Aug 26 18:24:46.300831: FIPS Product: YES Aug 26 18:24:46.300961: FIPS Kernel: NO Aug 26 18:24:46.300964: FIPS Mode: NO Aug 26 18:24:46.300967: NSS DB directory: sql:/etc/ipsec.d Aug 26 18:24:46.301125: Initializing NSS Aug 26 18:24:46.301132: Opening NSS database "sql:/etc/ipsec.d" read-only Aug 26 18:24:46.331065: NSS initialized Aug 26 18:24:46.331079: NSS crypto library initialized Aug 26 18:24:46.331083: FIPS HMAC integrity support [enabled] Aug 26 18:24:46.331086: FIPS mode disabled for pluto daemon Aug 26 18:24:46.358143: FIPS HMAC integrity verification self-test FAILED Aug 26 18:24:46.358285: libcap-ng support [enabled] Aug 26 18:24:46.358311: Linux audit support [enabled] Aug 26 18:24:46.358330: Linux audit activated Aug 26 18:24:46.358337: Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:23471 Aug 26 18:24:46.358339: core dump dir: /tmp Aug 26 18:24:46.358341: secrets file: /etc/ipsec.secrets Aug 26 18:24:46.358342: leak-detective enabled Aug 26 18:24:46.358343: NSS crypto [enabled] Aug 26 18:24:46.358345: XAUTH PAM support [enabled] Aug 26 18:24:46.358407: | libevent is using pluto's memory allocator Aug 26 18:24:46.358416: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Aug 26 18:24:46.358432: | libevent_malloc: new ptr-libevent@0x55c00a5d5a48 size 40 Aug 26 18:24:46.358442: | libevent_malloc: new ptr-libevent@0x55c00a5d0cd8 size 40 Aug 26 18:24:46.358446: | libevent_malloc: new ptr-libevent@0x55c00a5d0dd8 size 40 Aug 26 18:24:46.358448: | creating event base Aug 26 18:24:46.358452: | libevent_malloc: new ptr-libevent@0x55c00a655498 size 56 Aug 26 18:24:46.358456: | libevent_malloc: new ptr-libevent@0x55c00a5f9bf8 size 664 Aug 26 18:24:46.358468: | libevent_malloc: new ptr-libevent@0x55c00a655508 size 
24 Aug 26 18:24:46.358472: | libevent_malloc: new ptr-libevent@0x55c00a655558 size 384 Aug 26 18:24:46.358482: | libevent_malloc: new ptr-libevent@0x55c00a655458 size 16 Aug 26 18:24:46.358486: | libevent_malloc: new ptr-libevent@0x55c00a5d0908 size 40 Aug 26 18:24:46.358489: | libevent_malloc: new ptr-libevent@0x55c00a5d0d38 size 48 Aug 26 18:24:46.358494: | libevent_realloc: new ptr-libevent@0x55c00a5f9888 size 256 Aug 26 18:24:46.358498: | libevent_malloc: new ptr-libevent@0x55c00a655708 size 16 Aug 26 18:24:46.358504: | libevent_free: release ptr-libevent@0x55c00a655498 Aug 26 18:24:46.358508: | libevent initialized Aug 26 18:24:46.358512: | libevent_realloc: new ptr-libevent@0x55c00a655498 size 64 Aug 26 18:24:46.358519: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Aug 26 18:24:46.358533: | init_nat_traversal() initialized with keep_alive=0s Aug 26 18:24:46.358536: NAT-Traversal support [enabled] Aug 26 18:24:46.358540: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Aug 26 18:24:46.358546: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Aug 26 18:24:46.358551: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Aug 26 18:24:46.358587: | global one-shot timer EVENT_REVIVE_CONNS initialized Aug 26 18:24:46.358592: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Aug 26 18:24:46.358595: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Aug 26 18:24:46.358640: Encryption algorithms: Aug 26 18:24:46.358651: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c Aug 26 18:24:46.358656: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b Aug 26 18:24:46.358661: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a Aug 26 18:24:46.358665: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des Aug 26 18:24:46.358668: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} Aug 26 
18:24:46.358678: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia Aug 26 18:24:46.358683: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c Aug 26 18:24:46.358687: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b Aug 26 18:24:46.358691: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a Aug 26 18:24:46.358694: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr Aug 26 18:24:46.358697: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes Aug 26 18:24:46.358699: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent Aug 26 18:24:46.358701: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish Aug 26 18:24:46.358704: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh Aug 26 18:24:46.358706: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Aug 26 18:24:46.358708: NULL IKEv1: ESP IKEv2: ESP [] Aug 26 18:24:46.358710: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Aug 26 18:24:46.358715: Hash algorithms: Aug 26 18:24:46.358717: MD5 IKEv1: IKE IKEv2: Aug 26 18:24:46.358718: SHA1 IKEv1: IKE IKEv2: FIPS sha Aug 26 18:24:46.358721: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 Aug 26 18:24:46.358722: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 Aug 26 18:24:46.358724: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 Aug 26 18:24:46.358733: PRF algorithms: Aug 26 18:24:46.358735: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 Aug 26 18:24:46.358737: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 Aug 26 18:24:46.358739: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 Aug 26 18:24:46.358741: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 Aug 26 18:24:46.358743: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Aug 26 18:24:46.358745: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Aug 26 18:24:46.358761: Integrity algorithms: Aug 26 18:24:46.358763: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, 
hmac_md5 Aug 26 18:24:46.358765: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 Aug 26 18:24:46.358768: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Aug 26 18:24:46.358770: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Aug 26 18:24:46.358773: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Aug 26 18:24:46.358774: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Aug 26 18:24:46.358777: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 Aug 26 18:24:46.358779: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Aug 26 18:24:46.358780: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Aug 26 18:24:46.358788: DH algorithms: Aug 26 18:24:46.358790: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 Aug 26 18:24:46.358792: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 Aug 26 18:24:46.358794: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 Aug 26 18:24:46.358798: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 Aug 26 18:24:46.358800: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 Aug 26 18:24:46.358802: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 Aug 26 18:24:46.358803: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 Aug 26 18:24:46.358805: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 Aug 26 18:24:46.358807: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 Aug 26 18:24:46.358809: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 Aug 26 18:24:46.358811: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 Aug 26 18:24:46.358813: testing CAMELLIA_CBC: Aug 26 18:24:46.358815: Camellia: 16 bytes with 128-bit key Aug 26 18:24:46.358902: Camellia: 16 bytes with 128-bit key Aug 26 18:24:46.358921: Camellia: 16 bytes with 256-bit key Aug 26 18:24:46.358940: Camellia: 16 bytes with 256-bit key 
Aug 26 18:24:46.358957: testing AES_GCM_16: Aug 26 18:24:46.358959: empty string Aug 26 18:24:46.358978: one block Aug 26 18:24:46.358994: two blocks Aug 26 18:24:46.359010: two blocks with associated data Aug 26 18:24:46.359026: testing AES_CTR: Aug 26 18:24:46.359029: Encrypting 16 octets using AES-CTR with 128-bit key Aug 26 18:24:46.359045: Encrypting 32 octets using AES-CTR with 128-bit key Aug 26 18:24:46.359062: Encrypting 36 octets using AES-CTR with 128-bit key Aug 26 18:24:46.359081: Encrypting 16 octets using AES-CTR with 192-bit key Aug 26 18:24:46.359098: Encrypting 32 octets using AES-CTR with 192-bit key Aug 26 18:24:46.359114: Encrypting 36 octets using AES-CTR with 192-bit key Aug 26 18:24:46.359131: Encrypting 16 octets using AES-CTR with 256-bit key Aug 26 18:24:46.359147: Encrypting 32 octets using AES-CTR with 256-bit key Aug 26 18:24:46.359164: Encrypting 36 octets using AES-CTR with 256-bit key Aug 26 18:24:46.359181: testing AES_CBC: Aug 26 18:24:46.359183: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Aug 26 18:24:46.359200: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Aug 26 18:24:46.359217: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Aug 26 18:24:46.359234: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Aug 26 18:24:46.359255: testing AES_XCBC: Aug 26 18:24:46.359257: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Aug 26 18:24:46.359335: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Aug 26 18:24:46.359419: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Aug 26 18:24:46.359494: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Aug 26 18:24:46.359570: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Aug 26 18:24:46.359647: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Aug 26 18:24:46.359725: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Aug 26 18:24:46.359894: RFC 4434 Test Case AES-XCBC-PRF-128 with 
20-byte input (key length 16) Aug 26 18:24:46.359971: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Aug 26 18:24:46.360054: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Aug 26 18:24:46.360197: testing HMAC_MD5: Aug 26 18:24:46.360200: RFC 2104: MD5_HMAC test 1 Aug 26 18:24:46.360313: RFC 2104: MD5_HMAC test 2 Aug 26 18:24:46.360409: RFC 2104: MD5_HMAC test 3 Aug 26 18:24:46.360562: 8 CPU cores online Aug 26 18:24:46.360566: starting up 7 crypto helpers Aug 26 18:24:46.360591: started thread for crypto helper 0 Aug 26 18:24:46.360607: started thread for crypto helper 1 Aug 26 18:24:46.360611: | starting up helper thread 1 Aug 26 18:24:46.360623: | starting up helper thread 0 Aug 26 18:24:46.360634: | starting up helper thread 2 Aug 26 18:24:46.360645: | status value returned by setting the priority of this thread (crypto helper 2) 22 Aug 26 18:24:46.360651: | crypto helper 2 waiting (nothing to do) Aug 26 18:24:46.360628: | status value returned by setting the priority of this thread (crypto helper 1) 22 Aug 26 18:24:46.360687: | crypto helper 1 waiting (nothing to do) Aug 26 18:24:46.360640: | status value returned by setting the priority of this thread (crypto helper 0) 22 Aug 26 18:24:46.360729: | crypto helper 0 waiting (nothing to do) Aug 26 18:24:46.360630: started thread for crypto helper 2 Aug 26 18:24:46.360785: started thread for crypto helper 3 Aug 26 18:24:46.360787: | starting up helper thread 3 Aug 26 18:24:46.360797: | status value returned by setting the priority of this thread (crypto helper 3) 22 Aug 26 18:24:46.360800: | crypto helper 3 waiting (nothing to do) Aug 26 18:24:46.360808: started thread for crypto helper 4 Aug 26 18:24:46.360809: | starting up helper thread 4 Aug 26 18:24:46.360815: | status value returned by setting the priority of this thread (crypto helper 4) 22 Aug 26 18:24:46.360818: | crypto helper 4 waiting (nothing to do) Aug 26 18:24:46.360826: started thread for crypto helper 
5 Aug 26 18:24:46.360828: | starting up helper thread 5 Aug 26 18:24:46.360837: | status value returned by setting the priority of this thread (crypto helper 5) 22 Aug 26 18:24:46.360840: | crypto helper 5 waiting (nothing to do) Aug 26 18:24:46.360848: started thread for crypto helper 6 Aug 26 18:24:46.360855: | checking IKEv1 state table Aug 26 18:24:46.360860: | MAIN_R0: category: half-open IKE SA flags: 0: Aug 26 18:24:46.360862: | -> MAIN_R1 EVENT_SO_DISCARD Aug 26 18:24:46.360864: | MAIN_I1: category: half-open IKE SA flags: 0: Aug 26 18:24:46.360866: | -> MAIN_I2 EVENT_RETRANSMIT Aug 26 18:24:46.360868: | MAIN_R1: category: open IKE SA flags: 200: Aug 26 18:24:46.360869: | -> MAIN_R2 EVENT_RETRANSMIT Aug 26 18:24:46.360871: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 18:24:46.360872: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 18:24:46.360874: | MAIN_I2: category: open IKE SA flags: 0: Aug 26 18:24:46.360875: | -> MAIN_I3 EVENT_RETRANSMIT Aug 26 18:24:46.360877: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 18:24:46.360878: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 18:24:46.360880: | MAIN_R2: category: open IKE SA flags: 0: Aug 26 18:24:46.360882: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 18:24:46.360883: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 18:24:46.360884: | -> UNDEFINED EVENT_SA_REPLACE Aug 26 18:24:46.360886: | MAIN_I3: category: open IKE SA flags: 0: Aug 26 18:24:46.360888: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 18:24:46.360889: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 18:24:46.360890: | -> UNDEFINED EVENT_SA_REPLACE Aug 26 18:24:46.360892: | MAIN_R3: category: established IKE SA flags: 200: Aug 26 18:24:46.360894: | -> UNDEFINED EVENT_NULL Aug 26 18:24:46.360896: | MAIN_I4: category: established IKE SA flags: 0: Aug 26 18:24:46.360897: | -> UNDEFINED EVENT_NULL Aug 26 18:24:46.360899: | AGGR_R0: category: half-open IKE SA flags: 0: Aug 26 18:24:46.360900: | -> AGGR_R1 EVENT_SO_DISCARD Aug 26 18:24:46.360902: | AGGR_I1: category: half-open IKE SA flags: 0: Aug 26 18:24:46.360903: | 
-> AGGR_I2 EVENT_SA_REPLACE Aug 26 18:24:46.360905: | -> AGGR_I2 EVENT_SA_REPLACE Aug 26 18:24:46.360907: | AGGR_R1: category: open IKE SA flags: 200: Aug 26 18:24:46.360908: | -> AGGR_R2 EVENT_SA_REPLACE Aug 26 18:24:46.360909: | -> AGGR_R2 EVENT_SA_REPLACE Aug 26 18:24:46.360911: | AGGR_I2: category: established IKE SA flags: 200: Aug 26 18:24:46.360913: | -> UNDEFINED EVENT_NULL Aug 26 18:24:46.360914: | AGGR_R2: category: established IKE SA flags: 0: Aug 26 18:24:46.360916: | -> UNDEFINED EVENT_NULL Aug 26 18:24:46.360918: | QUICK_R0: category: established CHILD SA flags: 0: Aug 26 18:24:46.360919: | -> QUICK_R1 EVENT_RETRANSMIT Aug 26 18:24:46.360921: | QUICK_I1: category: established CHILD SA flags: 0: Aug 26 18:24:46.360922: | -> QUICK_I2 EVENT_SA_REPLACE Aug 26 18:24:46.360924: | QUICK_R1: category: established CHILD SA flags: 0: Aug 26 18:24:46.360928: | -> QUICK_R2 EVENT_SA_REPLACE Aug 26 18:24:46.360930: | QUICK_I2: category: established CHILD SA flags: 200: Aug 26 18:24:46.360932: | -> UNDEFINED EVENT_NULL Aug 26 18:24:46.360933: | QUICK_R2: category: established CHILD SA flags: 0: Aug 26 18:24:46.360935: | -> UNDEFINED EVENT_NULL Aug 26 18:24:46.360936: | INFO: category: informational flags: 0: Aug 26 18:24:46.360938: | -> UNDEFINED EVENT_NULL Aug 26 18:24:46.360940: | INFO_PROTECTED: category: informational flags: 0: Aug 26 18:24:46.360941: | -> UNDEFINED EVENT_NULL Aug 26 18:24:46.360943: | XAUTH_R0: category: established IKE SA flags: 0: Aug 26 18:24:46.360944: | -> XAUTH_R1 EVENT_NULL Aug 26 18:24:46.360946: | XAUTH_R1: category: established IKE SA flags: 0: Aug 26 18:24:46.360947: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 18:24:46.360949: | MODE_CFG_R0: category: informational flags: 0: Aug 26 18:24:46.360951: | -> MODE_CFG_R1 EVENT_SA_REPLACE Aug 26 18:24:46.360952: | MODE_CFG_R1: category: established IKE SA flags: 0: Aug 26 18:24:46.360954: | -> MODE_CFG_R2 EVENT_SA_REPLACE Aug 26 18:24:46.360956: | MODE_CFG_R2: category: established IKE SA flags: 
0: Aug 26 18:24:46.360957: | -> UNDEFINED EVENT_NULL Aug 26 18:24:46.360959: | MODE_CFG_I1: category: established IKE SA flags: 0: Aug 26 18:24:46.360960: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 18:24:46.360962: | XAUTH_I0: category: established IKE SA flags: 0: Aug 26 18:24:46.360964: | -> XAUTH_I1 EVENT_RETRANSMIT Aug 26 18:24:46.360965: | XAUTH_I1: category: established IKE SA flags: 0: Aug 26 18:24:46.360967: | -> MAIN_I4 EVENT_RETRANSMIT Aug 26 18:24:46.360971: | checking IKEv2 state table Aug 26 18:24:46.360975: | PARENT_I0: category: ignore flags: 0: Aug 26 18:24:46.360977: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Aug 26 18:24:46.360979: | PARENT_I1: category: half-open IKE SA flags: 0: Aug 26 18:24:46.360981: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Aug 26 18:24:46.360983: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Aug 26 18:24:46.360985: | PARENT_I2: category: open IKE SA flags: 0: Aug 26 18:24:46.360987: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Aug 26 18:24:46.360989: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Aug 26 18:24:46.360990: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Aug 26 18:24:46.360992: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Aug 26 18:24:46.360994: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Aug 26 18:24:46.360996: | PARENT_I3: category: established IKE SA flags: 0: Aug 26 18:24:46.360998: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) Aug 26 18:24:46.360999: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) Aug 26 18:24:46.361001: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Aug 26 18:24:46.361003: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) Aug 26 
18:24:46.361004: | PARENT_R0: category: half-open IKE SA flags: 0: Aug 26 18:24:46.361006: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) Aug 26 18:24:46.361008: | PARENT_R1: category: half-open IKE SA flags: 0: Aug 26 18:24:46.361010: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) Aug 26 18:24:46.361012: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Aug 26 18:24:46.361013: | PARENT_R2: category: established IKE SA flags: 0: Aug 26 18:24:46.361015: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Aug 26 18:24:46.361017: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) Aug 26 18:24:46.361019: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Aug 26 18:24:46.361022: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) Aug 26 18:24:46.361024: | V2_CREATE_I0: category: established IKE SA flags: 0: Aug 26 18:24:46.361025: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Aug 26 18:24:46.361027: | V2_CREATE_I: category: established IKE SA flags: 0: Aug 26 18:24:46.361029: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Aug 26 18:24:46.361031: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: Aug 26 18:24:46.361033: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Aug 26 18:24:46.361035: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Aug 26 18:24:46.361036: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Aug 26 18:24:46.361038: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Aug 26 18:24:46.361040: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Aug 26 18:24:46.361042: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Aug 26 18:24:46.361044: | V2_CREATE_R: category: established IKE SA flags: 0: 
Aug 26 18:24:46.361046: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Aug 26 18:24:46.361048: | V2_REKEY_IKE_R: category: established IKE SA flags: 0: Aug 26 18:24:46.361049: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Aug 26 18:24:46.361051: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Aug 26 18:24:46.361053: | V2_IPSEC_I: category: established CHILD SA flags: 0: Aug 26 18:24:46.361055: | V2_IPSEC_R: category: established CHILD SA flags: 0: Aug 26 18:24:46.361057: | IKESA_DEL: category: established IKE SA flags: 0: Aug 26 18:24:46.361059: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Aug 26 18:24:46.361061: | CHILDSA_DEL: category: informational flags: 0: Aug 26 18:24:46.361070: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 Aug 26 18:24:46.361364: | Hard-wiring algorithms Aug 26 18:24:46.361369: | adding AES_CCM_16 to kernel algorithm db Aug 26 18:24:46.361373: | adding AES_CCM_12 to kernel algorithm db Aug 26 18:24:46.361374: | adding AES_CCM_8 to kernel algorithm db Aug 26 18:24:46.361376: | adding 3DES_CBC to kernel algorithm db Aug 26 18:24:46.361378: | adding CAMELLIA_CBC to kernel algorithm db Aug 26 18:24:46.361379: | adding AES_GCM_16 to kernel algorithm db Aug 26 18:24:46.361381: | adding AES_GCM_12 to kernel algorithm db Aug 26 18:24:46.361382: | adding AES_GCM_8 to kernel algorithm db Aug 26 18:24:46.361384: | adding AES_CTR to kernel algorithm db Aug 26 18:24:46.361386: | adding AES_CBC to kernel algorithm db Aug 26 18:24:46.361387: | adding SERPENT_CBC to kernel algorithm db Aug 26 18:24:46.361389: | adding TWOFISH_CBC to kernel algorithm db Aug 26 18:24:46.361391: | adding NULL_AUTH_AES_GMAC to kernel algorithm db Aug 26 18:24:46.361394: | adding NULL to kernel algorithm db Aug 26 18:24:46.361397: | adding CHACHA20_POLY1305 to kernel algorithm db Aug 26 18:24:46.361400: | adding HMAC_MD5_96 to kernel algorithm 
db Aug 26 18:24:46.361402: | adding HMAC_SHA1_96 to kernel algorithm db Aug 26 18:24:46.361405: | adding HMAC_SHA2_512_256 to kernel algorithm db Aug 26 18:24:46.361408: | adding HMAC_SHA2_384_192 to kernel algorithm db Aug 26 18:24:46.361410: | adding HMAC_SHA2_256_128 to kernel algorithm db Aug 26 18:24:46.361413: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Aug 26 18:24:46.361416: | adding AES_XCBC_96 to kernel algorithm db Aug 26 18:24:46.361418: | adding AES_CMAC_96 to kernel algorithm db Aug 26 18:24:46.361421: | adding NONE to kernel algorithm db Aug 26 18:24:46.361444: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Aug 26 18:24:46.361450: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Aug 26 18:24:46.361452: | setup kernel fd callback Aug 26 18:24:46.361459: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55c00a65a0d8 Aug 26 18:24:46.361464: | libevent_malloc: new ptr-libevent@0x55c00a63e578 size 128 Aug 26 18:24:46.361468: | libevent_malloc: new ptr-libevent@0x55c00a65a1e8 size 16 Aug 26 18:24:46.361474: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55c00a65ac18 Aug 26 18:24:46.361479: | libevent_malloc: new ptr-libevent@0x55c00a5fcc58 size 128 Aug 26 18:24:46.361482: | libevent_malloc: new ptr-libevent@0x55c00a65abd8 size 16 Aug 26 18:24:46.361623: | global one-shot timer EVENT_CHECK_CRLS initialized Aug 26 18:24:46.361629: selinux support is enabled. 
