21 fb 87 68 53 96 d4 3d 41 36 20 46 d7 21 ea 7f
| rsa signature 80 d1 91 42 c4 0e 03 ce 95 fa d6 43 eb 8e 81 39
| rsa signature 3b 08 a5 a0 35 d5 4d 70 06 58 4c 9d e9 4c 5b e5
| rsa signature 2d 1f b3 6c e0 10 67 0e e2 83 0c a0 f4 e0 c5 80
| rsa signature f6 f9
| #1 spent 4.99 milliseconds in ikev2_calculate_rsa_hash()
| emitting length of IKEv2 Authentication Payload: 282
| creating state object #2 at 0x559e01c8abd8
| State DB: adding IKEv2 state #2 in UNDEFINED
| pstats #2 ikev2.child started
| duplicating state object #1 "road-eastnet-nonat"[1] 192.1.3.209 as #2 for IPSEC SA
| #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484)
| Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1
| Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1
| Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1
| Child SA TS Request has ike->sa == md->st; so using parent connection
| TSi: parsing 1 traffic selectors
| ***parse IKEv2 Traffic Selector:
| TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
| IP Protocol ID: 0 (0x0)
| length: 16 (0x10)
| start port: 0 (0x0)
| end port: 65535 (0xffff)
| parsing 4 raw bytes of IKEv2 Traffic Selector into TS low
| TS low c0 00 02 db
| parsing 4 raw bytes of IKEv2 Traffic Selector into TS high
| TS high c0 00 02 db
| TSi: parsed 1 traffic selectors
| TSr: parsing 1 traffic selectors
| ***parse IKEv2 Traffic Selector:
| TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
| IP Protocol ID: 0 (0x0)
| length: 16 (0x10)
| start port: 0 (0x0)
| end port: 65535 (0xffff)
| parsing 4 raw bytes of IKEv2 Traffic Selector into TS low
| TS low c0 00 02 00
| parsing 4 raw bytes of IKEv2 Traffic Selector into TS high
| TS high c0 00 02 ff
| TSr: parsed 1 traffic selectors
| looking for best SPD in current connection
| evaluating our conn="road-eastnet-nonat"[1] 192.1.3.209 I=192.0.2.219/32:0/0 R=192.0.2.0/24:0/0 to their:
| TSi[0] .net=192.0.2.219-192.0.2.219 .iporotoid=0 .{start,end}port=0..65535
| match address end->client=192.0.2.219/32 == TSi[0]net=192.0.2.219-192.0.2.219: YES fitness 32
| narrow port end=0..65535 == TSi[0]=0..65535: 0
| TSi[0] port match: YES fitness 65536
| narrow protocol end=*0 == TSi[0]=*0: 0
| match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255
| TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535
| match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32
| narrow port end=0..65535 == TSr[0]=0..65535: 0
| TSr[0] port match: YES fitness 65536
| narrow protocol end=*0 == TSr[0]=*0: 0
| match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255
| best fit so far: TSi[0] TSr[0]
| found better spd route for TSi[0],TSr[0]
| looking for better host pair
| find_host_pair: comparing 192.1.2.23:500 to 192.1.3.209:500 but ignoring ports
| checking hostpair 192.0.2.0/24 -> 192.0.2.219/32 is found
| investigating connection "road-eastnet-nonat" as a better match
| match_id a=@road
| b=@road
| results matched
| evaluating our conn="road-eastnet-nonat"[1] 192.1.3.209 I=192.0.2.219/32:0/0 R=192.0.2.0/24:0/0 to their:
| TSi[0] .net=192.0.2.219-192.0.2.219 .iporotoid=0 .{start,end}port=0..65535
| match address end->client=192.0.2.219/32 == TSi[0]net=192.0.2.219-192.0.2.219: YES fitness 32
| narrow port end=0..65535 == TSi[0]=0..65535: 0
| TSi[0] port match: YES fitness 65536
| narrow protocol end=*0 == TSi[0]=*0: 0
| match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255
| TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535
| match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32
| narrow port end=0..65535 == TSr[0]=0..65535: 0
| TSr[0] port match: YES fitness 65536
| narrow protocol end=*0 == TSr[0]=*0: 0
| match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255
| best fit so far: TSi[0] TSr[0]
| did not find a better connection using host pair
| printing contents struct traffic_selector
| ts_type: IKEv2_TS_IPV4_ADDR_RANGE
| ipprotoid: 0
| port range: 0-65535
| ip range: 192.0.2.0-192.0.2.255
| printing contents struct traffic_selector
| ts_type: IKEv2_TS_IPV4_ADDR_RANGE
| ipprotoid: 0
| port range: 0-65535
| ip range: 192.0.2.219-192.0.2.219
| constructing ESP/AH proposals with all DH removed for road-eastnet-nonat (IKE_AUTH responder matching remote ESP/AH proposals)
| converting proposal AES_GCM_16_256-NONE to ikev2 ...
| ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED
| converting proposal AES_GCM_16_128-NONE to ikev2 ...
| ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED
| converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ...
| ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
| converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ...
| ... ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
"road-eastnet-nonat"[1] 192.1.3.209: constructed local ESP/AH proposals for road-eastnet-nonat (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
| Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals
| local proposal 1 type ENCR has 1 transforms
| local proposal 1 type PRF has 0 transforms
| local proposal 1 type INTEG has 1 transforms
| local proposal 1 type DH has 1 transforms
| local proposal 1 type ESN has 1 transforms
| local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH
| local proposal 2 type ENCR has 1 transforms
| local proposal 2 type PRF has 0 transforms
| local proposal 2 type INTEG has 1 transforms
| local proposal 2 type DH has 1 transforms
| local proposal 2 type ESN has 1 transforms
| local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH
| local proposal 3 type ENCR has 1 transforms
| local proposal 3 type PRF has 0 transforms
| local proposal 3 type INTEG has 2 transforms
| local proposal 3 type DH has 1 transforms
| local proposal 3 type ESN has 1 transforms
| local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: DH
| local proposal 4 type ENCR has 1 transforms
| local proposal 4 type PRF has 0 transforms
| local proposal 4 type INTEG has 2 transforms
| local proposal 4 type DH has 1 transforms
| local proposal 4 type ESN has 1 transforms
| local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH
| ***parse IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_NON_LAST (0x2)
| length: 32 (0x20)
| prop #: 1 (0x1)
| proto ID: IKEv2_SEC_PROTO_ESP (0x3)
| spi size: 4 (0x4)
| # transforms: 2 (0x2)
| parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI
| remote SPI dc 90 fe 8d
| Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals
| ****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 12 (0xc)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_GCM_C (0x14)
| *****parse IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 256 (0x100)
| remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0
| ****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_ESN (0x5)
| IKEv2 transform ID: ESN_DISABLED (0x0)
| remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0
| remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0
| remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0
| remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0
| remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none
| comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN
| remote proposal 1 matches local proposal 1
| ***parse IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_NON_LAST (0x2)
| length: 32 (0x20)
| prop #: 2 (0x2)
| proto ID: IKEv2_SEC_PROTO_ESP (0x3)
| spi size: 4 (0x4)
| # transforms: 2 (0x2)
| parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI
| remote SPI dc 90 fe 8d
| Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 4 local proposals
| ****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 12 (0xc)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_GCM_C (0x14)
| *****parse IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 128 (0x80)
| ****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_ESN (0x5)
| IKEv2 transform ID: ESN_DISABLED (0x0)
| remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN
| remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN
| ***parse IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_NON_LAST (0x2)
| length: 48 (0x30)
| prop #: 3 (0x3)
| proto ID: IKEv2_SEC_PROTO_ESP (0x3)
| spi size: 4 (0x4)
| # transforms: 4 (0x4)
| parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI
| remote SPI dc 90 fe 8d
| Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals
| ****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 12 (0xc)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_CBC (0xc)
| *****parse IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 256 (0x100)
| ****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| ****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| ****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_ESN (0x5)
| IKEv2 transform ID: ESN_DISABLED (0x0)
| remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN
| remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN
| ***parse IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_LAST (0x0)
| length: 48 (0x30)
| prop #: 4 (0x4)
| proto ID: IKEv2_SEC_PROTO_ESP (0x3)
| spi size: 4 (0x4)
| # transforms: 4 (0x4)
| parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI
| remote SPI dc 90 fe 8d
| Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals
| ****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 12 (0xc)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_CBC (0xc)
| *****parse IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 128 (0x80)
| ****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| ****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| ****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_ESN (0x5)
| IKEv2 transform ID: ESN_DISABLED (0x0)
| remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN
| remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN
"road-eastnet-nonat"[1] 192.1.3.209 #1: proposal 1:ESP:SPI=dc90fe8d;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED
| IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=dc90fe8d;ENCR=AES_GCM_C_256;ESN=DISABLED
| converting proposal to internal trans attrs
| netlink_get_spi: allocated 0xc47cdd66 for esp.0@192.1.2.23
| Emitting ikev2_proposal ...
| ****emit IKEv2 Security Association Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA)
| next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet'
| *****emit IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_LAST (0x0)
| prop #: 1 (0x1)
| proto ID: IKEv2_SEC_PROTO_ESP (0x3)
| spi size: 4 (0x4)
| # transforms: 2 (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload
| our spi c4 7c dd 66
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| *******emit IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| IKEv2 transform type: TRANS_TYPE_ESN (0x5)
| IKEv2 transform ID: ESN_DISABLED (0x0)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 32
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| emitting length of IKEv2 Security Association Payload: 36
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0
| ****emit IKEv2 Traffic Selector - Initiator - Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| number of TS: 1 (0x1)
| next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi)
| next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet'
| *****emit IKEv2 Traffic Selector:
| TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
| IP Protocol ID: 0 (0x0)
| start port: 0 (0x0)
| end port: 65535 (0xffff)
| emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector
| ipv4 start c0 00 02 db
| emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector
| ipv4 end c0 00 02 db
| emitting length of IKEv2 Traffic Selector: 16
| emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24
| ****emit IKEv2 Traffic Selector - Responder - Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| number of TS: 1 (0x1)
| next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr)
| next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet'
| *****emit IKEv2 Traffic Selector:
| TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
| IP Protocol ID: 0 (0x0)
| start port: 0 (0x0)
| end port: 65535 (0xffff)
| emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector
| ipv4 start c0 00 02 00
| emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector
| ipv4 end c0 00 02 ff
| emitting length of IKEv2 Traffic Selector: 16
| emitting length of IKEv2 Traffic Selector - Responder - Payload: 24
| Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED
| integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36
| FOR_EACH_CONNECTION_... in ISAKMP_SA_established
| install_ipsec_sa() for #2: inbound and outbound
| could_route called for road-eastnet-nonat (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
| conn road-eastnet-nonat mark 0/00000000, 0/00000000 vs
| conn road-eastnet-nonat mark 0/00000000, 0/00000000
| conn road-eastnet-nonat mark 0/00000000, 0/00000000 vs
| conn road-eastnet-nonat mark 0/00000000, 0/00000000
| route owner of "road-eastnet-nonat"[1] 192.1.3.209 unrouted: NULL; eroute owner: NULL
| looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE
| encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20
| AES_GCM_16 requires 4 salt bytes
| st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0
| setting IPsec SA replay-window to 32
| NIC esp-hw-offload not for connection 'road-eastnet-nonat' not available on interface eth1
| netlink: enabling tunnel mode
| netlink: setting IPsec SA replay-window to 32 using old-style req
| netlink: esp-hw-offload not set for IPsec SA
| netlink response for Add SA esp.dc90fe8d@192.1.3.209 included non-error error
| set up outgoing SA, ref=0/0
| looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE
| encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20
| AES_GCM_16 requires 4 salt bytes
| st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0
| setting IPsec SA replay-window to 32
| NIC esp-hw-offload not for connection 'road-eastnet-nonat' not available on interface eth1
| netlink: enabling tunnel mode
| netlink: setting IPsec SA replay-window to 32 using old-style req
| netlink: esp-hw-offload not set for IPsec SA
| netlink response for Add SA esp.c47cdd66@192.1.2.23 included non-error error
| priority calculation of connection "road-eastnet-nonat" is 0xfe7df
| add inbound eroute 192.0.2.219/32:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute)
| IPsec Sa SPD priority set to 1042399
| raw_eroute result=success
| set up incoming SA, ref=0/0
| sr for #2: unrouted
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
| conn road-eastnet-nonat mark 0/00000000, 0/00000000 vs
| conn road-eastnet-nonat mark 0/00000000, 0/00000000
| conn road-eastnet-nonat mark 0/00000000, 0/00000000 vs
| conn road-eastnet-nonat mark 0/00000000, 0/00000000
| route owner of "road-eastnet-nonat"[1] 192.1.3.209 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: road-eastnet-nonat (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2