Aug 26 18:24:46.362103: | unbound context created - setting debug level to 5 Aug 26 18:24:46.362124: | /etc/hosts lookups activated Aug 26 18:24:46.362136: | /etc/resolv.conf usage activated Aug 26 18:24:46.362172: | outgoing-port-avoid set 0-65535 Aug 26 18:24:46.362189: | outgoing-port-permit set 32768-60999 Aug 26 18:24:46.362191: | Loading dnssec root key from:/var/lib/unbound/root.key Aug 26 18:24:46.362193: | No additional dnssec trust anchors defined via dnssec-trusted= option Aug 26 18:24:46.362196: | Setting up events, loop start Aug 26 18:24:46.362198: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55c00a65ac88 Aug 26 18:24:46.362200: | libevent_malloc: new ptr-libevent@0x55c00a666f18 size 128 Aug 26 18:24:46.362202: | libevent_malloc: new ptr-libevent@0x55c00a6721e8 size 16 Aug 26 18:24:46.362207: | libevent_realloc: new ptr-libevent@0x55c00a672228 size 256 Aug 26 18:24:46.362209: | libevent_malloc: new ptr-libevent@0x55c00a672358 size 8 Aug 26 18:24:46.362211: | libevent_realloc: new ptr-libevent@0x55c00a5fc528 size 144 Aug 26 18:24:46.362213: | libevent_malloc: new ptr-libevent@0x55c00a605888 size 152 Aug 26 18:24:46.362216: | libevent_malloc: new ptr-libevent@0x55c00a672398 size 16 Aug 26 18:24:46.362219: | signal event handler PLUTO_SIGCHLD installed Aug 26 18:24:46.362221: | libevent_malloc: new ptr-libevent@0x55c00a6723d8 size 8 Aug 26 18:24:46.362224: | libevent_malloc: new ptr-libevent@0x55c00a5fd658 size 152 Aug 26 18:24:46.362226: | signal event handler PLUTO_SIGTERM installed Aug 26 18:24:46.362227: | libevent_malloc: new ptr-libevent@0x55c00a672418 size 8 Aug 26 18:24:46.362229: | libevent_malloc: new ptr-libevent@0x55c00a672458 size 152 Aug 26 18:24:46.362231: | signal event handler PLUTO_SIGHUP installed Aug 26 18:24:46.362233: | libevent_malloc: new ptr-libevent@0x55c00a672528 size 8 Aug 26 18:24:46.362235: | libevent_realloc: release ptr-libevent@0x55c00a5fc528 Aug 26 18:24:46.362237: | libevent_realloc: new 
ptr-libevent@0x55c00a672568 size 256 Aug 26 18:24:46.362238: | libevent_malloc: new ptr-libevent@0x55c00a672698 size 152 Aug 26 18:24:46.362240: | signal event handler PLUTO_SIGSYS installed Aug 26 18:24:46.362508: | created addconn helper (pid:23531) using fork+execve Aug 26 18:24:46.362524: | forked child 23531 Aug 26 18:24:46.362561: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:24:46.362572: listening for IKE messages Aug 26 18:24:46.362648: | Inspecting interface lo Aug 26 18:24:46.362653: | found lo with address 127.0.0.1 Aug 26 18:24:46.362655: | Inspecting interface eth0 Aug 26 18:24:46.362658: | found eth0 with address 192.0.2.254 Aug 26 18:24:46.362659: | Inspecting interface eth0 Aug 26 18:24:46.362662: | found eth0 with address 192.0.22.251 Aug 26 18:24:46.362664: | Inspecting interface eth0 Aug 26 18:24:46.362668: | found eth0 with address 192.0.22.254 Aug 26 18:24:46.362671: | Inspecting interface eth0 Aug 26 18:24:46.362675: | found eth0 with address 192.0.2.251 Aug 26 18:24:46.362677: | Inspecting interface eth1 Aug 26 18:24:46.362679: | starting up helper thread 6 Aug 26 18:24:46.362682: | found eth1 with address 192.1.2.23 Aug 26 18:24:46.362693: | status value returned by setting the priority of this thread (crypto helper 6) 22 Aug 26 18:24:46.362709: | crypto helper 6 waiting (nothing to do) Aug 26 18:24:46.362810: Kernel supports NIC esp-hw-offload Aug 26 18:24:46.362828: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Aug 26 18:24:46.362883: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 18:24:46.362890: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 18:24:46.362894: adding interface eth1/eth1 192.1.2.23:4500 Aug 26 18:24:46.362924: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.251:500 Aug 26 18:24:46.362948: | NAT-Traversal: Trying sockopt style NAT-T Aug 
26 18:24:46.362953: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 18:24:46.362958: adding interface eth0/eth0 192.0.2.251:4500 Aug 26 18:24:46.362982: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.22.254:500 Aug 26 18:24:46.363005: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 18:24:46.363009: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 18:24:46.363013: adding interface eth0/eth0 192.0.22.254:4500 Aug 26 18:24:46.363036: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.22.251:500 Aug 26 18:24:46.363057: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 18:24:46.363062: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 18:24:46.363066: adding interface eth0/eth0 192.0.22.251:4500 Aug 26 18:24:46.363092: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Aug 26 18:24:46.363113: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 18:24:46.363117: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 18:24:46.363121: adding interface eth0/eth0 192.0.2.254:4500 Aug 26 18:24:46.363147: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Aug 26 18:24:46.363167: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 18:24:46.363172: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 18:24:46.363176: adding interface lo/lo 127.0.0.1:4500 Aug 26 18:24:46.363268: | no interfaces to sort Aug 26 18:24:46.363273: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Aug 26 18:24:46.363304: | add_fd_read_event_handler: new ethX-pe@0x55c00a672f88 Aug 26 18:24:46.363312: | libevent_malloc: new ptr-libevent@0x55c00a666e68 size 128 Aug 26 18:24:46.363315: | libevent_malloc: new ptr-libevent@0x55c00a672ff8 size 16 Aug 26 18:24:46.363323: | setup callback for interface lo 127.0.0.1:4500 fd 28 Aug 26 18:24:46.363326: | add_fd_read_event_handler: new ethX-pe@0x55c00a673038 Aug 26 18:24:46.363330: | libevent_malloc: new ptr-libevent@0x55c00a5fcba8 size 128 Aug 26 18:24:46.363333: | libevent_malloc: new ptr-libevent@0x55c00a6730a8 size 16 Aug 26 18:24:46.363339: | setup callback for interface lo 127.0.0.1:500 fd 27 Aug 26 18:24:46.363342: | add_fd_read_event_handler: new ethX-pe@0x55c00a6730e8 Aug 26 18:24:46.363345: | libevent_malloc: new ptr-libevent@0x55c00a5fc428 size 128 Aug 26 18:24:46.363348: | libevent_malloc: new ptr-libevent@0x55c00a673158 size 16 Aug 26 18:24:46.363354: | setup callback for interface eth0 192.0.2.254:4500 fd 26 Aug 26 18:24:46.363357: | add_fd_read_event_handler: new ethX-pe@0x55c00a673808 Aug 26 18:24:46.363362: | libevent_malloc: new ptr-libevent@0x55c00a5fd588 size 128 Aug 26 18:24:46.363365: | libevent_malloc: new ptr-libevent@0x55c00a673878 size 16 Aug 26 18:24:46.363370: | setup callback for interface eth0 192.0.2.254:500 fd 25 Aug 26 18:24:46.363374: | add_fd_read_event_handler: new ethX-pe@0x55c00a6738b8 Aug 26 18:24:46.363377: | libevent_malloc: new ptr-libevent@0x55c00a5d14e8 size 128 Aug 26 18:24:46.363380: | libevent_malloc: new ptr-libevent@0x55c00a673928 size 16 Aug 26 18:24:46.363386: | setup callback for interface eth0 192.0.22.251:4500 fd 24 Aug 26 18:24:46.363389: | add_fd_read_event_handler: new ethX-pe@0x55c00a673968 Aug 26 18:24:46.363392: | libevent_malloc: new ptr-libevent@0x55c00a5d11d8 size 128 Aug 26 18:24:46.363395: | libevent_malloc: new ptr-libevent@0x55c00a6739d8 size 16 Aug 26 18:24:46.363405: | setup callback for interface eth0 192.0.22.251:500 fd 23 Aug 26 
18:24:46.363408: | add_fd_read_event_handler: new ethX-pe@0x55c00a673a18 Aug 26 18:24:46.363412: | libevent_malloc: new ptr-libevent@0x55c00a673a88 size 128 Aug 26 18:24:46.363415: | libevent_malloc: new ptr-libevent@0x55c00a673b38 size 16 Aug 26 18:24:46.363420: | setup callback for interface eth0 192.0.22.254:4500 fd 22 Aug 26 18:24:46.363423: | add_fd_read_event_handler: new ethX-pe@0x55c00a673b78 Aug 26 18:24:46.363426: | libevent_malloc: new ptr-libevent@0x55c00a673be8 size 128 Aug 26 18:24:46.363429: | libevent_malloc: new ptr-libevent@0x55c00a673c98 size 16 Aug 26 18:24:46.363434: | setup callback for interface eth0 192.0.22.254:500 fd 21 Aug 26 18:24:46.363437: | add_fd_read_event_handler: new ethX-pe@0x55c00a673cd8 Aug 26 18:24:46.363440: | libevent_malloc: new ptr-libevent@0x55c00a673d48 size 128 Aug 26 18:24:46.363444: | libevent_malloc: new ptr-libevent@0x55c00a673df8 size 16 Aug 26 18:24:46.363449: | setup callback for interface eth0 192.0.2.251:4500 fd 20 Aug 26 18:24:46.363452: | add_fd_read_event_handler: new ethX-pe@0x55c00a673e38 Aug 26 18:24:46.363455: | libevent_malloc: new ptr-libevent@0x55c00a673ea8 size 128 Aug 26 18:24:46.363458: | libevent_malloc: new ptr-libevent@0x55c00a673f58 size 16 Aug 26 18:24:46.363464: | setup callback for interface eth0 192.0.2.251:500 fd 19 Aug 26 18:24:46.363467: | add_fd_read_event_handler: new ethX-pe@0x55c00a673f98 Aug 26 18:24:46.363472: | libevent_malloc: new ptr-libevent@0x55c00a674008 size 128 Aug 26 18:24:46.363475: | libevent_malloc: new ptr-libevent@0x55c00a6740b8 size 16 Aug 26 18:24:46.363481: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 18:24:46.363484: | add_fd_read_event_handler: new ethX-pe@0x55c00a6740f8 Aug 26 18:24:46.363487: | libevent_malloc: new ptr-libevent@0x55c00a674168 size 128 Aug 26 18:24:46.363490: | libevent_malloc: new ptr-libevent@0x55c00a674218 size 16 Aug 26 18:24:46.363495: | setup callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 18:24:46.363500: | 
certs and keys locked by 'free_preshared_secrets' Aug 26 18:24:46.363503: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 18:24:46.363524: loading secrets from "/etc/ipsec.secrets" Aug 26 18:24:46.363544: | saving Modulus Aug 26 18:24:46.363549: | saving PublicExponent Aug 26 18:24:46.363553: | ignoring PrivateExponent Aug 26 18:24:46.363557: | ignoring Prime1 Aug 26 18:24:46.363560: | ignoring Prime2 Aug 26 18:24:46.363563: | ignoring Exponent1 Aug 26 18:24:46.363566: | ignoring Exponent2 Aug 26 18:24:46.363570: | ignoring Coefficient Aug 26 18:24:46.363573: | ignoring CKAIDNSS Aug 26 18:24:46.363606: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Aug 26 18:24:46.363610: | computed rsa CKAID 8a 82 25 f1 Aug 26 18:24:46.363615: loaded private key for keyid: PKK_RSA:AQO9bJbr3 Aug 26 18:24:46.363622: | certs and keys locked by 'process_secret' Aug 26 18:24:46.363624: | certs and keys unlocked by 'process_secret' Aug 26 18:24:46.363634: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:24:46.363641: | spent 1.07 milliseconds in whack Aug 26 18:24:46.382999: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:24:46.383021: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 18:24:46.383024: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 18:24:46.383026: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 18:24:46.383027: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 18:24:46.383031: | FOR_EACH_CONNECTION_... 