| priority calculation of connection "road-eastnet-nonat" is 0xfe7df
| eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.2.219/32:0 => tun.0@192.1.3.209 (raw_eroute)
| IPsec Sa SPD priority set to 1042399
| raw_eroute result=success
| running updown command "ipsec _updown" for verb up
| command executing up-client
| executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-nonat' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@road' PLUTO_PEER_CLIENT='192.0.2.219/32' PLUTO_PEER_CLIENT_NET='192.0.2.219' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=
| popen cmd is 1044 chars long
| cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-nonat':
| cmd( 80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO:
| cmd( 160):_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PL:
| cmd( 240):UTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO:
| cmd( 320):_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@r:
| cmd( 400):oad' PLUTO_PEER_CLIENT='192.0.2.219/32' PLUTO_PEER_CLIENT_NET='192.0.2.219' PLUT:
| cmd( 480):O_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0':
| cmd( 560): PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSAS:
| cmd( 640):IG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_:
| cmd( 720):KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CIS:
| cmd( 800):CO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLU:
| cmd( 880):TO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_:
| cmd( 960):ROUTING='no' VTI_SHARED='no' SPI_IN=0xdc90fe8d SPI_OUT=0xc47cdd66 ipsec _updown :
| cmd(1040):2>&1:
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare
| command executing prepare-client
| executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-nonat' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@road' PLUTO_PEER_CLIENT='192.0.2.219/32' PLUTO_PEER_CLIENT_NET='192.0.2.219' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='n
| popen cmd is 1049 chars long
| cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-n:
| cmd( 80):onat' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' :
| cmd( 160):PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.:
| cmd( 240):0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' :
| cmd( 320):PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_I:
| cmd( 400):D='@road' PLUTO_PEER_CLIENT='192.0.2.219/32' PLUTO_PEER_CLIENT_NET='192.0.2.219':
| cmd( 480): PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCO:
| cmd( 560):L='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY=:
| cmd( 640):'RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_:
| cmd( 720):CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEE:
| cmd( 800):R_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER=':
| cmd( 880):' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='':
| cmd( 960): VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xdc90fe8d SPI_OUT=0xc47cdd66 ipsec _up:
| cmd(1040):down 2>&1:
| running updown command "ipsec _updown" for verb route
| command executing route-client
| executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-nonat' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@road' PLUTO_PEER_CLIENT='192.0.2.219/32' PLUTO_PEER_CLIENT_NET='192.0.2.219' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' S
| popen cmd is 1047 chars long
| cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-non:
| cmd( 80):at' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PL:
| cmd( 160):UTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0':
| cmd( 240): PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PL:
| cmd( 320):UTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID=:
| cmd( 400):'@road' PLUTO_PEER_CLIENT='192.0.2.219/32' PLUTO_PEER_CLIENT_NET='192.0.2.219' P:
| cmd( 480):LUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=:
| cmd( 560):'0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='R:
| cmd( 640):SASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CO:
| cmd( 720):NN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_:
| cmd( 800):CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' :
| cmd( 880):PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' V:
| cmd( 960):TI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xdc90fe8d SPI_OUT=0xc47cdd66 ipsec _updo:
| cmd(1040):wn 2>&1:
| route_and_eroute: instance "road-eastnet-nonat"[1] 192.1.3.209, setting eroute_owner {spd=0x559e01c7ed78,sr=0x559e01c7ed78} to #2 (was #0) (newest_ipsec_sa=#0)
| #1 spent 1.8 milliseconds in install_ipsec_sa()
| ISAKMP_v2_IKE_AUTH: instance road-eastnet-nonat[1], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload
| emitting length of IKEv2 Encryption Payload: 407
| emitting length of ISAKMP Message: 435
| ikev2_parent_inI2outR2_continue_tail returned STF_OK
| #1 spent 8.23 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet()
| suspend processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v2_state_transition() at ikev2.c:3379)
| start processing: state #2 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v2_state_transition() at ikev2.c:3379)
| #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK
| IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R
| child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA)
| Message ID: updating counters for #2 to 1 after switching state
| Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1
| Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1
| pstats #2 ikev2.child established
"road-eastnet-nonat"[1] 192.1.3.209 #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.2.219-192.0.2.219:0-65535 0]
| NAT-T: encaps is 'auto'
"road-eastnet-nonat"[1] 192.1.3.209 #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0xdc90fe8d <0xc47cdd66 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
| sending V2 new request packet to 192.1.3.209:500 (from 192.1.2.23:500)
| sending 435 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1)
| f5 24 5f 61 40 70 2b d5 ae d8 70 55 7a d7 61 61
| 2e 20 23 20 00 00 00 01 00 00 01 b3 24 00 01 97
| da cf de 59 a2 21 3c a4 29 83 05 56 46 34 aa 09
| 19 27 1e 2c 1b 5a dc 6b fc 10 f7 b3 3a f7 e4 9e
| 03 2b 3b 0d d9 9c f7 64 d4 cf 18 09 fc af 8b f1
| c5 58 47 34 ef b8 b1 63 53 57 a3 68 c9 38 9b c6
| 35 72 93 17 9e f6 ff 5d e0 13 ab 0e 86 a7 9e 47
| b0 85 e0 2b 22 0d 6c f8 15 b4 6e 1d 44 c9 f4 b0
| 70 eb 18 ab c6 39 27 66 d7 53 78 59 76 4e 38 a3
| 2f ac e6 6c 06 b4 49 fb f0 6d 64 65 d9 fd 63 22
| ed e7 4d 76 d1 97 4c 4e 9b 4e 8d 55 16 9a c3 c3
| 65 b7 82 e5 e0 19 fc 1e f5 80 6d 0e 67 46 01 59
| c0 a2 da c7 11 5c d8 1b 9c 03 5a fc 18 03 e8 18
| c5 31 f6 86 bb c2 2c 5b 5c 68 ac c6 90 f8 c6 12
| 63 3b 79 6c 4a 55 28 13 30 62 2c 56 a0 1a 0b 44
| b8 44 72 fc c7 42 ce f2 e0 7c e2 47 a9 39 89 00
| a7 8a 5d 60 dc 28 5a db 6d d5 ec 59 0f 2e fd 4f
| 02 65 cd 33 9e 89 28 c7 db f1 48 18 53 bf e7 ab
| 6c 59 b6 8d 6b 3e c8 d2 c1 39 f0 99 81 54 34 d6
| 9d 85 5e 7c 42 89 64 c7 97 5c b0 29 df 6b cd 9b
| bb 8a f1 91 b5 ff ec 89 ac 45 2a 31 73 b9 b5 49
| 66 4d 8d 36 c8 6a cd 7b 12 6f d0 97 59 cf c2 1e
| b4 9a 20 5c da 07 54 a5 81 60 08 3c 47 7e 9f a3
| 87 e6 51 86 d7 07 44 5b 3e 76 8e 59 ee 29 78 c0
| 80 f6 05 41 0f 47 2f a7 bc 59 a1 12 b7 18 cb c4
| 5d 75 ba 3d 92 bf 14 96 04 55 6a 33 b3 5e a1 d8
| 8d a9 a6 55 96 95 47 80 4e 07 34 35 7f f2 a4 ed
| 72 79 24
| releasing whack for #2 (sock=fd@-1)
| releasing whack and unpending for parent #1
| unpending state #1 connection "road-eastnet-nonat"[1] 192.1.3.209
| #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key)
| event_schedule: new EVENT_SA_REKEY-pe@0x7f6658002b78
| inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2
| libevent_malloc: new ptr-libevent@0x559e01c83a08 size 128
| resume sending helper answer for #1 suppresed complete_v2_state_transition()
| #1 spent 8.53 milliseconds in resume sending helper answer
| stop processing: state #2 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:833)
| libevent_free: release ptr-libevent@0x7f6650000f48
| processing signal PLUTO_SIGCHLD
| waitpid returned ECHILD (no child processes left)
| spent 0.00423 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned ECHILD (no child processes left)
| spent 0.00267 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned ECHILD (no child processes left)
| spent 0.00266 milliseconds in signal handler PLUTO_SIGCHLD
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_STATE_... in show_states_status (sort_states)
| FOR_EACH_STATE_... in sort_states
| get_sa_info esp.c47cdd66@192.1.2.23
| get_sa_info esp.dc90fe8d@192.1.3.209
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.95 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
shutting down
| processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825)
| certs and keys locked by 'free_preshared_secrets'
forgetting secrets
| certs and keys unlocked by 'free_preshared_secrets'
| unreference key: 0x559e01c7d208 @east cnt 1--
| unreference key: 0x559e01bd3c48 @road cnt 2--
| start processing: connection "road-eastnet-nonat"[1] 192.1.3.209 (in delete_connection() at connections.c:189)
"road-eastnet-nonat"[1] 192.1.3.209: deleting connection "road-eastnet-nonat"[1] 192.1.3.209 instance with peer 192.1.3.209 {isakmp=#1/ipsec=#2}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| state #2
| suspend processing: connection "road-eastnet-nonat"[1] 192.1.3.209 (in foreach_state_by_connection_func_delete() at state.c:1310)