in conn_by_name Aug 26 18:24:46.383037: | Added new connection north-eastnets/0x1 with policy ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 18:24:46.383039: | No AUTH policy was set - defaulting to RSASIG Aug 26 18:24:46.383058: | ike (phase1) algorithm values: AES_CBC_256-HMAC_SHA2_256-MODP2048 Aug 26 18:24:46.383060: | from whack: got --esp=aes128-sha2_512;modp3072 Aug 26 18:24:46.383075: | ESP/AH string values: AES_CBC_128-HMAC_SHA2_512_256-MODP3072 Aug 26 18:24:46.383078: | counting wild cards for @north is 0 Aug 26 18:24:46.383081: | counting wild cards for @east is 0 Aug 26 18:24:46.383088: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@(nil): none Aug 26 18:24:46.383090: | new hp@0x55c00a674d78 Aug 26 18:24:46.383094: added connection description "north-eastnets/0x1" Aug 26 18:24:46.383102: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 18:24:46.383110: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.3.33<192.1.3.33>[@north]===192.0.3.0/24 Aug 26 18:24:46.383116: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:24:46.383121: | spent 0.13 milliseconds in whack Aug 26 18:24:46.383146: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:24:46.383153: add keyid @north Aug 26
18:24:46.383199: | computed rsa CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Aug 26 18:24:46.383201: | computed rsa CKAID 88 aa 7c 5d Aug 26 18:24:46.383208: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:24:46.383211: | spent 0.0673 milliseconds in whack Aug 26 18:24:46.383236: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:24:46.383242: add keyid @east Aug 26
18:24:46.383278: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Aug 26 18:24:46.383280: | computed rsa CKAID 8a 82 25 f1 Aug 26 18:24:46.383285: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:24:46.383292: | spent 0.0563 milliseconds in whack Aug 26 18:24:46.383362: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:24:46.383375: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 18:24:46.383377: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 18:24:46.383379: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 18:24:46.383381: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 18:24:46.383383: | FOR_EACH_CONNECTION_... 
in conn_by_name Aug 26 18:24:46.383387: | Added new connection north-eastnets/0x2 with policy ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 18:24:46.383389: | No AUTH policy was set - defaulting to RSASIG Aug 26 18:24:46.383404: | ike (phase1) algorithm values: AES_CBC_256-HMAC_SHA2_256-MODP2048 Aug 26 18:24:46.383406: | from whack: got --esp=aes128-sha2_512;modp3072 Aug 26 18:24:46.383415: | ESP/AH string values: AES_CBC_128-HMAC_SHA2_512_256-MODP3072 Aug 26 18:24:46.383418: | counting wild cards for @north is 0 Aug 26 18:24:46.383420: | counting wild cards for @east is 0 Aug 26 18:24:46.383424: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Aug 26 18:24:46.383427: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@0x55c00a674d78: north-eastnets/0x1 Aug 26 18:24:46.383429: added connection description "north-eastnets/0x2" Aug 26 18:24:46.383436: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 18:24:46.383442: | 192.0.22.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.3.33<192.1.3.33>[@north]===192.0.3.0/24 Aug 26 18:24:46.383448: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:24:46.383452: | spent 0.095 milliseconds in whack Aug 26 18:24:46.383512: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:24:46.383524: add keyid @north Aug 26 18:24:46.383528: | unreference key: 0x55c00a5ccc48 @north cnt 1-- Aug 26
18:24:46.383569: | computed rsa CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Aug 26 18:24:46.383571: | computed rsa CKAID 88 aa 7c 5d Aug 26 18:24:46.383578: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:24:46.383582: | spent 0.0758 milliseconds in whack Aug 26 18:24:46.383641: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:24:46.383653: add keyid @east Aug 26 18:24:46.383657: | unreference key: 0x55c00a6750e8 @east cnt 1-- Aug 26
18:24:46.383694: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Aug 26 18:24:46.383695: | computed rsa CKAID 8a 82 25 f1 Aug 26 18:24:46.383703: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:24:46.383707: | spent 0.0708 milliseconds in whack Aug 26 18:24:46.383757: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:24:46.383765: listening for IKE messages Aug 26 18:24:46.391701: | Inspecting interface lo Aug 26 18:24:46.391727: | found lo with address 127.0.0.1 Aug 26 18:24:46.391732: | Inspecting interface eth0 Aug 26 18:24:46.391737: | found eth0 with address 192.0.2.254 Aug 26 18:24:46.391739: | Inspecting interface eth0 Aug 26 18:24:46.391744: | found eth0 with address 192.0.22.251 Aug 26 
18:24:46.391747: | Inspecting interface eth0 Aug 26 18:24:46.391751: | found eth0 with address 192.0.22.254 Aug 26 18:24:46.391753: | Inspecting interface eth0 Aug 26 18:24:46.391757: | found eth0 with address 192.0.2.251 Aug 26 18:24:46.391759: | Inspecting interface eth1 Aug 26 18:24:46.391763: | found eth1 with address 192.1.2.23 Aug 26 18:24:46.391841: | no interfaces to sort Aug 26 18:24:46.391853: | libevent_free: release ptr-libevent@0x55c00a666e68 Aug 26 18:24:46.391856: | free_event_entry: release EVENT_NULL-pe@0x55c00a672f88 Aug 26 18:24:46.391859: | add_fd_read_event_handler: new ethX-pe@0x55c00a672f88 Aug 26 18:24:46.391863: | libevent_malloc: new ptr-libevent@0x55c00a676358 size 128 Aug 26 18:24:46.391876: | setup callback for interface lo 127.0.0.1:4500 fd 28 Aug 26 18:24:46.391880: | libevent_free: release ptr-libevent@0x55c00a5fcba8 Aug 26 18:24:46.391883: | free_event_entry: release EVENT_NULL-pe@0x55c00a673038 Aug 26 18:24:46.391885: | add_fd_read_event_handler: new ethX-pe@0x55c00a673038 Aug 26 18:24:46.391888: | libevent_malloc: new ptr-libevent@0x55c00a5fcba8 size 128 Aug 26 18:24:46.391893: | setup callback for interface lo 127.0.0.1:500 fd 27 Aug 26 18:24:46.391897: | libevent_free: release ptr-libevent@0x55c00a5fc428 Aug 26 18:24:46.391900: | free_event_entry: release EVENT_NULL-pe@0x55c00a6730e8 Aug 26 18:24:46.391903: | add_fd_read_event_handler: new ethX-pe@0x55c00a6730e8 Aug 26 18:24:46.391906: | libevent_malloc: new ptr-libevent@0x55c00a5fc428 size 128 Aug 26 18:24:46.391911: | setup callback for interface eth0 192.0.2.254:4500 fd 26 Aug 26 18:24:46.391914: | libevent_free: release ptr-libevent@0x55c00a5fd588 Aug 26 18:24:46.391918: | free_event_entry: release EVENT_NULL-pe@0x55c00a673808 Aug 26 18:24:46.391921: | add_fd_read_event_handler: new ethX-pe@0x55c00a673808 Aug 26 18:24:46.391924: | libevent_malloc: new ptr-libevent@0x55c00a5fd588 size 128 Aug 26 18:24:46.391928: | setup callback for interface eth0 192.0.2.254:500 fd 25 Aug 26 
18:24:46.391933: | libevent_free: release ptr-libevent@0x55c00a5d14e8 Aug 26 18:24:46.391936: | free_event_entry: release EVENT_NULL-pe@0x55c00a6738b8 Aug 26 18:24:46.391938: | add_fd_read_event_handler: new ethX-pe@0x55c00a6738b8 Aug 26 18:24:46.391941: | libevent_malloc: new ptr-libevent@0x55c00a5d14e8 size 128 Aug 26 18:24:46.391946: | setup callback for interface eth0 192.0.22.251:4500 fd 24 Aug 26 18:24:46.391951: | libevent_free: release ptr-libevent@0x55c00a5d11d8 Aug 26 18:24:46.391954: | free_event_entry: release EVENT_NULL-pe@0x55c00a673968 Aug 26 18:24:46.391956: | add_fd_read_event_handler: new ethX-pe@0x55c00a673968 Aug 26 18:24:46.391959: | libevent_malloc: new ptr-libevent@0x55c00a5d11d8 size 128 Aug 26 18:24:46.391965: | setup callback for interface eth0 192.0.22.251:500 fd 23 Aug 26 18:24:46.391969: | libevent_free: release ptr-libevent@0x55c00a673a88 Aug 26 18:24:46.391971: | free_event_entry: release EVENT_NULL-pe@0x55c00a673a18 Aug 26 18:24:46.391974: | add_fd_read_event_handler: new ethX-pe@0x55c00a673a18 Aug 26 18:24:46.391977: | libevent_malloc: new ptr-libevent@0x55c00a673a88 size 128 Aug 26 18:24:46.391982: | setup callback for interface eth0 192.0.22.254:4500 fd 22 Aug 26 18:24:46.391987: | libevent_free: release ptr-libevent@0x55c00a673be8 Aug 26 18:24:46.391989: | free_event_entry: release EVENT_NULL-pe@0x55c00a673b78 Aug 26 18:24:46.391993: | add_fd_read_event_handler: new ethX-pe@0x55c00a673b78 Aug 26 18:24:46.391995: | libevent_malloc: new ptr-libevent@0x55c00a673be8 size 128 Aug 26 18:24:46.392001: | setup callback for interface eth0 192.0.22.254:500 fd 21 Aug 26 18:24:46.392004: | libevent_free: release ptr-libevent@0x55c00a673d48 Aug 26 18:24:46.392007: | free_event_entry: release EVENT_NULL-pe@0x55c00a673cd8 Aug 26 18:24:46.392009: | add_fd_read_event_handler: new ethX-pe@0x55c00a673cd8 Aug 26 18:24:46.392012: | libevent_malloc: new ptr-libevent@0x55c00a673d48 size 128 Aug 26 18:24:46.392018: | setup callback for interface eth0 
192.0.2.251:4500 fd 20 Aug 26 18:24:46.392021: | libevent_free: release ptr-libevent@0x55c00a673ea8 Aug 26 18:24:46.392024: | free_event_entry: release EVENT_NULL-pe@0x55c00a673e38 Aug 26 18:24:46.392027: | add_fd_read_event_handler: new ethX-pe@0x55c00a673e38 Aug 26 18:24:46.392030: | libevent_malloc: new ptr-libevent@0x55c00a673ea8 size 128 Aug 26 18:24:46.392035: | setup callback for interface eth0 192.0.2.251:500 fd 19 Aug 26 18:24:46.392038: | libevent_free: release ptr-libevent@0x55c00a674008 Aug 26 18:24:46.392041: | free_event_entry: release EVENT_NULL-pe@0x55c00a673f98 Aug 26 18:24:46.392044: | add_fd_read_event_handler: new ethX-pe@0x55c00a673f98 Aug 26 18:24:46.392047: | libevent_malloc: new ptr-libevent@0x55c00a674008 size 128 Aug 26 18:24:46.392055: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 18:24:46.392059: | libevent_free: release ptr-libevent@0x55c00a674168 Aug 26 18:24:46.392062: | free_event_entry: release EVENT_NULL-pe@0x55c00a6740f8 Aug 26 18:24:46.392065: | add_fd_read_event_handler: new ethX-pe@0x55c00a6740f8 Aug 26 18:24:46.392068: | libevent_malloc: new ptr-libevent@0x55c00a674168 size 128 Aug 26 18:24:46.392073: | setup callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 18:24:46.392076: | certs and keys locked by 'free_preshared_secrets' Aug 26 18:24:46.392078: forgetting secrets Aug 26 18:24:46.392089: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 18:24:46.392106: loading secrets from "/etc/ipsec.secrets" Aug 26 18:24:46.392119: | saving Modulus Aug 26 18:24:46.392123: | saving PublicExponent Aug 26 18:24:46.392127: | ignoring PrivateExponent Aug 26 18:24:46.392131: | ignoring Prime1 Aug 26 18:24:46.392133: | ignoring Prime2 Aug 26 18:24:46.392137: | ignoring Exponent1 Aug 26 18:24:46.392140: | ignoring Exponent2 Aug 26 18:24:46.392143: | ignoring Coefficient Aug 26 18:24:46.392146: | ignoring CKAIDNSS Aug 26 18:24:46.392169: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Aug 
26 18:24:46.392172: | computed rsa CKAID 8a 82 25 f1 Aug 26 18:24:46.392175: loaded private key for keyid: PKK_RSA:AQO9bJbr3 Aug 26 18:24:46.392181: | certs and keys locked by 'process_secret' Aug 26 18:24:46.392184: | certs and keys unlocked by 'process_secret' Aug 26 18:24:46.392193: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:24:46.392202: | spent 0.568 milliseconds in whack Aug 26 18:24:46.392352: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:24:46.392368: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 18:24:46.392372: initiating all conns with alias='north-eastnets' Aug 26 18:24:46.392380: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 18:24:46.392385: | start processing: connection "north-eastnets/0x2" (in initiate_a_connection() at initiate.c:186) Aug 26 18:24:46.392388: | connection 'north-eastnets/0x2' +POLICY_UP Aug 26 18:24:46.392391: | dup_any(fd@-1) -> fd@-1 (in initiate_a_connection() at initiate.c:342) Aug 26 18:24:46.392393: | FOR_EACH_STATE_... 
in find_phase1_state Aug 26 18:24:46.392407: | creating state object #1 at 0x55c00a676408 Aug 26 18:24:46.392410: | State DB: adding IKEv2 state #1 in UNDEFINED Aug 26 18:24:46.392418: | pstats #1 ikev2.ike started Aug 26 18:24:46.392421: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Aug 26 18:24:46.392424: | parent state #1: UNDEFINED(ignore) => PARENT_I0(ignore) Aug 26 18:24:46.392429: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Aug 26 18:24:46.392436: | suspend processing: connection "north-eastnets/0x2" (in ikev2_parent_outI1() at ikev2_parent.c:535) Aug 26 18:24:46.392441: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33 (in ikev2_parent_outI1() at ikev2_parent.c:535) Aug 26 18:24:46.392444: | dup_any(fd@-1) -> fd@-1 (in ikev2_parent_outI1() at ikev2_parent.c:551) Aug 26 18:24:46.392447: | Queuing pending IPsec SA negotiating with 192.1.3.33 "north-eastnets/0x2" IKE SA #1 "north-eastnets/0x2" Aug 26 18:24:46.392451: "north-eastnets/0x2" #1: initiating v2 parent SA Aug 26 18:24:46.392464: | constructing local IKE proposals for north-eastnets/0x2 (IKE SA initiator selecting KE) Aug 26 18:24:46.392469: | converting ike_info AES_CBC_256-HMAC_SHA2_256-MODP2048 to ikev2 ... Aug 26 18:24:46.392475: | ... 
ikev2_proposal: 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Aug 26 18:24:46.392479: "north-eastnets/0x2": constructed local IKE proposals for north-eastnets/0x2 (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Aug 26 18:24:46.392487: | adding ikev2_outI1 KE work-order 1 for state #1 Aug 26 18:24:46.392493: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55c00a674e58 Aug 26 18:24:46.392496: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 18:24:46.392499: | libevent_malloc: new ptr-libevent@0x55c00a666e68 size 128 Aug 26 18:24:46.392524: | crypto helper 2 resuming Aug 26 18:24:46.392529: | crypto helper 2 starting work-order 1 for state #1 Aug 26 18:24:46.392532: | crypto helper 2 doing build KE and nonce (ikev2_outI1 KE); request ID 1 Aug 26 18:24:46.393316: | crypto helper 2 finished build KE and nonce (ikev2_outI1 KE); request ID 1 time elapsed 0.000781 seconds Aug 26 18:24:46.393331: | (#1) spent 0.792 milliseconds in crypto helper computing work-order 1: ikev2_outI1 KE (pcr) Aug 26 18:24:46.393336: | crypto helper 2 sending results from work-order 1 for state #1 to event queue Aug 26 18:24:46.393339: | scheduling resume sending helper answer for #1 Aug 26 18:24:46.393344: | libevent_malloc: new ptr-libevent@0x7f55dc002888 size 128 Aug 26 18:24:46.393349: | crypto helper 2 waiting (nothing to do) Aug 26 18:24:46.393362: | #1 spent 0.13 milliseconds in ikev2_parent_outI1() Aug 26 18:24:46.393369: | processing: RESET whack log_fd (was fd@16) (in ikev2_parent_outI1() at ikev2_parent.c:610) Aug 26 18:24:46.393380: | RESET processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33 (in ikev2_parent_outI1() at ikev2_parent.c:610) Aug 26 18:24:46.393385: | RESET processing: connection "north-eastnets/0x2" (in ikev2_parent_outI1() at ikev2_parent.c:610) Aug 26 18:24:46.393389: | processing: STOP connection NULL (in initiate_a_connection() at 
initiate.c:349) Aug 26 18:24:46.393396: | start processing: connection "north-eastnets/0x1" (in initiate_a_connection() at initiate.c:186) Aug 26 18:24:46.393399: | connection 'north-eastnets/0x1' +POLICY_UP Aug 26 18:24:46.393403: | dup_any(fd@-1) -> fd@-1 (in initiate_a_connection() at initiate.c:342) Aug 26 18:24:46.393406: | FOR_EACH_STATE_... in find_phase1_state Aug 26 18:24:46.393413: | Queuing pending IPsec SA negotiating with 192.1.3.33 "north-eastnets/0x1" IKE SA #1 "north-eastnets/0x2" Aug 26 18:24:46.393419: | stop processing: connection "north-eastnets/0x1" (in initiate_a_connection() at initiate.c:349) Aug 26 18:24:46.393431: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:24:46.393438: | spent 0.244 milliseconds in whack Aug 26 18:24:46.393447: | processing resume sending helper answer for #1 Aug 26 18:24:46.393454: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33 (in resume_handler() at server.c:797) Aug 26 18:24:46.393458: | crypto helper 2 replies to request ID 1 Aug 26 18:24:46.393461: | calling continuation function 0x55c0090b4b50 Aug 26 18:24:46.393464: | ikev2_parent_outI1_continue for #1 Aug 26 18:24:46.393492: | **emit ISAKMP Message: Aug 26 18:24:46.393496: | initiator cookie: Aug 26 18:24:46.393498: | 1d 87 e1 c9 95 80 71 a7 Aug 26 18:24:46.393501: | responder cookie: Aug 26 18:24:46.393503: | 00 00 00 00 00 00 00 00 Aug 26 18:24:46.393507: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:24:46.393509: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:46.393512: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 18:24:46.393516: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 18:24:46.393519: | Message ID: 0 (0x0) Aug 26 18:24:46.393522: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:24:46.393529: | using existing local IKE proposals for connection north-eastnets/0x2 (IKE SA initiator emitting local proposals): 
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Aug 26 18:24:46.393531: | Emitting ikev2_proposals ... Aug 26 18:24:46.393534: | ***emit IKEv2 Security Association Payload: Aug 26 18:24:46.393537: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:46.393539: | flags: none (0x0) Aug 26 18:24:46.393543: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 18:24:46.393549: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 18:24:46.393553: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 18:24:46.393555: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:24:46.393558: | prop #: 1 (0x1) Aug 26 18:24:46.393560: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:24:46.393562: | spi size: 0 (0x0) Aug 26 18:24:46.393564: | # transforms: 4 (0x4) Aug 26 18:24:46.393567: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 18:24:46.393570: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:24:46.393573: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:46.393575: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:46.393577: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:24:46.393580: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:46.393583: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 18:24:46.393586: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:46.393588: | length/value: 256 (0x100) Aug 26 18:24:46.393591: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 18:24:46.393593: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:24:46.393596: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:46.393598: | IKEv2 transform 
type: TRANS_TYPE_PRF (0x2) Aug 26 18:24:46.393601: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:24:46.393604: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:46.393607: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:46.393610: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:24:46.393612: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:24:46.393615: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:46.393617: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:24:46.393620: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:24:46.393623: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:46.393626: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:46.393629: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:24:46.393631: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:24:46.393634: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:46.393636: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:46.393639: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:24:46.393642: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:46.393644: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:46.393647: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:24:46.393650: | emitting length of IKEv2 Proposal Substructure 
Payload: 44 Aug 26 18:24:46.393653: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 18:24:46.393655: | emitting length of IKEv2 Security Association Payload: 48 Aug 26 18:24:46.393658: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 18:24:46.393660: | ***emit IKEv2 Key Exchange Payload: Aug 26 18:24:46.393667: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:46.393670: | flags: none (0x0) Aug 26 18:24:46.393672: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:24:46.393675: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 18:24:46.393678: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 18:24:46.393681: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Aug 26
18:24:46.393724: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 18:24:46.393727: | ***emit IKEv2 Nonce Payload: Aug 26 18:24:46.393730: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:24:46.393732: | flags: none (0x0) Aug 26 18:24:46.393735: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Aug 26 18:24:46.393739: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 18:24:46.393741: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 18:24:46.393744: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 18:24:46.393746: | IKEv2 nonce 75 00 1b 1d 80 d3 03 ab b6 b9 db d8 a1 03 1c ed Aug 26 18:24:46.393748: | IKEv2 nonce 77 23 cb 2b 85 4e 93 36 22 a2 56 cd c0 ce 30 8d Aug 26 18:24:46.393750: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 18:24:46.393753: | Adding a v2N Payload Aug 26 18:24:46.393755: | ***emit IKEv2 Notify Payload: Aug 26 18:24:46.393757: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:46.393760: | flags: none (0x0) Aug 26 18:24:46.393762: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:24:46.393764: | SPI size: 0 (0x0) Aug 26 18:24:46.393767: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 18:24:46.393770: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:24:46.393773: | next payload chain: 
saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:24:46.393776: | emitting length of IKEv2 Notify Payload: 8 Aug 26 18:24:46.393779: | NAT-Traversal support [enabled] add v2N payloads. Aug 26 18:24:46.393782: | natd_hash: rcookie is zero Aug 26 18:24:46.393793: | natd_hash: hasher=0x55c009189800(20) Aug 26 18:24:46.393796: | natd_hash: icookie= 1d 87 e1 c9 95 80 71 a7 Aug 26 18:24:46.393799: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 18:24:46.393803: | natd_hash: ip= c0 01 02 17 Aug 26 18:24:46.393805: | natd_hash: port=500 Aug 26 18:24:46.393808: | natd_hash: hash= b7 b1 a1 e1 5c 09 28 1a 25 49 a1 68 a4 6c 29 a5 Aug 26 18:24:46.393810: | natd_hash: hash= 76 8d 9d 06 Aug 26 18:24:46.393813: | Adding a v2N Payload Aug 26 18:24:46.393815: | ***emit IKEv2 Notify Payload: Aug 26 18:24:46.393818: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:46.393820: | flags: none (0x0) Aug 26 18:24:46.393823: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:24:46.393825: | SPI size: 0 (0x0) Aug 26 18:24:46.393828: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 18:24:46.393831: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:24:46.393834: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:24:46.393837: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 18:24:46.393840: | Notify data b7 b1 a1 e1 5c 09 28 1a 25 49 a1 68 a4 6c 29 a5 Aug 26 18:24:46.393842: | Notify data 76 8d 9d 06 Aug 26 18:24:46.393844: | emitting length of IKEv2 Notify Payload: 28 Aug 26 18:24:46.393846: | natd_hash: rcookie is zero Aug 26 18:24:46.393853: | natd_hash: hasher=0x55c009189800(20) Aug 26 18:24:46.393855: | natd_hash: icookie= 1d 87 e1 c9 95 80 71 a7 Aug 26 18:24:46.393857: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 18:24:46.393860: | 
natd_hash: ip= c0 01 03 21 Aug 26 18:24:46.393862: | natd_hash: port=500 Aug 26 18:24:46.393864: | natd_hash: hash= 29 e6 d1 3b 01 7d 08 a4 29 58 21 73 48 2a 04 6a Aug 26 18:24:46.393866: | natd_hash: hash= 64 6e 6d 2f Aug 26 18:24:46.393868: | Adding a v2N Payload Aug 26 18:24:46.393871: | ***emit IKEv2 Notify Payload: Aug 26 18:24:46.393873: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:46.393876: | flags: none (0x0) Aug 26 18:24:46.393878: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:24:46.393880: | SPI size: 0 (0x0) Aug 26 18:24:46.393883: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 18:24:46.393886: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:24:46.393888: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:24:46.393891: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 18:24:46.393894: | Notify data 29 e6 d1 3b 01 7d 08 a4 29 58 21 73 48 2a 04 6a Aug 26 18:24:46.393896: | Notify data 64 6e 6d 2f Aug 26 18:24:46.393898: | emitting length of IKEv2 Notify Payload: 28 Aug 26 18:24:46.393900: | emitting length of ISAKMP Message: 440 Aug 26 18:24:46.393907: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33 (in ikev2_parent_outI1_common() at ikev2_parent.c:817) Aug 26 18:24:46.393917: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:24:46.393921: | #1 complete_v2_state_transition() PARENT_I0->PARENT_I1 with status STF_OK Aug 26 18:24:46.393925: | IKEv2: transition from state STATE_PARENT_I0 to state STATE_PARENT_I1 Aug 26 18:24:46.393928: | parent state #1: PARENT_I0(ignore) => PARENT_I1(half-open IKE SA) Aug 26 18:24:46.393931: | Message ID: updating counters for #1 to 4294967295 after switching state Aug 26 18:24:46.393934: | 
Message ID: IKE #1 skipping update_recv as MD is fake Aug 26 18:24:46.393939: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1->0 wip.responder=-1 Aug 26 18:24:46.393942: "north-eastnets/0x2" #1: STATE_PARENT_I1: sent v2I1, expected v2R1 Aug 26 18:24:46.393947: | sending V2 reply packet to 192.1.3.33:500 (from 192.1.2.23:500) Aug 26 18:24:46.393959: | sending 440 bytes for STATE_PARENT_I0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Aug 26 18:24:46.394080: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 18:24:46.394085: | libevent_free: release ptr-libevent@0x55c00a666e68 Aug 26 18:24:46.394089: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55c00a674e58 Aug 26 18:24:46.394092: | success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=500ms Aug 26 18:24:46.394096: | event_schedule: new EVENT_RETRANSMIT-pe@0x55c00a674e58 Aug 26 18:24:46.394100: | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 Aug 26 18:24:46.394103: | libevent_malloc: new ptr-libevent@0x55c00a677048 size 128 Aug 26 18:24:46.394109: | #1 STATE_PARENT_I1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29172.136562 Aug 26 18:24:46.394113: | resume sending helper answer for #1 suppresed complete_v2_state_transition() and stole MD Aug 26 18:24:46.394118: | #1 spent 0.628 milliseconds in resume sending helper answer Aug 26 18:24:46.394123: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33 (in resume_handler() at server.c:833) Aug 26 18:24:46.394127: | libevent_free: release ptr-libevent@0x7f55dc002888 Aug 26 18:24:46.394148: | processing signal PLUTO_SIGCHLD Aug 26 18:24:46.394157: | waitpid returned pid 23531 (exited with status 0) Aug 26 18:24:46.394159: | reaped addconn helper child (status 0) Aug 26 18:24:46.394162: |
waitpid returned ECHILD (no child processes left) Aug 26 18:24:46.394165: | spent 0.0123 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:24:46.428870: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:24:46.429103: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 18:24:46.429111: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 18:24:46.429225: | FOR_EACH_STATE_... in show_states_status (sort_states) Aug 26 18:24:46.429233: | FOR_EACH_STATE_... in sort_states Aug 26 18:24:46.429253: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:24:46.429259: | spent 0.4 milliseconds in whack Aug 26 18:24:46.895327: | timer_event_cb: processing event@0x55c00a674e58 Aug 26 18:24:46.895340: | handling event EVENT_RETRANSMIT for parent state #1 Aug 26 18:24:46.895346: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33 (in timer_event_cb() at timer.c:250) Aug 26 18:24:46.895349: | IKEv2 retransmit event Aug 26 18:24:46.895352: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33 (in retransmit_v2_msg() at retry.c:144) Aug 26 18:24:46.895355: | handling event EVENT_RETRANSMIT for 192.1.3.33 "north-eastnets/0x2" #1 attempt 2 of 0 Aug 26 18:24:46.895358: | and parent for 192.1.3.33 "north-eastnets/0x2" #1 keying attempt 1 of 0; retransmit 1 Aug 26 18:24:46.895363: | retransmits: current time 29172.637827; retransmit count 0 exceeds limit? NO; deltatime 0.5 exceeds limit? NO; monotime 0.501265 exceeds limit? 
NO Aug 26 18:24:46.895365: | event_schedule: new EVENT_RETRANSMIT-pe@0x7f55dc002b78 Aug 26 18:24:46.895368: | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 Aug 26 18:24:46.895371: | libevent_malloc: new ptr-libevent@0x7f55dc002888 size 128 Aug 26 18:24:46.895374: "north-eastnets/0x2" #1: STATE_PARENT_I1: retransmission; will wait 0.5 seconds for response Aug 26 18:24:46.895379: | sending 440 bytes for EVENT_RETRANSMIT through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Aug 26 18:24:46.895449: | libevent_free: release ptr-libevent@0x55c00a677048 Aug 26 18:24:46.895452: | free_event_entry: release EVENT_RETRANSMIT-pe@0x55c00a674e58 Aug 26 18:24:46.895458: | #1 spent 0.12 milliseconds in timer_event_cb() EVENT_RETRANSMIT Aug 26 18:24:46.895461: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33 (in timer_event_cb() at timer.c:557) Aug 26 18:24:47.397047: | timer_event_cb: processing event@0x7f55dc002b78 Aug 26 18:24:47.397072: | handling event EVENT_RETRANSMIT for parent state #1 Aug 26 18:24:47.397082: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33 (in timer_event_cb() at timer.c:250) Aug 26 18:24:47.397087: | IKEv2 retransmit event Aug 26 18:24:47.397092: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33 (in retransmit_v2_msg() at retry.c:144) Aug 26 18:24:47.397097: | handling event EVENT_RETRANSMIT for 192.1.3.33 "north-eastnets/0x2" #1 attempt 2 of 0 Aug 26 18:24:47.397101: | and parent for 192.1.3.33 "north-eastnets/0x2" #1 keying attempt 1 of 0; retransmit 2 Aug 26 18:24:47.397109: | retransmits: current time 29173.139572; retransmit count 1 exceeds limit? NO; deltatime 1 exceeds limit? NO; monotime 1.00301 exceeds limit?
NO Aug 26 18:24:47.397113: | event_schedule: new EVENT_RETRANSMIT-pe@0x55c00a674e58 Aug 26 18:24:47.397117: | inserting event EVENT_RETRANSMIT, timeout in 1 seconds for #1 Aug 26 18:24:47.397121: | libevent_malloc: new ptr-libevent@0x55c00a677048 size 128 Aug 26 18:24:47.397126: "north-eastnets/0x2" #1: STATE_PARENT_I1: retransmission; will wait 1 seconds for response Aug 26 18:24:47.397134: | sending 440 bytes for EVENT_RETRANSMIT through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Aug 26 18:24:47.397260: | libevent_free: release ptr-libevent@0x7f55dc002888 Aug 26 18:24:47.397266: | free_event_entry: release EVENT_RETRANSMIT-pe@0x7f55dc002b78 Aug 26 18:24:47.397275: | #1 spent 0.2 milliseconds in timer_event_cb() EVENT_RETRANSMIT Aug 26 18:24:47.397280: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33 (in timer_event_cb() at timer.c:557) Aug 26 18:24:47.842421: | spent 0.00272 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 18:24:47.842444: | *received 440 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Aug 26 18:24:47.842504: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Aug 26 18:24:47.842506: | **parse ISAKMP Message: Aug 26 18:24:47.842508: | initiator cookie: Aug 26 18:24:47.842509: | a1 42 7a 34 8b 87 e9 05 Aug 26 18:24:47.842511: | responder cookie: Aug 26 18:24:47.842512: | 00 00 00 00 00 00 00 00 Aug 26 18:24:47.842514: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 18:24:47.842516: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:47.842518: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 18:24:47.842519: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 18:24:47.842521: | Message ID: 0 (0x0) Aug 26 18:24:47.842523: | length: 440 (0x1b8) Aug 26 18:24:47.842524: | processing version=2.0 packet with exchange
type=ISAKMP_v2_IKE_SA_INIT (34) Aug 26 18:24:47.842527: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Aug 26 18:24:47.842533: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Aug 26 18:24:47.842535: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 18:24:47.842537: | ***parse IKEv2 Security Association Payload: Aug 26 18:24:47.842539: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 18:24:47.842540: | flags: none (0x0) Aug 26 18:24:47.842542: | length: 48 (0x30) Aug 26 18:24:47.842544: | processing payload: ISAKMP_NEXT_v2SA (len=44) Aug 26 18:24:47.842545: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 18:24:47.842547: | ***parse IKEv2 Key Exchange Payload: Aug 26 18:24:47.842549: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 18:24:47.842550: | flags: none (0x0) Aug 26 18:24:47.842552: | length: 264 (0x108) Aug 26 18:24:47.842553: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:24:47.842556: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 18:24:47.842558: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 18:24:47.842559: | ***parse IKEv2 Nonce Payload: Aug 26 18:24:47.842561: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:24:47.842563: | flags: none (0x0) Aug 26 18:24:47.842564: | length: 36 (0x24) Aug 26 18:24:47.842566: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 18:24:47.842567: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:24:47.842569: | ***parse IKEv2 Notify Payload: Aug 26 18:24:47.842571: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:24:47.842572: | flags: none (0x0) Aug 26 18:24:47.842574: | length: 8 (0x8) Aug 26 18:24:47.842575: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:24:47.842577: | SPI size: 0 (0x0) Aug 26 18:24:47.842579: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 18:24:47.842580: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 18:24:47.842582: | Now let's proceed with 