| start processing: state #2 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in foreach_state_by_connection_func_delete() at state.c:1310)
| pstats #2 ikev2.child deleted completed
| [RE]START processing: state #2 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in delete_state() at state.c:879)
"road-eastnet-nonat"[1] 192.1.3.209 #2: deleting state (STATE_V2_IPSEC_R) aged 5.198s and sending notification
| child state #2: V2_IPSEC_R(established CHILD SA) => delete
| get_sa_info esp.dc90fe8d@192.1.3.209
| get_sa_info esp.c47cdd66@192.1.2.23
"road-eastnet-nonat"[1] 192.1.3.209 #2: ESP traffic information: in=336B out=336B
| #2 send IKEv2 delete notification for STATE_V2_IPSEC_R
| Opening output PBS informational exchange delete request
| **emit ISAKMP Message:
| initiator cookie:
| f5 24 5f 61 40 70 2b d5
| responder cookie:
| ae d8 70 55 7a d7 61 61
| next payload type: ISAKMP_NEXT_NONE (0x0)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_INFORMATIONAL (0x25)
| flags: none (0x0)
| Message ID: 0 (0x0)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encryption Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK)
| next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request'
| emitting 8 zero bytes of IV into IKEv2 Encryption Payload
| ****emit IKEv2 Delete Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| protocol ID: PROTO_v2_ESP (0x3)
| SPI size: 4 (0x4)
| number of SPIs: 1 (0x1)
| next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D)
| next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request'
| emitting 4 raw bytes of local spis into IKEv2 Delete Payload
| local spis c4 7c dd 66
| emitting length of IKEv2 Delete Payload: 12
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload
| emitting length of IKEv2 Encryption Payload: 41
| emitting length of ISAKMP Message: 69
| sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #2)
| f5 24 5f 61 40 70 2b d5 ae d8 70 55 7a d7 61 61
| 2e 20 25 00 00 00 00 00 00 00 00 45 2a 00 00 29
| 3d c9 6c 74 6d df ce ae 66 c2 f0 fe fb 3c 52 92
| 34 9d 33 9d ef d5 0e 59 a5 ed 51 60 c0 40 d4 76
| cd a6 99 e8 60
| Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0
| Message ID: IKE #1 sender #2 in send_delete hacking around record ' send
| Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1->0 wip.responder=-1
| state #2 requesting EVENT_SA_REKEY to be deleted
| libevent_free: release ptr-libevent@0x559e01c83a08
| free_event_entry: release EVENT_SA_REKEY-pe@0x7f6658002b78
| running updown command "ipsec _updown" for verb down
| command executing down-client
| executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-nonat' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@road' PLUTO_PEER_CLIENT='192.0.2.219/32' PLUTO_PEER_CLIENT_NET='192.0.2.219' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566843854' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHAR
| popen cmd is 1057 chars long
| cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-nona:
| cmd( 80):t' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLU:
| cmd( 160):TO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' :
| cmd( 240):PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLU:
| cmd( 320):TO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID=':
| cmd( 400):@road' PLUTO_PEER_CLIENT='192.0.2.219/32' PLUTO_PEER_CLIENT_NET='192.0.2.219' PL:
| cmd( 480):UTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=':
| cmd( 560):0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566843854' PLUTO_CONN_P:
| cmd( 640):OLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' :
| cmd( 720):PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUT:
| cmd( 800):O_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_:
| cmd( 880):BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_:
| cmd( 960):IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xdc90fe8d SPI_OUT=0xc47cdd66 i:
| cmd(1040):psec _updown 2>&1:
| shunt_eroute() called for connection 'road-eastnet-nonat' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "road-eastnet-nonat" is 0xfe7df
| IPsec Sa SPD priority set to 1042399
| delete esp.dc90fe8d@192.1.3.209
| netlink response for Del SA esp.dc90fe8d@192.1.3.209 included non-error error
| priority calculation of connection "road-eastnet-nonat" is 0xfe7df
| delete inbound eroute 192.0.2.219/32:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute)
| raw_eroute result=success
| delete esp.c47cdd66@192.1.2.23
| netlink response for Del SA esp.c47cdd66@192.1.2.23 included non-error error
| stop processing: connection "road-eastnet-nonat"[1] 192.1.3.209 (BACKGROUND) (in update_state_connection() at connections.c:4076)
| start processing: connection NULL (in update_state_connection() at connections.c:4077)