payload (ISAKMP_NEXT_v2N) Aug 26 18:24:47.842584: | ***parse IKEv2 Notify Payload: Aug 26 18:24:47.842585: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:24:47.842587: | flags: none (0x0) Aug 26 18:24:47.842588: | length: 28 (0x1c) Aug 26 18:24:47.842590: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:24:47.842591: | SPI size: 0 (0x0) Aug 26 18:24:47.842593: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 18:24:47.842594: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 18:24:47.842596: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:24:47.842597: | ***parse IKEv2 Notify Payload: Aug 26 18:24:47.842599: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.842601: | flags: none (0x0) Aug 26 18:24:47.842602: | length: 28 (0x1c) Aug 26 18:24:47.842604: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:24:47.842605: | SPI size: 0 (0x0) Aug 26 18:24:47.842607: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 18:24:47.842608: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 18:24:47.842610: | DDOS disabled and no cookie sent, continuing Aug 26 18:24:47.842614: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 18:24:47.842617: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Aug 26 18:24:47.842619: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 18:24:47.842622: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-eastnets/0x2) Aug 26 18:24:47.842624: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-eastnets/0x1) Aug 26 18:24:47.842626: | find_next_host_connection returns empty Aug 26 18:24:47.842628: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 18:24:47.842630: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 
18:24:47.842631: | find_next_host_connection returns empty Aug 26 18:24:47.842634: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Aug 26 18:24:47.842637: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 18:24:47.842639: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Aug 26 18:24:47.842641: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 18:24:47.842643: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-eastnets/0x2) Aug 26 18:24:47.842645: | find_next_host_connection returns north-eastnets/0x2 Aug 26 18:24:47.842646: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 18:24:47.842648: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-eastnets/0x1) Aug 26 18:24:47.842651: | find_next_host_connection returns north-eastnets/0x1 Aug 26 18:24:47.842652: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 18:24:47.842654: | find_next_host_connection returns empty Aug 26 18:24:47.842656: | found connection: north-eastnets/0x2 with policy RSASIG+IKEV2_ALLOW Aug 26 18:24:47.842669: | creating state object #2 at 0x55c00a679cb8 Aug 26 18:24:47.842671: | State DB: adding IKEv2 state #2 in UNDEFINED Aug 26 18:24:47.842677: | pstats #2 ikev2.ike started Aug 26 18:24:47.842679: | Message ID: init #2: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Aug 26 18:24:47.842682: | parent state #2: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Aug 26 18:24:47.842685: | Message ID: init_ike #2; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Aug 26 18:24:47.842690: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33 (in ikev2_process_packet() at ikev2.c:2016) 
Aug 26 18:24:47.842692: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 18:24:47.842695: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33 (in ike_process_packet() at ikev2.c:2064) Aug 26 18:24:47.842697: | #2 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Aug 26 18:24:47.842700: | Message ID: #2 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Aug 26 18:24:47.842703: | Message ID: start-responder #2 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Aug 26 18:24:47.842704: | #2 in state PARENT_R0: processing SA_INIT request Aug 26 18:24:47.842706: | selected state microcode Respond to IKE_SA_INIT Aug 26 18:24:47.842708: | Now let's proceed with state specific processing Aug 26 18:24:47.842710: | calling processor Respond to IKE_SA_INIT Aug 26 18:24:47.842714: | #2 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 18:24:47.842718: | using existing local IKE proposals for connection north-eastnets/0x2 (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Aug 26 18:24:47.842720: | Comparing remote proposals against IKE responder 1 local proposals Aug 26 18:24:47.842724: | local proposal 1 type ENCR has 1 transforms Aug 26 18:24:47.842725: | local proposal 1 type PRF has 1 transforms Aug 26 18:24:47.842727: | local proposal 1 type INTEG has 1 transforms Aug 26 18:24:47.842729: | local proposal 1 type DH has 1 transforms Aug 26 18:24:47.842730: | local proposal 1 type ESN has 0 transforms Aug 26 18:24:47.842732: | local proposal 1 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 18:24:47.842734: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:24:47.842736: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 
18:24:47.842738: | length: 44 (0x2c) Aug 26 18:24:47.842739: | prop #: 1 (0x1) Aug 26 18:24:47.842741: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:24:47.842742: | spi size: 0 (0x0) Aug 26 18:24:47.842744: | # transforms: 4 (0x4) Aug 26 18:24:47.842746: | Comparing remote proposal 1 containing 4 transforms against local proposal [1..1] of 1 local proposals Aug 26 18:24:47.842748: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.842750: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.842752: | length: 12 (0xc) Aug 26 18:24:47.842753: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:47.842755: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:24:47.842756: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:24:47.842758: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:47.842760: | length/value: 256 (0x100) Aug 26 18:24:47.842762: | remote proposal 1 transform 0 (ENCR=AES_CBC_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 18:24:47.842764: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.842767: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.842769: | length: 8 (0x8) Aug 26 18:24:47.842770: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:24:47.842772: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:24:47.842774: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_256) matches local proposal 1 type 2 (PRF) transform 0 Aug 26 18:24:47.842776: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.842777: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.842779: | length: 8 (0x8) Aug 26 18:24:47.842780: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:24:47.842782: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:24:47.842784: | remote proposal 1 transform 2 (INTEG=HMAC_SHA2_256_128) matches local proposal 1 type 3 (INTEG) transform 0 Aug 26 18:24:47.842786: | *****parse IKEv2 Transform Substructure Payload: Aug 26 
18:24:47.842787: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:47.842789: | length: 8 (0x8) Aug 26 18:24:47.842790: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.842792: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:24:47.842794: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 18:24:47.842796: | remote proposal 1 proposed transforms: ENCR+PRF+INTEG+DH; matched: ENCR+PRF+INTEG+DH; unmatched: none Aug 26 18:24:47.842799: | comparing remote proposal 1 containing ENCR+PRF+INTEG+DH transforms to local proposal 1; required: ENCR+PRF+INTEG+DH; optional: none; matched: ENCR+PRF+INTEG+DH Aug 26 18:24:47.842801: | remote proposal 1 matches local proposal 1 Aug 26 18:24:47.842804: "north-eastnets/0x2" #2: proposal 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match] Aug 26 18:24:47.842807: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Aug 26 18:24:47.842808: | converting proposal to internal trans attrs Aug 26 18:24:47.842811: | natd_hash: rcookie is zero Aug 26 18:24:47.842816: | natd_hash: hasher=0x55c009189800(20) Aug 26 18:24:47.842818: | natd_hash: icookie= a1 42 7a 34 8b 87 e9 05 Aug 26 18:24:47.842820: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 18:24:47.842821: | natd_hash: ip= c0 01 02 17 Aug 26 18:24:47.842823: | natd_hash: port=500 Aug 26 18:24:47.842824: | natd_hash: hash= f6 8c cb 70 26 5f 3b 68 76 36 1a dc d9 b4 83 09 Aug 26 18:24:47.842826: | natd_hash: hash= 86 6d d5 62 Aug 26 18:24:47.842827: | natd_hash: rcookie is zero Aug 26 18:24:47.842831: | natd_hash: hasher=0x55c009189800(20) Aug 26 18:24:47.842832: | natd_hash: icookie= a1 42 7a 34 8b 87 e9 05 Aug 26 18:24:47.842834: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 18:24:47.842835: | 
natd_hash: ip= c0 01 03 21 Aug 26 18:24:47.842837: | natd_hash: port=500 Aug 26 18:24:47.842838: | natd_hash: hash= 36 80 d9 fd a6 a1 3e 64 1c 62 bc e7 73 1b 90 d1 Aug 26 18:24:47.842840: | natd_hash: hash= ce cb 11 10 Aug 26 18:24:47.842841: | NAT_TRAVERSAL encaps using auto-detect Aug 26 18:24:47.842843: | NAT_TRAVERSAL this end is NOT behind NAT Aug 26 18:24:47.842844: | NAT_TRAVERSAL that end is NOT behind NAT Aug 26 18:24:47.842846: | NAT_TRAVERSAL nat-keepalive enabled 192.1.3.33 Aug 26 18:24:47.842850: | adding ikev2_inI1outR1 KE work-order 2 for state #2 Aug 26 18:24:47.842852: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7f55dc002b78 Aug 26 18:24:47.842854: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 Aug 26 18:24:47.842856: | libevent_malloc: new ptr-libevent@0x7f55dc002888 size 128 Aug 26 18:24:47.842864: | #2 spent 0.151 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Aug 26 18:24:47.842883: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:24:47.842886: | #2 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Aug 26 18:24:47.842888: | suspending state #2 and saving MD Aug 26 18:24:47.842890: | #2 is busy; has a suspended MD Aug 26 18:24:47.842891: | crypto helper 1 resuming Aug 26 18:24:47.842904: | crypto helper 1 starting work-order 2 for state #2 Aug 26 18:24:47.842908: | crypto helper 1 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 2 Aug 26 18:24:47.842892: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 18:24:47.842916: | "north-eastnets/0x2" #2 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 18:24:47.842919: | stop processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in 
ikev2_process_packet() at ikev2.c:2018) Aug 26 18:24:47.842922: | #2 spent 0.481 milliseconds in ikev2_process_packet() Aug 26 18:24:47.842925: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Aug 26 18:24:47.842927: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 18:24:47.842929: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 18:24:47.842931: | spent 0.49 milliseconds in comm_handle_cb() reading and processing packet Aug 26 18:24:47.843579: | crypto helper 1 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 2 time elapsed 0.00067 seconds Aug 26 18:24:47.843591: | (#2) spent 0.65 milliseconds in crypto helper computing work-order 2: ikev2_inI1outR1 KE (pcr) Aug 26 18:24:47.843594: | crypto helper 1 sending results from work-order 2 for state #2 to event queue Aug 26 18:24:47.843597: | scheduling resume sending helper answer for #2 Aug 26 18:24:47.843600: | libevent_malloc: new ptr-libevent@0x7f55d4002888 size 128 Aug 26 18:24:47.843607: | crypto helper 1 waiting (nothing to do) Aug 26 18:24:47.843638: | processing resume sending helper answer for #2 Aug 26 18:24:47.843663: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Aug 26 18:24:47.843668: | crypto helper 1 replies to request ID 2 Aug 26 18:24:47.843671: | calling continuation function 0x55c0090b4b50 Aug 26 18:24:47.843674: | ikev2_parent_inI1outR1_continue for #2: calculated ke+nonce, sending R1 Aug 26 18:24:47.843680: | **emit ISAKMP Message: Aug 26 18:24:47.843683: | initiator cookie: Aug 26 18:24:47.843686: | a1 42 7a 34 8b 87 e9 05 Aug 26 18:24:47.843688: | responder cookie: Aug 26 18:24:47.843690: | cf fc 77 cb d8 5b ca 72 Aug 26 18:24:47.843693: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:24:47.843696: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:47.843699: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 
18:24:47.843702: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 18:24:47.843704: | Message ID: 0 (0x0) Aug 26 18:24:47.843707: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:24:47.843710: | Emitting ikev2_proposal ... Aug 26 18:24:47.843713: | ***emit IKEv2 Security Association Payload: Aug 26 18:24:47.843716: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.843718: | flags: none (0x0) Aug 26 18:24:47.843722: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 18:24:47.843725: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.843728: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 18:24:47.843731: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:24:47.843733: | prop #: 1 (0x1) Aug 26 18:24:47.843736: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:24:47.843738: | spi size: 0 (0x0) Aug 26 18:24:47.843741: | # transforms: 4 (0x4) Aug 26 18:24:47.843744: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 18:24:47.843749: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:24:47.843752: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.843755: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:47.843757: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:24:47.843760: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:47.843763: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 18:24:47.843781: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:47.843783: | length/value: 256 (0x100) Aug 26 18:24:47.843786: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 18:24:47.843789: | *****emit IKEv2 Transform 
Substructure Payload: Aug 26 18:24:47.843792: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.843795: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:24:47.843798: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:24:47.843801: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.843804: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:47.843820: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:24:47.843822: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:24:47.843825: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.843827: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:24:47.843830: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:24:47.843833: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.843836: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:47.843839: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:24:47.843842: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:24:47.843844: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:47.843847: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.843849: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:24:47.843852: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.843854: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:47.843857: 
| emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:24:47.843859: | emitting length of IKEv2 Proposal Substructure Payload: 44 Aug 26 18:24:47.843861: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 18:24:47.843864: | emitting length of IKEv2 Security Association Payload: 48 Aug 26 18:24:47.843866: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 18:24:47.843869: | ***emit IKEv2 Key Exchange Payload: Aug 26 18:24:47.843871: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.843873: | flags: none (0x0) Aug 26 18:24:47.843875: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:24:47.843878: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 18:24:47.843880: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.843883: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
Aug 26 18:24:47.843924: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 18:24:47.843926: | ***emit IKEv2 Nonce Payload: Aug 26 18:24:47.843929: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:24:47.843931: | flags: none (0x0) Aug 26 18:24:47.843934: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Aug 26 18:24:47.843938: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 18:24:47.843941: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.843944: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 18:24:47.843947: | IKEv2 nonce d3 fb 80 83 fe 53 f2 02 8c bd fd 50 72 ae e5 08 Aug 26 18:24:47.843949: | IKEv2 nonce 41 8f cc 99 5e 98 0d 9d aa c5 6d 32 93 85 8c 4c Aug 26 18:24:47.843952: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 18:24:47.843956: | Adding a v2N Payload Aug 26 18:24:47.843959: | ***emit IKEv2 Notify Payload: Aug 26 18:24:47.843961: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.843964: | flags: none (0x0) Aug 26 18:24:47.843966: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:24:47.843969: | SPI size: 0 (0x0) Aug 26 18:24:47.843971: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 18:24:47.843973: | next payload chain: setting previous 'IKEv2
Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:24:47.843975: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.843977: | emitting length of IKEv2 Notify Payload: 8 Aug 26 18:24:47.843979: | NAT-Traversal support [enabled] add v2N payloads. Aug 26 18:24:47.843986: | natd_hash: hasher=0x55c009189800(20) Aug 26 18:24:47.843988: | natd_hash: icookie= a1 42 7a 34 8b 87 e9 05 Aug 26 18:24:47.843990: | natd_hash: rcookie= cf fc 77 cb d8 5b ca 72 Aug 26 18:24:47.843991: | natd_hash: ip= c0 01 02 17 Aug 26 18:24:47.843993: | natd_hash: port=500 Aug 26 18:24:47.843994: | natd_hash: hash= ed 62 67 95 a9 b1 b9 36 f4 b7 72 33 c0 30 59 a4 Aug 26 18:24:47.843996: | natd_hash: hash= 0b aa f0 df Aug 26 18:24:47.843997: | Adding a v2N Payload Aug 26 18:24:47.843999: | ***emit IKEv2 Notify Payload: Aug 26 18:24:47.844000: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.844002: | flags: none (0x0) Aug 26 18:24:47.844003: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:24:47.844005: | SPI size: 0 (0x0) Aug 26 18:24:47.844007: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 18:24:47.844010: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:24:47.844012: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.844014: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 18:24:47.844016: | Notify data ed 62 67 95 a9 b1 b9 36 f4 b7 72 33 c0 30 59 a4 Aug 26 18:24:47.844017: | Notify data 0b aa f0 df Aug 26 18:24:47.844019: | emitting length of IKEv2 Notify Payload: 28 Aug 26 18:24:47.844023: | natd_hash: hasher=0x55c009189800(20) Aug 26 18:24:47.844025: | natd_hash: icookie= a1 42 7a 34 8b 87 e9 05 Aug 26 18:24:47.844026: | natd_hash: rcookie= cf fc 77 cb d8 5b ca 72 Aug 26 
18:24:47.844027: | natd_hash: ip= c0 01 03 21 Aug 26 18:24:47.844029: | natd_hash: port=500 Aug 26 18:24:47.844031: | natd_hash: hash= c3 04 6c 3d 64 4c 3c 4a ee a9 eb 91 b9 f4 67 00 Aug 26 18:24:47.844032: | natd_hash: hash= f1 89 ed f2 Aug 26 18:24:47.844033: | Adding a v2N Payload Aug 26 18:24:47.844035: | ***emit IKEv2 Notify Payload: Aug 26 18:24:47.844037: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.844038: | flags: none (0x0) Aug 26 18:24:47.844040: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:24:47.844041: | SPI size: 0 (0x0) Aug 26 18:24:47.844043: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 18:24:47.844045: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:24:47.844046: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.844048: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 18:24:47.844050: | Notify data c3 04 6c 3d 64 4c 3c 4a ee a9 eb 91 b9 f4 67 00 Aug 26 18:24:47.844051: | Notify data f1 89 ed f2 Aug 26 18:24:47.844053: | emitting length of IKEv2 Notify Payload: 28 Aug 26 18:24:47.844054: | emitting length of ISAKMP Message: 440 Aug 26 18:24:47.844059: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:24:47.844062: | #2 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Aug 26 18:24:47.844063: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Aug 26 18:24:47.844065: | parent state #2: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Aug 26 18:24:47.844067: | Message ID: updating counters for #2 to 0 after switching state Aug 26 18:24:47.844070: | Message ID: recv #2 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 
wip.responder=0->-1 Aug 26 18:24:47.844073: | Message ID: sent #2 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Aug 26 18:24:47.844076: "north-eastnets/0x2" #2: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048} Aug 26 18:24:47.844079: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Aug 26 18:24:47.844083: | sending 440 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #2)
Aug 26 18:24:47.844170: | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 18:24:47.844174: | libevent_free: release ptr-libevent@0x7f55dc002888 Aug 26 18:24:47.844176: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7f55dc002b78 Aug 26 18:24:47.844178: | event_schedule: new EVENT_SO_DISCARD-pe@0x7f55dc002b78 Aug 26 18:24:47.844181: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #2 Aug 26 18:24:47.844183: | libevent_malloc: new ptr-libevent@0x55c00a666e68 size 128 Aug 26 18:24:47.844185: | resume sending helper answer for #2 suppresed complete_v2_state_transition() Aug 26 18:24:47.844190: | #2 spent 0.504 milliseconds in resume sending helper answer Aug 26 18:24:47.844193: | stop processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Aug 26 18:24:47.844195: | libevent_free: release ptr-libevent@0x7f55d4002888 Aug 26 18:24:47.849106: | spent 0.00214 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 18:24:47.849123: | *received 464 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Aug 26 18:24:47.849174: | start processing: from 192.1.3.33:500 (in process_md()
at demux.c:378) Aug 26 18:24:47.849177: | **parse ISAKMP Message: Aug 26 18:24:47.849179: | initiator cookie: Aug 26 18:24:47.849180: | a1 42 7a 34 8b 87 e9 05 Aug 26 18:24:47.849182: | responder cookie: Aug 26 18:24:47.849183: | cf fc 77 cb d8 5b ca 72 Aug 26 18:24:47.849185: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 18:24:47.849187: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:47.849189: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 18:24:47.849190: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 18:24:47.849192: | Message ID: 1 (0x1) Aug 26 18:24:47.849194: | length: 464 (0x1d0) Aug 26 18:24:47.849196: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 18:24:47.849198: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 18:24:47.849200: | State DB: found IKEv2 state #2 in PARENT_R1 (find_v2_ike_sa) Aug 26 18:24:47.849205: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 18:24:47.849207: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 18:24:47.849210: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 18:24:47.849212: | #2 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Aug 26 18:24:47.849214: | Message ID: #2 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Aug 26 18:24:47.849216: | unpacking clear payload Aug 26 18:24:47.849218: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 18:24:47.849220: | ***parse IKEv2 Encryption Payload: Aug 26 18:24:47.849222: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Aug 26 18:24:47.849223: | flags: none (0x0) Aug 26 18:24:47.849225: | length: 436 (0x1b4) Aug 26 18:24:47.849227: | processing payload: ISAKMP_NEXT_v2SK (len=432) Aug 26 18:24:47.849230: | Message ID: start-responder 
#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Aug 26 18:24:47.849232: | #2 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 18:24:47.849234: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 18:24:47.849235: | Now let's proceed with state specific processing Aug 26 18:24:47.849237: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 18:24:47.849239: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Aug 26 18:24:47.849245: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_256 integ=HMAC_SHA2_256_128 cipherkey=AES_CBC Aug 26 18:24:47.849248: | adding ikev2_inI2outR2 KE work-order 3 for state #2 Aug 26 18:24:47.849250: | state #2 requesting EVENT_SO_DISCARD to be deleted Aug 26 18:24:47.849252: | libevent_free: release ptr-libevent@0x55c00a666e68 Aug 26 18:24:47.849254: | free_event_entry: release EVENT_SO_DISCARD-pe@0x7f55dc002b78 Aug 26 18:24:47.849256: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7f55dc002b78 Aug 26 18:24:47.849259: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 Aug 26 18:24:47.849262: | libevent_malloc: new ptr-libevent@0x7f55d4002888 size 128 Aug 26 18:24:47.849270: | #2 spent 0.0296 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Aug 26 18:24:47.849274: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:24:47.849276: | crypto helper 0 resuming Aug 26 18:24:47.849277: | #2 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Aug 26 18:24:47.849300: | crypto helper 0 starting work-order 3 for state #2 Aug 26 18:24:47.849307: | suspending state #2 and saving MD Aug 26 18:24:47.849314: | crypto helper 0 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 3 Aug 26 18:24:47.849320: | #2 is 
busy; has a suspended MD Aug 26 18:24:47.849333: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 18:24:47.849336: | "north-eastnets/0x2" #2 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 18:24:47.849339: | stop processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 18:24:47.849342: | #2 spent 0.207 milliseconds in ikev2_process_packet() Aug 26 18:24:47.849345: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Aug 26 18:24:47.849347: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 18:24:47.849349: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 18:24:47.849352: | spent 0.216 milliseconds in comm_handle_cb() reading and processing packet Aug 26 18:24:47.850284: | calculating skeyseed using prf=sha2_256 integ=sha2_256 cipherkey-size=32 salt-size=0 Aug 26 18:24:47.850807: | crypto helper 0 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 3 time elapsed 0.001492 seconds Aug 26 18:24:47.850819: | (#2) spent 1.49 milliseconds in crypto helper computing work-order 3: ikev2_inI2outR2 KE (pcr) Aug 26 18:24:47.850822: | crypto helper 0 sending results from work-order 3 for state #2 to event queue Aug 26 18:24:47.850825: | scheduling resume sending helper answer for #2 Aug 26 18:24:47.850829: | libevent_malloc: new ptr-libevent@0x7f55d800d5d8 size 128 Aug 26 18:24:47.850839: | crypto helper 0 waiting (nothing to do) Aug 26 18:24:47.850848: | processing resume sending helper answer for #2 Aug 26 18:24:47.850860: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Aug 26 18:24:47.850865: | crypto helper 0 replies to request ID 3 Aug 26 18:24:47.850868: | calling continuation function 0x55c0090b4b50 Aug 26 
18:24:47.850871: | ikev2_parent_inI2outR2_continue for #2: calculating g^{xy}, sending R2 Aug 26 18:24:47.850875: | #2 in state PARENT_R1: received v2I1, sent v2R1
Aug 26 18:24:47.850968: | calculated auth: 5d 75 fa 3d 4d 83 c9 72 8b fa f6 32 48 c2 2d b7 Aug 26 18:24:47.850971: | provided auth: 5d 75 fa 3d 4d 83 c9 72 8b fa f6 32 48 c2 2d b7 Aug 26 18:24:47.850973: | authenticator matched Aug 26 18:24:47.850983: | #2 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Aug 26 18:24:47.850987: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Aug 26 18:24:47.850990: | **parse IKEv2 Identification - Initiator - Payload: Aug 26 18:24:47.850993: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Aug 26 18:24:47.850996: | flags: none (0x0) Aug 26 18:24:47.850999: | length: 13 (0xd) Aug 26 18:24:47.851001: | ID type: ID_FQDN (0x2) Aug 26 18:24:47.851004: | processing payload: ISAKMP_NEXT_v2IDi (len=5) Aug 26 18:24:47.851007: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Aug 26 18:24:47.851009: | **parse IKEv2 Identification - Responder - Payload: Aug 26 18:24:47.851012: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Aug 26 18:24:47.851014: | flags: none (0x0) Aug 26 18:24:47.851017: | length: 12 (0xc) Aug 26 18:24:47.851019: | ID type: ID_FQDN (0x2) Aug 26 18:24:47.851022: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Aug 26 18:24:47.851025: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Aug 26 18:24:47.851028: | **parse IKEv2 Authentication Payload: Aug 26 18:24:47.851031: | next
payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 18:24:47.851034: | flags: none (0x0) Aug 26 18:24:47.851036: | length: 282 (0x11a) Aug 26 18:24:47.851039: | auth method: IKEv2_AUTH_RSA (0x1) Aug 26 18:24:47.851042: | processing payload: ISAKMP_NEXT_v2AUTH (len=274) Aug 26 18:24:47.851044: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 18:24:47.851047: | **parse IKEv2 Security Association Payload: Aug 26 18:24:47.851050: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 18:24:47.851052: | flags: none (0x0) Aug 26 18:24:47.851055: | length: 44 (0x2c) Aug 26 18:24:47.851057: | processing payload: ISAKMP_NEXT_v2SA (len=40) Aug 26 18:24:47.851060: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 18:24:47.851063: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 18:24:47.851065: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 18:24:47.851068: | flags: none (0x0) Aug 26 18:24:47.851070: | length: 24 (0x18) Aug 26 18:24:47.851073: | number of TS: 1 (0x1) Aug 26 18:24:47.851075: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Aug 26 18:24:47.851078: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 18:24:47.851083: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 18:24:47.851086: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.851088: | flags: none (0x0) Aug 26 18:24:47.851091: | length: 24 (0x18) Aug 26 18:24:47.851093: | number of TS: 1 (0x1) Aug 26 18:24:47.851096: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Aug 26 18:24:47.851099: | selected state microcode Responder: process IKE_AUTH request Aug 26 18:24:47.851101: | Now let's proceed with state specific processing Aug 26 18:24:47.851104: | calling processor Responder: process IKE_AUTH request Aug 26 18:24:47.851110: "north-eastnets/0x2" #2: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Aug 26 18:24:47.851118: | #2 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in 
update_ike_endpoints() at state.c:2669) Aug 26 18:24:47.851122: | received IDr payload - extracting our alleged ID Aug 26 18:24:47.851126: | refine_host_connection for IKEv2: starting with "north-eastnets/0x2" Aug 26 18:24:47.851130: | match_id a=@north Aug 26 18:24:47.851133: | b=@north Aug 26 18:24:47.851135: | results matched Aug 26 18:24:47.851140: | refine_host_connection: checking "north-eastnets/0x2" against "north-eastnets/0x2", best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Aug 26 18:24:47.851142: | Warning: not switching back to template of current instance Aug 26 18:24:47.851145: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Aug 26 18:24:47.851148: | This connection's local id is @east (ID_FQDN) Aug 26 18:24:47.851151: | refine_host_connection: checked north-eastnets/0x2 against north-eastnets/0x2, now for see if best Aug 26 18:24:47.851155: | started looking for secret for @east->@north of kind PKK_RSA Aug 26 18:24:47.851158: | actually looking for secret for @east->@north of kind PKK_RSA Aug 26 18:24:47.851161: | line 1: key type PKK_RSA(@east) to type PKK_RSA Aug 26 18:24:47.851165: | 1: compared key (none) to @east / @north -> 002 Aug 26 18:24:47.851168: | 2: compared key (none) to @east / @north -> 002 Aug 26 18:24:47.851171: | line 1: match=002 Aug 26 18:24:47.851174: | match 002 beats previous best_match 000 match=0x55c00a5ccb58 (line=1) Aug 26 18:24:47.851177: | concluding with best_match=002 best=0x55c00a5ccb58 (lineno=1) Aug 26 18:24:47.851180: | returning because exact peer id match Aug 26 18:24:47.851182: | offered CA: '%none' Aug 26 18:24:47.851185: "north-eastnets/0x2" #2: IKEv2 mode peer ID is ID_FQDN: '@north' Aug 26 18:24:47.851203: | verifying AUTH payload Aug 26 18:24:47.851216: | required RSA CA is '%any' Aug 26 18:24:47.851219: | checking RSA keyid '@east' for match with '@north' Aug 26 18:24:47.851222: | checking RSA keyid '@north' for match with '@north' Aug 26 18:24:47.851225: | key issuer CA is '%any' 
Aug 26 18:24:47.851294: | an RSA Sig check passed with *AQPl33O2P [preloaded key] Aug 26 18:24:47.851305: | #2 spent 0.0704 milliseconds in try_all_RSA_keys() trying a pubkey Aug 26 18:24:47.851309: "north-eastnets/0x2" #2: Authenticated using RSA Aug 26 18:24:47.851313: | #2 spent 0.102 milliseconds in ikev2_verify_rsa_hash() Aug 26 18:24:47.851317: | parent state #2: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Aug 26 18:24:47.851323: | #2 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Aug 26 18:24:47.851326: | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 18:24:47.851331: | libevent_free: release ptr-libevent@0x7f55d4002888 Aug 26 18:24:47.851334: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7f55dc002b78 Aug 26 18:24:47.851337: | event_schedule: new EVENT_SA_REKEY-pe@0x7f55dc002b78 Aug 26 18:24:47.851341: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #2 Aug 26 18:24:47.851344: | libevent_malloc: new ptr-libevent@0x55c00a678358 size 128 Aug 26 18:24:47.851413: | pstats #2 ikev2.ike established Aug 26 18:24:47.851421: | **emit ISAKMP Message: Aug 26 18:24:47.851424: | initiator cookie: Aug 26 18:24:47.851426: | a1 42 7a 34 8b 87 e9 05 Aug 26 18:24:47.851431: | responder cookie: Aug 26 18:24:47.851434: | cf fc 77 cb d8 5b ca 72 Aug 26 18:24:47.851437: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:24:47.851440: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:47.851442: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 18:24:47.851445: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 18:24:47.851448: | Message ID: 1 (0x1) Aug 26 18:24:47.851451: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:24:47.851454: | IKEv2 CERT: send a certificate? 
Aug 26 18:24:47.851457: | IKEv2 CERT: no certificate to send Aug 26 18:24:47.851460: | ***emit IKEv2 Encryption Payload: Aug 26 18:24:47.851462: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.851465: | flags: none (0x0) Aug 26 18:24:47.851469: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:24:47.851472: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.851476: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:24:47.851483: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 18:24:47.851498: | ****emit IKEv2 Identification - Responder - Payload: Aug 26 18:24:47.851502: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.851504: | flags: none (0x0) Aug 26 18:24:47.851507: | ID type: ID_FQDN (0x2) Aug 26 18:24:47.851511: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Aug 26 18:24:47.851514: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.851517: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Aug 26 18:24:47.851520: | my identity 65 61 73 74 Aug 26 18:24:47.851523: | emitting length of IKEv2 Identification - Responder - Payload: 12 Aug 26 18:24:47.851531: | assembled IDr payload Aug 26 18:24:47.851534: | CHILD SA proposals received Aug 26 18:24:47.851536: | going to assemble AUTH payload Aug 26 18:24:47.851539: | ****emit IKEv2 Authentication Payload: Aug 26 18:24:47.851542: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 18:24:47.851545: | flags: none (0x0) Aug 26 18:24:47.851547: | auth method: IKEv2_AUTH_RSA (0x1) Aug 26 18:24:47.851551: | next payload chain: ignoring supplied 'IKEv2 
Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Aug 26 18:24:47.851554: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Aug 26 18:24:47.851557: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.851562: | started looking for secret for @east->@north of kind PKK_RSA Aug 26 18:24:47.851565: | actually looking for secret for @east->@north of kind PKK_RSA Aug 26 18:24:47.851568: | line 1: key type PKK_RSA(@east) to type PKK_RSA Aug 26 18:24:47.851572: | 1: compared key (none) to @east / @north -> 002 Aug 26 18:24:47.851575: | 2: compared key (none) to @east / @north -> 002 Aug 26 18:24:47.851577: | line 1: match=002 Aug 26 18:24:47.851580: | match 002 beats previous best_match 000 match=0x55c00a5ccb58 (line=1) Aug 26 18:24:47.851583: | concluding with best_match=002 best=0x55c00a5ccb58 (lineno=1) Aug 26 18:24:47.855450: | #2 spent 3.82 milliseconds in ikev2_calculate_rsa_hash() calling sign_hash_RSA() Aug 26 18:24:47.855461: | emitting 274 raw bytes of rsa signature into IKEv2 Authentication Payload
Aug 26 18:24:47.855496: | #2 spent 3.9 milliseconds in ikev2_calculate_rsa_hash() Aug 26 18:24:47.855498: | emitting length of IKEv2 Authentication Payload: 282 Aug 26 18:24:47.855503: | creating state object #3 at 0x55c00a681dc8 Aug 26 18:24:47.855505: | State DB: adding IKEv2 state #3 in UNDEFINED Aug 26 18:24:47.855510: | pstats #3 ikev2.child started Aug 26 18:24:47.855513: | duplicating state object #2 "north-eastnets/0x2" as #3 for IPSEC SA Aug 26 18:24:47.855517: | #3 setting local endpoint to 192.1.2.23:500 from #2.st_localport (in duplicate_state() at state.c:1484) Aug 26 18:24:47.855521: | Message ID: init_child #2.#3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 18:24:47.855525: | Message ID: switch-from #2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Aug 26 18:24:47.855527: | Message ID: switch-to #2.#3 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Aug 26 18:24:47.855530: | Child SA TS Request has ike->sa == md->st; so using parent connection Aug 26 
18:24:47.855532: | TSi: parsing 1 traffic selectors Aug 26 18:24:47.855534: | ***parse IKEv2 Traffic Selector: Aug 26 18:24:47.855536: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:24:47.855538: | IP Protocol ID: 0 (0x0) Aug 26 18:24:47.855540: | length: 16 (0x10) Aug 26 18:24:47.855541: | start port: 0 (0x0) Aug 26 18:24:47.855543: | end port: 65535 (0xffff) Aug 26 18:24:47.855545: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 18:24:47.855547: | TS low c0 00 03 00 Aug 26 18:24:47.855548: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 18:24:47.855550: | TS high c0 00 03 ff Aug 26 18:24:47.855552: | TSi: parsed 1 traffic selectors Aug 26 18:24:47.855553: | TSr: parsing 1 traffic selectors Aug 26 18:24:47.855555: | ***parse IKEv2 Traffic Selector: Aug 26 18:24:47.855556: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:24:47.855558: | IP Protocol ID: 0 (0x0) Aug 26 18:24:47.855560: | length: 16 (0x10) Aug 26 18:24:47.855561: | start port: 0 (0x0) Aug 26 18:24:47.855563: | end port: 65535 (0xffff) Aug 26 18:24:47.855564: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 18:24:47.855566: | TS low c0 00 02 00 Aug 26 18:24:47.855567: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 18:24:47.855569: | TS high c0 00 02 ff Aug 26 18:24:47.855570: | TSr: parsed 1 traffic selectors Aug 26 18:24:47.855572: | looking for best SPD in current connection Aug 26 18:24:47.855579: | evaluating our conn="north-eastnets/0x2" I=192.0.3.0/24:0/0 R=192.0.22.0/24:0/0 to their: Aug 26 18:24:47.855584: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:24:47.855589: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 18:24:47.855592: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 18:24:47.855594: | TSi[0] port match: YES fitness 65536 Aug 26 18:24:47.855597: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 
18:24:47.855600: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 18:24:47.855603: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:24:47.855608: | match address end->client=192.0.22.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: NO Aug 26 18:24:47.855610: | looking for better host pair Aug 26 18:24:47.855615: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Aug 26 18:24:47.855620: | checking hostpair 192.0.22.0/24 -> 192.0.3.0/24 is found Aug 26 18:24:47.855622: | investigating connection "north-eastnets/0x2" as a better match Aug 26 18:24:47.855626: | match_id a=@north Aug 26 18:24:47.855628: | b=@north Aug 26 18:24:47.855630: | results matched Aug 26 18:24:47.855634: | evaluating our conn="north-eastnets/0x2" I=192.0.3.0/24:0/0 R=192.0.22.0/24:0/0 to their: Aug 26 18:24:47.855638: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:24:47.855643: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 18:24:47.855646: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 18:24:47.855648: | TSi[0] port match: YES fitness 65536 Aug 26 18:24:47.855650: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 18:24:47.855653: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 18:24:47.855656: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:24:47.855662: | match address end->client=192.0.22.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: NO Aug 26 18:24:47.855665: | investigating connection "north-eastnets/0x1" as a better match Aug 26 18:24:47.855668: | match_id a=@north Aug 26 18:24:47.855670: | b=@north Aug 26 18:24:47.855672: | results matched Aug 26 18:24:47.855677: | evaluating our conn="north-eastnets/0x1" I=192.0.3.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 18:24:47.855681: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 
18:24:47.855686: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 18:24:47.855688: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 18:24:47.855691: | TSi[0] port match: YES fitness 65536 Aug 26 18:24:47.855693: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 18:24:47.855696: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 18:24:47.855700: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:24:47.855705: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 18:24:47.855708: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 18:24:47.855710: | TSr[0] port match: YES fitness 65536 Aug 26 18:24:47.855713: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 18:24:47.855716: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 18:24:47.855718: | best fit so far: TSi[0] TSr[0] Aug 26 18:24:47.855721: | protocol fitness found better match d north-eastnets/0x1, TSi[0],TSr[0] Aug 26 18:24:47.855726: | in connection_discard for connection north-eastnets/0x2 Aug 26 18:24:47.855729: | printing contents struct traffic_selector Aug 26 18:24:47.855731: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 18:24:47.855733: | ipprotoid: 0 Aug 26 18:24:47.855738: | port range: 0-65535 Aug 26 18:24:47.855741: | ip range: 192.0.2.0-192.0.2.255 Aug 26 18:24:47.855743: | printing contents struct traffic_selector Aug 26 18:24:47.855746: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 18:24:47.855748: | ipprotoid: 0 Aug 26 18:24:47.855750: | port range: 0-65535 Aug 26 18:24:47.855754: | ip range: 192.0.3.0-192.0.3.255 Aug 26 18:24:47.855758: | constructing ESP/AH proposals with all DH removed for north-eastnets/0x1 (IKE_AUTH responder matching remote ESP/AH proposals) Aug 26 18:24:47.855763: | converting proposal AES_CBC_128-HMAC_SHA2_512_256-MODP3072 to ikev2 ... Aug 26 18:24:47.855768: | ... 