| in connection_discard for connection road-eastnet-nonat
| State DB: deleting IKEv2 state #2 in V2_IPSEC_R
| child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore)
| stop processing: state #2 from 192.1.3.209:500 (in delete_state() at state.c:1143)
| processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312)
| state #1
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| state #1
| start processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in foreach_state_by_connection_func_delete() at state.c:1310)
| pstats #1 ikev2.ike deleted completed
| #1 spent 12.8 milliseconds in total
| [RE]START processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in delete_state() at state.c:879)
"road-eastnet-nonat"[1] 192.1.3.209 #1: deleting state (STATE_PARENT_R2) aged 5.233s and sending notification
| parent state #1: PARENT_R2(established IKE SA) => delete
| #1 send IKEv2 delete notification for STATE_PARENT_R2
| Opening output PBS informational exchange delete request
| **emit ISAKMP Message:
| initiator cookie:
| f5 24 5f 61 40 70 2b d5
| responder cookie:
| ae d8 70 55 7a d7 61 61
| next payload type: ISAKMP_NEXT_NONE (0x0)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_INFORMATIONAL (0x25)
| flags: none (0x0)
| Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encryption Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK)
| next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request'
| emitting 8 zero bytes of IV into IKEv2 Encryption Payload
| ****emit IKEv2 Delete Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| protocol ID: PROTO_v2_IKE (0x1)
| SPI size: 0 (0x0)
| number of SPIs: 0 (0x0)
| next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D)
| next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request'
| emitting length of IKEv2 Delete Payload: 8
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload
| emitting length of IKEv2 Encryption Payload: 37
| emitting length of ISAKMP Message: 65
| sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1)
| f5 24 5f 61 40 70 2b d5 ae d8 70 55 7a d7 61 61
| 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25
| 4b c2 11 1e e2 c3 63 ba a0 85 58 f1 d6 bc 5c ba
| 33 92 bf dc ef 14 b7 f4 f4 a0 58 6b 06 0c 7f 47
| 00
| Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1
| Message ID: IKE #1 sender #1 in send_delete hacking around record ' send
| Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=1 wip.responder=-1
| Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=0->1 wip.responder=-1
| state #1 requesting EVENT_SA_REKEY to be deleted
| libevent_free: release ptr-libevent@0x559e01c7f548
| free_event_entry: release EVENT_SA_REKEY-pe@0x559e01c7cf78
| State DB: IKEv2 state not found (flush_incomplete_children)
| in connection_discard for connection road-eastnet-nonat
| State DB: deleting IKEv2 state #1 in PARENT_R2
| parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore)
| unreference key: 0x559e01bd3c48 @road cnt 1--
| stop processing: state #1 from 192.1.3.209:500 (in delete_state() at state.c:1143)
| processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312)
| shunt_eroute() called for connection 'road-eastnet-nonat' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "road-eastnet-nonat" is 0xfe7df
| priority calculation of connection "road-eastnet-nonat" is 0xfe7df
| FOR_EACH_CONNECTION_... in route_owner
| conn road-eastnet-nonat mark 0/00000000, 0/00000000 vs
| conn road-eastnet-nonat mark 0/00000000, 0/00000000
| conn road-eastnet-nonat mark 0/00000000, 0/00000000 vs
| conn road-eastnet-nonat mark 0/00000000, 0/00000000
| route owner of "road-eastnet-nonat" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute
| command executing unroute-client
| executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-nonat' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@road' PLUTO_PEER_CLIENT='192.0.2.219/32' PLUTO_PEER_CLIENT_NET='192.0.2.219' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED
| popen cmd is 1038 chars long
| cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-n:
| cmd( 80):onat' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' :
| cmd( 160):PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.:
| cmd( 240):0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' :
| cmd( 320):PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.209' PLUTO_PEER_:
| cmd( 400):ID='@road' PLUTO_PEER_CLIENT='192.0.2.219/32' PLUTO_PEER_CLIENT_NET='192.0.2.219:
| cmd( 480):' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOC:
| cmd( 560):OL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY:
| cmd( 640):='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO:
| cmd( 720):_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_:
| cmd( 800):PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNE:
| cmd( 880):R='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE:
| cmd( 960):='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1:
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
| free hp@0x559e01c7f368
| flush revival: connection 'road-eastnet-nonat' wasn't on the list
| processing: STOP connection NULL (in discard_connection() at connections.c:249)
| start processing: connection "road-eastnet-nonat" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| free hp@0x559e01c7ce98
| flush revival: connection 'road-eastnet-nonat' wasn't on the list
| stop processing: connection "road-eastnet-nonat" (in discard_connection() at connections.c:249)
| crl fetch request list locked by 'free_crl_fetch'
| crl fetch request list unlocked by 'free_crl_fetch'
shutting down interface lo/lo 127.0.0.1:4500
shutting down interface lo/lo 127.0.0.1:500
shutting down interface eth0/eth0 192.0.2.254:4500
shutting down interface eth0/eth0 192.0.2.254:500
shutting down interface eth1/eth1 192.1.2.23:4500
shutting down interface eth1/eth1 192.1.2.23:500
| FOR_EACH_STATE_... in delete_states_dead_interfaces
| libevent_free: release ptr-libevent@0x559e01c6e758
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a468
| libevent_free: release ptr-libevent@0x559e01c00bb8
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a518
| libevent_free: release ptr-libevent@0x559e01c00b08
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a5c8
| libevent_free: release ptr-libevent@0x559e01c04dc8
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a678
| libevent_free: release ptr-libevent@0x559e01bddba8
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a728
| libevent_free: release ptr-libevent@0x559e01bd81d8
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a7d8
| FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
| libevent_free: release ptr-libevent@0x559e01c6e808
| free_event_entry: release EVENT_NULL-pe@0x559e01c62678
| libevent_free: release ptr-libevent@0x559e01c03918
| free_event_entry: release EVENT_NULL-pe@0x559e01c62608
| libevent_free: release ptr-libevent@0x559e01c01ed8
| free_event_entry: release EVENT_NULL-pe@0x559e01c61ae8
| global timer EVENT_REINIT_SECRET uninitialized
| global timer EVENT_SHUNT_SCAN uninitialized
| global timer EVENT_PENDING_DDNS uninitialized
| global timer EVENT_PENDING_PHASE2 uninitialized
| global timer EVENT_CHECK_CRLS uninitialized
| global timer EVENT_REVIVE_CONNS uninitialized
| global timer EVENT_FREE_ROOT_CERTS uninitialized
| global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized
| global timer EVENT_NAT_T_KEEPALIVE uninitialized
| libevent_free: release ptr-libevent@0x559e01c0d288
| signal event handler PLUTO_SIGCHLD uninstalled
| libevent_free: release ptr-libevent@0x559e01c04e98
| signal event handler PLUTO_SIGTERM uninstalled
| libevent_free: release ptr-libevent@0x559e01c79cc8
| signal event handler PLUTO_SIGHUP uninstalled
| libevent_free: release ptr-libevent@0x559e01c79f08
| signal event handler PLUTO_SIGSYS uninstalled
| releasing event base
| libevent_free: release ptr-libevent@0x559e01c79dd8
| libevent_free: release ptr-libevent@0x559e01c5ce28
| libevent_free: release ptr-libevent@0x559e01c5cdd8
| libevent_free: release ptr-libevent@0x559e01c5cd68
| libevent_free: release ptr-libevent@0x559e01c5cd28
| libevent_free: release ptr-libevent@0x559e01c79a58
| libevent_free: release ptr-libevent@0x559e01c79c08
| libevent_free: release ptr-libevent@0x559e01c5cfd8
| libevent_free: release ptr-libevent@0x559e01c61bf8
| libevent_free: release ptr-libevent@0x559e01c625c8
| libevent_free: release ptr-libevent@0x559e01c7a848
| libevent_free: release ptr-libevent@0x559e01c7a798
| libevent_free: release ptr-libevent@0x559e01c7a6e8
| libevent_free: release ptr-libevent@0x559e01c7a638
| libevent_free: release ptr-libevent@0x559e01c7a588
| libevent_free: release ptr-libevent@0x559e01c7a4d8
| libevent_free: release ptr-libevent@0x559e01c003a8
| libevent_free: release ptr-libevent@0x559e01c79c88
| libevent_free: release ptr-libevent@0x559e01c79c48
| libevent_free: release ptr-libevent@0x559e01c79bc8
| libevent_free: release ptr-libevent@0x559e01c79d98
| libevent_free: release ptr-libevent@0x559e01c79a98
| libevent_free: release ptr-libevent@0x559e01bd7908
| libevent_free: release ptr-libevent@0x559e01bd7d38
| libevent_free: release ptr-libevent@0x559e01c00718
| releasing global libevent data
| libevent_free: release ptr-libevent@0x559e01bd7988
| libevent_free: release ptr-libevent@0x559e01bd7cd8
| libevent_free: release ptr-libevent@0x559e01bd7dd8
leak detective found no leaks