ikev2_proposal: 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED Aug 26 18:24:47.855773: "north-eastnets/0x1": constructed local ESP/AH proposals for north-eastnets/0x1 (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED Aug 26 18:24:47.855777: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 1 local proposals Aug 26 18:24:47.855780: | local proposal 1 type ENCR has 1 transforms Aug 26 18:24:47.855782: | local proposal 1 type PRF has 0 transforms Aug 26 18:24:47.855785: | local proposal 1 type INTEG has 1 transforms Aug 26 18:24:47.855787: | local proposal 1 type DH has 1 transforms Aug 26 18:24:47.855790: | local proposal 1 type ESN has 1 transforms Aug 26 18:24:47.855793: | local proposal 1 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 18:24:47.855797: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 18:24:47.855800: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:24:47.855802: | length: 40 (0x28) Aug 26 18:24:47.855805: | prop #: 1 (0x1) Aug 26 18:24:47.855807: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:24:47.855809: | spi size: 4 (0x4) Aug 26 18:24:47.855812: | # transforms: 3 (0x3) Aug 26 18:24:47.855815: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 18:24:47.855818: | remote SPI 1d c3 f9 f9 Aug 26 18:24:47.855821: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 1 local proposals Aug 26 18:24:47.855824: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.855826: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.855829: | length: 12 (0xc) Aug 26 18:24:47.855831: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:47.855833: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:24:47.855835: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 18:24:47.855836: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 
26 18:24:47.855838: | length/value: 128 (0x80) Aug 26 18:24:47.855841: | remote proposal 1 transform 0 (ENCR=AES_CBC_128) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 18:24:47.855843: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.855844: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.855846: | length: 8 (0x8) Aug 26 18:24:47.855848: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:24:47.855849: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 18:24:47.855852: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_512_256) matches local proposal 1 type 3 (INTEG) transform 0 Aug 26 18:24:47.855853: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.855855: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:47.855856: | length: 8 (0x8) Aug 26 18:24:47.855858: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:24:47.855860: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:24:47.855862: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 18:24:47.855864: | remote proposal 1 proposed transforms: ENCR+INTEG+ESN; matched: ENCR+INTEG+ESN; unmatched: none Aug 26 18:24:47.855867: | comparing remote proposal 1 containing ENCR+INTEG+ESN transforms to local proposal 1; required: ENCR+INTEG+ESN; optional: DH; matched: ENCR+INTEG+ESN Aug 26 18:24:47.855871: | remote proposal 1 matches local proposal 1 Aug 26 18:24:47.855875: "north-eastnets/0x2" #2: proposal 1:ESP:SPI=1dc3f9f9;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;ESN=DISABLED[first-match] Aug 26 18:24:47.855878: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=1dc3f9f9;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;ESN=DISABLED Aug 26 18:24:47.855880: | converting proposal to internal trans attrs Aug 26 18:24:47.855898: | netlink_get_spi: allocated 0x8dc7cf24 for esp.0@192.1.2.23 
Aug 26 18:24:47.855900: | Emitting ikev2_proposal ... Aug 26 18:24:47.855902: | ****emit IKEv2 Security Association Payload: Aug 26 18:24:47.855904: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.855906: | flags: none (0x0) Aug 26 18:24:47.855909: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 18:24:47.855911: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.855913: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 18:24:47.855915: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:24:47.855916: | prop #: 1 (0x1) Aug 26 18:24:47.855918: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:24:47.855919: | spi size: 4 (0x4) Aug 26 18:24:47.855921: | # transforms: 3 (0x3) Aug 26 18:24:47.855923: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 18:24:47.855925: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 18:24:47.855927: | our spi 8d c7 cf 24 Aug 26 18:24:47.855929: | ******emit IKEv2 Transform Substructure Payload: Aug 26 18:24:47.855930: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.855932: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:47.855934: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:24:47.855936: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:47.855937: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 18:24:47.855939: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:47.855941: | length/value: 128 (0x80) Aug 26 18:24:47.855943: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 18:24:47.855945: | ******emit IKEv2 Transform Substructure Payload: Aug 26 18:24:47.855946: | 
last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.855948: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:24:47.855949: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 18:24:47.855952: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.855953: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:47.855955: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:24:47.855957: | ******emit IKEv2 Transform Substructure Payload: Aug 26 18:24:47.855959: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:47.855960: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:24:47.855962: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:24:47.855964: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.855966: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:47.855967: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:24:47.855969: | emitting length of IKEv2 Proposal Substructure Payload: 40 Aug 26 18:24:47.855972: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 18:24:47.855974: | emitting length of IKEv2 Security Association Payload: 44 Aug 26 18:24:47.855976: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 18:24:47.855978: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 18:24:47.855980: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.855982: | flags: none (0x0) Aug 26 18:24:47.855983: | 
number of TS: 1 (0x1) Aug 26 18:24:47.855985: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 18:24:47.855987: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.855989: | *****emit IKEv2 Traffic Selector: Aug 26 18:24:47.855991: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:24:47.855993: | IP Protocol ID: 0 (0x0) Aug 26 18:24:47.855995: | start port: 0 (0x0) Aug 26 18:24:47.855997: | end port: 65535 (0xffff) Aug 26 18:24:47.856000: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 18:24:47.856003: | ipv4 start c0 00 03 00 Aug 26 18:24:47.856005: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 18:24:47.856008: | ipv4 end c0 00 03 ff Aug 26 18:24:47.856010: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 18:24:47.856012: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 18:24:47.856015: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 18:24:47.856017: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.856020: | flags: none (0x0) Aug 26 18:24:47.856022: | number of TS: 1 (0x1) Aug 26 18:24:47.856025: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 18:24:47.856028: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.856031: | *****emit IKEv2 Traffic Selector: Aug 26 18:24:47.856033: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:24:47.856036: | IP Protocol ID: 0 (0x0) Aug 26 18:24:47.856038: | start port: 0 (0x0) Aug 26 18:24:47.856040: | end port: 65535 (0xffff) Aug 26 18:24:47.856043: | emitting 4 raw bytes 
of ipv4 start into IKEv2 Traffic Selector Aug 26 18:24:47.856046: | ipv4 start c0 00 02 00 Aug 26 18:24:47.856049: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 18:24:47.856051: | ipv4 end c0 00 02 ff Aug 26 18:24:47.856054: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 18:24:47.856056: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 18:24:47.856059: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 18:24:47.856063: | integ=sha2_512: .key_size=64 encrypt=aes: .key_size=16 .salt_size=0 keymat_len=80 Aug 26 18:24:47.856309: | FOR_EACH_CONNECTION_... in ISAKMP_SA_established Aug 26 18:24:47.856321: | install_ipsec_sa() for #3: inbound and outbound Aug 26 18:24:47.856325: | could_route called for north-eastnets/0x1 (kind=CK_PERMANENT) Aug 26 18:24:47.856328: | FOR_EACH_CONNECTION_... in route_owner Aug 26 18:24:47.856332: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Aug 26 18:24:47.856335: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Aug 26 18:24:47.856338: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Aug 26 18:24:47.856341: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Aug 26 18:24:47.856345: | route owner of "north-eastnets/0x1" unrouted: NULL; eroute owner: NULL Aug 26 18:24:47.856349: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Aug 26 18:24:47.856353: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Aug 26 18:24:47.856359: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Aug 26 18:24:47.856363: | setting IPsec SA replay-window to 32 Aug 26 18:24:47.856367: | NIC esp-hw-offload not for connection 'north-eastnets/0x1' not available on interface eth1 Aug 26 18:24:47.856371: | netlink: enabling tunnel mode Aug 26 18:24:47.856374: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 18:24:47.856377: | netlink: esp-hw-offload not set for 
IPsec SA Aug 26 18:24:47.856460: | netlink response for Add SA esp.1dc3f9f9@192.1.3.33 included non-error error Aug 26 18:24:47.856466: | set up outgoing SA, ref=0/0 Aug 26 18:24:47.856470: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Aug 26 18:24:47.856473: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Aug 26 18:24:47.856476: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Aug 26 18:24:47.856480: | setting IPsec SA replay-window to 32 Aug 26 18:24:47.856483: | NIC esp-hw-offload not for connection 'north-eastnets/0x1' not available on interface eth1 Aug 26 18:24:47.856486: | netlink: enabling tunnel mode Aug 26 18:24:47.856489: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 18:24:47.856492: | netlink: esp-hw-offload not set for IPsec SA Aug 26 18:24:47.856532: | netlink response for Add SA esp.8dc7cf24@192.1.2.23 included non-error error Aug 26 18:24:47.856537: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Aug 26 18:24:47.856543: | add inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Aug 26 18:24:47.856546: | IPsec Sa SPD priority set to 1042407 Aug 26 18:24:47.856569: | raw_eroute result=success Aug 26 18:24:47.856573: | set up incoming SA, ref=0/0 Aug 26 18:24:47.856575: | sr for #3: unrouted Aug 26 18:24:47.856578: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 18:24:47.856581: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 18:24:47.856584: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Aug 26 18:24:47.856587: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Aug 26 18:24:47.856590: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Aug 26 18:24:47.856593: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Aug 26 18:24:47.856597: | route owner of "north-eastnets/0x1" unrouted: NULL; eroute owner: NULL Aug 26 18:24:47.856600: | route_and_eroute with c: north-eastnets/0x1 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #3 Aug 26 18:24:47.856604: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Aug 26 18:24:47.856611: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33 (raw_eroute) Aug 26 18:24:47.856614: | IPsec Sa SPD priority set to 1042407 Aug 26 18:24:47.856628: | raw_eroute result=success Aug 26 18:24:47.856632: | running updown command "ipsec _updown" for verb up Aug 26 18:24:47.856634: | command executing up-client Aug 26 18:24:47.856652: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' 
PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x1 Aug 26 18:24:47.856656: | popen cmd is 1041 chars long Aug 26 18:24:47.856658: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1': Aug 26 18:24:47.856660: | cmd( 80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_: Aug 26 18:24:47.856662: | cmd( 160):MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLU: Aug 26 18:24:47.856665: | cmd( 240):TO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_: Aug 26 18:24:47.856667: | cmd( 320):SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@nor: Aug 26 18:24:47.856670: | cmd( 400):th' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEE: Aug 26 18:24:47.856672: | cmd( 480):R_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_: Aug 26 18:24:47.856674: | cmd( 560):PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCR: Aug 26 18:24:47.856677: | cmd( 640):YPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND: Aug 26 18:24:47.856679: | cmd( 720):='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO=: Aug 26 18:24:47.856681: | cmd( 800):'0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_: Aug 26 18:24:47.856684: | cmd( 880):CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROU: Aug 26 18:24:47.856686: | cmd( 960):TING='no' VTI_SHARED='no' SPI_IN=0x1dc3f9f9 SPI_OUT=0x8dc7cf24 ipsec _updown 2>&: Aug 26 18:24:47.856688: | cmd(1040):1: Aug 26 18:24:47.864075: | route_and_eroute: firewall_notified: true Aug 26 18:24:47.864091: | running updown command "ipsec _updown" for verb prepare Aug 26 18:24:47.864095: | command executing prepare-client Aug 26 18:24:47.864128: | executing prepare-client: PLUTO_VERB='prepare-client' 
PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' Aug 26 18:24:47.864132: | popen cmd is 1046 chars long Aug 26 18:24:47.864136: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets: Aug 26 18:24:47.864138: | cmd( 80):/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' P: Aug 26 18:24:47.864141: | cmd( 160):LUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0: Aug 26 18:24:47.864144: | cmd( 240):' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' P: Aug 26 18:24:47.864147: | cmd( 320):LUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID=: Aug 26 18:24:47.864150: | cmd( 400):'@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUT: Aug 26 18:24:47.864152: | cmd( 480):O_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' P: Aug 26 18:24:47.864155: | cmd( 560):LUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG: Aug 26 18:24:47.864158: | cmd( 
640):+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN: Aug 26 18:24:47.864161: | cmd( 720):_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_C: Aug 26 18:24:47.864167: | cmd( 800):ISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' P: Aug 26 18:24:47.864170: | cmd( 880):LUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VT: Aug 26 18:24:47.864172: | cmd( 960):I_ROUTING='no' VTI_SHARED='no' SPI_IN=0x1dc3f9f9 SPI_OUT=0x8dc7cf24 ipsec _updow: Aug 26 18:24:47.864175: | cmd(1040):n 2>&1: Aug 26 18:24:47.874745: | running updown command "ipsec _updown" for verb route Aug 26 18:24:47.874760: | command executing route-client Aug 26 18:24:47.874802: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_ Aug 26 18:24:47.874807: | popen cmd is 1044 chars long Aug 26 18:24:47.874810: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0: Aug 26 18:24:47.874813: | cmd( 80):x1' 
PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLU: Aug 26 18:24:47.874816: | cmd( 160):TO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' : Aug 26 18:24:47.874819: | cmd( 240):PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLU: Aug 26 18:24:47.874822: | cmd( 320):TO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@: Aug 26 18:24:47.874824: | cmd( 400):north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_: Aug 26 18:24:47.874827: | cmd( 480):PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLU: Aug 26 18:24:47.874830: | cmd( 560):TO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+E: Aug 26 18:24:47.874833: | cmd( 640):NCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_K: Aug 26 18:24:47.874835: | cmd( 720):IND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CIS: Aug 26 18:24:47.874838: | cmd( 800):CO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLU: Aug 26 18:24:47.874841: | cmd( 880):TO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_: Aug 26 18:24:47.874844: | cmd( 960):ROUTING='no' VTI_SHARED='no' SPI_IN=0x1dc3f9f9 SPI_OUT=0x8dc7cf24 ipsec _updown : Aug 26 18:24:47.874846: | cmd(1040):2>&1: Aug 26 18:24:47.885749: | route_and_eroute: instance "north-eastnets/0x1", setting eroute_owner {spd=0x55c00a674408,sr=0x55c00a674408} to #3 (was #0) (newest_ipsec_sa=#0) Aug 26 18:24:47.885810: | #2 spent 1.86 milliseconds in install_ipsec_sa() Aug 26 18:24:47.885817: | ISAKMP_v2_IKE_AUTH: instance north-eastnets/0x1[0], setting IKEv2 newest_ipsec_sa to #3 (was #0) (spd.eroute=#3) cloned from #2 Aug 26 18:24:47.885819: | adding 14 bytes of padding (including 1 byte padding-length) Aug 26 18:24:47.885822: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 
Encryption Payload Aug 26 18:24:47.885825: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.885827: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.885831: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.885833: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.885835: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.885836: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.885838: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.885840: | emitting 1 0x08 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.885841: | emitting 1 0x09 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.885858: | emitting 1 0x0a repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.885860: | emitting 1 0x0b repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.885861: | emitting 1 0x0c repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.885863: | emitting 1 0x0d repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.885865: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:24:47.885867: | emitting length of IKEv2 Encryption Payload: 436 Aug 26 18:24:47.885869: | emitting length of ISAKMP Message: 464
Aug 26 18:24:47.886022: | out calculated auth: Aug 26 18:24:47.886025: | 9a 6b e6 84 30 16 71 6c b8 1a c6 9b 80 d5 10 3a Aug 26 18:24:47.886035: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Aug 26 18:24:47.886041: | #2 spent 7.26 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Aug 26 18:24:47.886052: | suspend processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:24:47.886059: | start processing: state #3 connection "north-eastnets/0x1" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:24:47.886063: | #3 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Aug 26 18:24:47.886067: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Aug 26 18:24:47.886072: | child state #3: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Aug 26 18:24:47.886076: | Message ID: updating counters for #3 to 1 after switching state Aug 26 18:24:47.886083: | Message ID: recv #2.#3 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Aug 26 18:24:47.886089: | Message ID: sent #2.#3 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Aug 26 18:24:47.886093: | pstats #3 ikev2.child established Aug 26 18:24:47.886103: "north-eastnets/0x1" #3: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Aug 26 18:24:47.886108: | NAT-T: encaps is 'auto' Aug 26 18:24:47.886113: "north-eastnets/0x1" #3:
STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x1dc3f9f9 <0x8dc7cf24 xfrm=AES_CBC_128-HMAC_SHA2_512_256 NATOA=none NATD=none DPD=passive} Aug 26 18:24:47.886120: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Aug 26 18:24:47.886128: | sending 464 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #2)
Aug 26 18:24:47.886240: | releasing whack for #3 (sock=fd@-1) Aug 26 18:24:47.886245: | releasing whack and unpending for parent #2 Aug 26 18:24:47.886248: | unpending state #2 connection "north-eastnets/0x1" Aug 26 18:24:47.886253: | #3 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Aug 26 18:24:47.886256: | event_schedule: new EVENT_SA_REKEY-pe@0x7f55d4002b78 Aug 26 18:24:47.886259: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #3 Aug 26 18:24:47.886262: | libevent_malloc: new ptr-libevent@0x55c00a67dbf8 size 128 Aug 26 18:24:47.886275: | resume sending helper answer for #2 suppresed complete_v2_state_transition() Aug 26 18:24:47.886280: | #2 spent 7.73 milliseconds in resume sending helper answer Aug 26 18:24:47.886284: | stop processing: state #3 connection "north-eastnets/0x1" from 192.1.3.33:500 (in resume_handler() at server.c:833) Aug 26 18:24:47.886292: | libevent_free: release ptr-libevent@0x7f55d800d5d8 Aug 26 18:24:47.886324: | processing signal PLUTO_SIGCHLD Aug 26 18:24:47.886329: | waitpid returned ECHILD (no child processes left) Aug 26 18:24:47.886334: | spent 0.00515 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:24:47.886337: | processing signal PLUTO_SIGCHLD Aug 26 18:24:47.886340: | waitpid returned ECHILD (no child processes left) Aug 26 18:24:47.886343: | spent 0.00338 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:24:47.886346: | processing signal PLUTO_SIGCHLD
Aug 26 18:24:47.886349: | waitpid returned ECHILD (no child processes left) Aug 26 18:24:47.886353: | spent 0.00324 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:24:47.922553: | spent 0.00315 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 18:24:47.922586: | *received 608 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Aug 26 18:24:47.922708: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Aug 26 18:24:47.922713: | **parse ISAKMP Message: Aug 26 18:24:47.922717: | initiator cookie: Aug 26 18:24:47.922719: | a1 42 7a 34 8b 87 e9 05 Aug 26 18:24:47.922722: | responder cookie: Aug 26 18:24:47.922725: | cf fc 77 cb d8 5b ca 72 Aug 26 18:24:47.922729: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 18:24:47.922750: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:47.922754: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 18:24:47.922759: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 18:24:47.922762: | Message ID: 2 (0x2) Aug 26 18:24:47.922765: | length: 608 (0x260) Aug 26 18:24:47.922769: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA
(36) Aug 26 18:24:47.922773: | I am the IKE SA Original Responder receiving an IKEv2 CREATE_CHILD_SA request Aug 26 18:24:47.922778: | State DB: found IKEv2 state #2 in PARENT_R2 (find_v2_ike_sa) Aug 26 18:24:47.922786: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 18:24:47.922790: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 18:24:47.922795: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 18:24:47.922799: | #2 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Aug 26 18:24:47.922804: | Message ID: #2 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 Aug 26 18:24:47.922807: | unpacking clear payload Aug 26 18:24:47.922810: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 18:24:47.922814: | ***parse IKEv2 Encryption Payload: Aug 26 18:24:47.922817: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 18:24:47.922820: | flags: none (0x0) Aug 26 18:24:47.922823: | length: 580 (0x244) Aug 26 18:24:47.922826: | processing payload: ISAKMP_NEXT_v2SK (len=576) Aug 26 18:24:47.922832: | Message ID: start-responder #2 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=-1->2 Aug 26 18:24:47.922836: | #2 in state PARENT_R2: received v2I2, PARENT SA established
Aug 26 18:24:47.922963: | calculated auth: 62 4b 2a db 60 7a ed 3c 20 bb 98 6d b6 2e cc 8a Aug 26 18:24:47.922966: | provided auth: 62 4b 2a db 60 7a ed 3c 20 bb 98 6d b6 2e cc 8a Aug 26 18:24:47.922968: | authenticator matched Aug 26 18:24:47.922981: | #2 ikev2 ISAKMP_v2_CREATE_CHILD_SA decrypt success Aug 26 18:24:47.922985: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 18:24:47.922988: | **parse IKEv2 Security Association Payload: Aug 26 18:24:47.922991: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 18:24:47.922993: | flags: none (0x0) Aug 26 18:24:47.922995: | length: 52 (0x34) Aug 26 18:24:47.922997: | processing payload: ISAKMP_NEXT_v2SA (len=48) Aug 26 18:24:47.923000: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 18:24:47.923002: | **parse IKEv2 Nonce Payload: Aug 26 18:24:47.923004: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 18:24:47.923007: | flags: none (0x0) Aug 26 18:24:47.923009: | length: 36 (0x24) Aug 26 18:24:47.923011: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 18:24:47.923013: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 18:24:47.923016: | **parse IKEv2 Key Exchange Payload: Aug 26 18:24:47.923018: |
next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 18:24:47.923024: | flags: none (0x0) Aug 26 18:24:47.923026: | length: 392 (0x188) Aug 26 18:24:47.923028: | DH group: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:24:47.923031: | processing payload: ISAKMP_NEXT_v2KE (len=384) Aug 26 18:24:47.923033: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 18:24:47.923035: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 18:24:47.923037: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 18:24:47.923040: | flags: none (0x0) Aug 26 18:24:47.923042: | length: 24 (0x18) Aug 26 18:24:47.923044: | number of TS: 1 (0x1) Aug 26 18:24:47.923046: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Aug 26 18:24:47.923048: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 18:24:47.923050: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 18:24:47.923053: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.923055: | flags: none (0x0) Aug 26 18:24:47.923057: | length: 24 (0x18) Aug 26 18:24:47.923059: | number of TS: 1 (0x1) Aug 26 18:24:47.923061: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Aug 26 18:24:47.923065: | state #2 forced to match CREATE_CHILD_SA from V2_CREATE_R->V2_IPSEC_R by ignoring from state Aug 26 18:24:47.923068: | selected state microcode Respond to CREATE_CHILD_SA IPsec SA Request Aug 26 18:24:47.923073: | #2 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 18:24:47.923078: | creating state object #4 at 0x55c00a67b568 Aug 26 18:24:47.923080: | State DB: adding IKEv2 state #4 in UNDEFINED Aug 26 18:24:47.923090: | pstats #4 ikev2.child started Aug 26 18:24:47.923093: | duplicating state object #2 "north-eastnets/0x2" as #4 for IPSEC SA Aug 26 18:24:47.923099: | #4 setting local endpoint to 192.1.2.23:500 from #2.st_localport (in duplicate_state() at state.c:1484) Aug 26 18:24:47.923110: | Message ID: init_child #2.#4; ike: 
initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 18:24:47.923114: | child state #4: UNDEFINED(ignore) => V2_CREATE_R(established IKE SA) Aug 26 18:24:47.923120: | "north-eastnets/0x2" #2 received Child SA Request CREATE_CHILD_SA from 192.1.3.33:500 Child "north-eastnets/0x2" #4 in STATE_V2_CREATE_R will process it further Aug 26 18:24:47.923125: | Message ID: switch-from #2 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=2->-1 Aug 26 18:24:47.923130: | Message ID: switch-to #2.#4 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1->2 Aug 26 18:24:47.923133: | forcing ST #2 to CHILD #2.#4 in FSM processor Aug 26 18:24:47.923136: | Now let's proceed with state specific processing Aug 26 18:24:47.923139: | calling processor Respond to CREATE_CHILD_SA IPsec SA Request Aug 26 18:24:47.923145: | create child proposal's DH changed from no-PFS to MODP2048, flushing Aug 26 18:24:47.923149: | constructing ESP/AH proposals with default DH MODP2048 for north-eastnets/0x2 (CREATE_CHILD_SA responder matching remote ESP/AH proposals) Aug 26 18:24:47.923155: | converting proposal AES_CBC_128-HMAC_SHA2_512_256-MODP3072 to ikev2 ... Aug 26 18:24:47.923163: | ... 
ikev2_proposal: 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Aug 26 18:24:47.923168: "north-eastnets/0x2": constructed local ESP/AH proposals for north-eastnets/0x2 (CREATE_CHILD_SA responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Aug 26 18:24:47.923172: | Comparing remote proposals against CREATE_CHILD_SA responder matching remote ESP/AH proposals 1 local proposals Aug 26 18:24:47.923176: | local proposal 1 type ENCR has 1 transforms Aug 26 18:24:47.923179: | local proposal 1 type PRF has 0 transforms Aug 26 18:24:47.923182: | local proposal 1 type INTEG has 1 transforms Aug 26 18:24:47.923185: | local proposal 1 type DH has 1 transforms Aug 26 18:24:47.923190: | local proposal 1 type ESN has 1 transforms Aug 26 18:24:47.923195: | local proposal 1 transforms: required: ENCR+INTEG+DH+ESN; optional: none Aug 26 18:24:47.923199: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 18:24:47.923202: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:24:47.923205: | length: 48 (0x30) Aug 26 18:24:47.923208: | prop #: 1 (0x1) Aug 26 18:24:47.923211: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:24:47.923214: | spi size: 4 (0x4) Aug 26 18:24:47.923217: | # transforms: 4 (0x4) Aug 26 18:24:47.923221: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 18:24:47.923224: | remote SPI 01 64 7d 1b Aug 26 18:24:47.923228: | Comparing remote proposal 1 containing 4 transforms against local proposal [1..1] of 1 local proposals Aug 26 18:24:47.923231: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.923234: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.923237: | length: 12 (0xc) Aug 26 18:24:47.923240: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:47.923243: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:24:47.923246: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 18:24:47.923249: | af+type: 
AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:47.923252: | length/value: 128 (0x80) Aug 26 18:24:47.923257: | remote proposal 1 transform 0 (ENCR=AES_CBC_128) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 18:24:47.923261: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.923264: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.923267: | length: 8 (0x8) Aug 26 18:24:47.923270: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:24:47.923273: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 18:24:47.923277: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_512_256) matches local proposal 1 type 3 (INTEG) transform 0 Aug 26 18:24:47.923280: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.923283: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.923286: | length: 8 (0x8) Aug 26 18:24:47.923307: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.923313: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:24:47.923317: | remote proposal 1 transform 2 (DH=MODP3072) matches local proposal 1 type 4 (DH) transform 0 Aug 26 18:24:47.923321: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.923324: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:47.923327: | length: 8 (0x8) Aug 26 18:24:47.923330: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:24:47.923333: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:24:47.923337: | remote proposal 1 transform 3 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 18:24:47.923342: | remote proposal 1 proposed transforms: ENCR+INTEG+DH+ESN; matched: ENCR+INTEG+DH+ESN; unmatched: none Aug 26 18:24:47.923360: | comparing remote proposal 1 containing ENCR+INTEG+DH+ESN transforms to local proposal 1; required: ENCR+INTEG+DH+ESN; optional: none; matched: ENCR+INTEG+DH+ESN Aug 26 18:24:47.923363: | remote proposal 1 matches local proposal 1 Aug 26 18:24:47.923370: "north-eastnets/0x2" #2: proposal 
1:ESP:SPI=01647d1b;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED[first-match] Aug 26 18:24:47.923377: | CREATE_CHILD_SA responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=01647d1b;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Aug 26 18:24:47.923380: | converting proposal to internal trans attrs Aug 26 18:24:47.923385: | updating #4's .st_oakley with preserved PRF, but why update? Aug 26 18:24:47.923389: | Child SA TS Request has child->sa == md->st; so using child connection Aug 26 18:24:47.923393: | TSi: parsing 1 traffic selectors Aug 26 18:24:47.923396: | ***parse IKEv2 Traffic Selector: Aug 26 18:24:47.923399: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:24:47.923404: | IP Protocol ID: 0 (0x0) Aug 26 18:24:47.923407: | length: 16 (0x10) Aug 26 18:24:47.923410: | start port: 0 (0x0) Aug 26 18:24:47.923413: | end port: 65535 (0xffff) Aug 26 18:24:47.923416: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 18:24:47.923419: | TS low c0 00 03 00 Aug 26 18:24:47.923422: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 18:24:47.923425: | TS high c0 00 03 ff Aug 26 18:24:47.923428: | TSi: parsed 1 traffic selectors Aug 26 18:24:47.923431: | TSr: parsing 1 traffic selectors Aug 26 18:24:47.923434: | ***parse IKEv2 Traffic Selector: Aug 26 18:24:47.923437: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:24:47.923440: | IP Protocol ID: 0 (0x0) Aug 26 18:24:47.923443: | length: 16 (0x10) Aug 26 18:24:47.923445: | start port: 0 (0x0) Aug 26 18:24:47.923448: | end port: 65535 (0xffff) Aug 26 18:24:47.923451: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 18:24:47.923454: | TS low c0 00 16 00 Aug 26 18:24:47.923457: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 18:24:47.923460: | TS high c0 00 16 ff Aug 26 18:24:47.923462: | TSr: 
parsed 1 traffic selectors Aug 26 18:24:47.923465: | looking for best SPD in current connection Aug 26 18:24:47.923473: | evaluating our conn="north-eastnets/0x2" I=192.0.3.0/24:0/0 R=192.0.22.0/24:0/0 to their: Aug 26 18:24:47.923479: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:24:47.923487: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 18:24:47.923491: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 18:24:47.923494: | TSi[0] port match: YES fitness 65536 Aug 26 18:24:47.923498: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 18:24:47.923502: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 18:24:47.923507: | TSr[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:24:47.923514: | match address end->client=192.0.22.0/24 == TSr[0]net=192.0.22.0-192.0.22.255: YES fitness 32 Aug 26 18:24:47.923517: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 18:24:47.923520: | TSr[0] port match: YES fitness 65536 Aug 26 18:24:47.923523: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 18:24:47.923527: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 18:24:47.923530: | best fit so far: TSi[0] TSr[0] Aug 26 18:24:47.923533: | found better spd route for TSi[0],TSr[0] Aug 26 18:24:47.923536: | looking for better host pair Aug 26 18:24:47.923542: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Aug 26 18:24:47.923548: | checking hostpair 192.0.22.0/24 -> 192.0.3.0/24 is found Aug 26 18:24:47.923551: | investigating connection "north-eastnets/0x2" as a better match Aug 26 18:24:47.923555: | match_id a=@north Aug 26 18:24:47.923558: | b=@north Aug 26 18:24:47.923561: | results matched Aug 26 18:24:47.923567: | evaluating our conn="north-eastnets/0x2" I=192.0.3.0/24:0/0 R=192.0.22.0/24:0/0 to their: Aug 26 18:24:47.923573: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 
.{start,end}port=0..65535 Aug 26 18:24:47.923579: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 18:24:47.923583: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 18:24:47.923586: | TSi[0] port match: YES fitness 65536 Aug 26 18:24:47.923589: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 18:24:47.923593: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 18:24:47.923598: | TSr[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:24:47.923605: | match address end->client=192.0.22.0/24 == TSr[0]net=192.0.22.0-192.0.22.255: YES fitness 32 Aug 26 18:24:47.923608: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 18:24:47.923613: | TSr[0] port match: YES fitness 65536 Aug 26 18:24:47.923617: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 18:24:47.923620: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 18:24:47.923623: | best fit so far: TSi[0] TSr[0] Aug 26 18:24:47.923627: | investigating connection "north-eastnets/0x1" as a better match Aug 26 18:24:47.923630: | match_id a=@north Aug 26 18:24:47.923633: | b=@north Aug 26 18:24:47.923636: | results matched Aug 26 18:24:47.923642: | evaluating our conn="north-eastnets/0x1" I=192.0.3.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 18:24:47.923647: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:24:47.923654: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 18:24:47.923657: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 18:24:47.923660: | TSi[0] port match: YES fitness 65536 Aug 26 18:24:47.923663: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 18:24:47.923667: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 18:24:47.923672: | TSr[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:24:47.923679: | match address end->client=192.0.2.0/24 == 
TSr[0]net=192.0.22.0-192.0.22.255: NO Aug 26 18:24:47.923682: | did not find a better connection using host pair Aug 26 18:24:47.923685: | printing contents struct traffic_selector Aug 26 18:24:47.923688: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 18:24:47.923690: | ipprotoid: 0 Aug 26 18:24:47.923693: | port range: 0-65535 Aug 26 18:24:47.923698: | ip range: 192.0.22.0-192.0.22.255 Aug 26 18:24:47.923701: | printing contents struct traffic_selector Aug 26 18:24:47.923704: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 18:24:47.923707: | ipprotoid: 0 Aug 26 18:24:47.923709: | port range: 0-65535 Aug 26 18:24:47.923714: | ip range: 192.0.3.0-192.0.3.255 Aug 26 18:24:47.923721: | adding Child Responder KE and nonce nr work-order 4 for state #4 Aug 26 18:24:47.923726: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55c00a67f408 Aug 26 18:24:47.923731: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #4 Aug 26 18:24:47.923735: | libevent_malloc: new ptr-libevent@0x7f55d800d5d8 size 128 Aug 26 18:24:47.923739: | libevent_realloc: release ptr-libevent@0x55c00a655498 Aug 26 18:24:47.923743: | libevent_realloc: new ptr-libevent@0x55c00a67da18 size 128 Aug 26 18:24:47.923772: | #4 spent 0.623 milliseconds in processing: Respond to CREATE_CHILD_SA IPsec SA Request in ikev2_process_state_packet() Aug 26 18:24:47.923778: | crypto helper 3 resuming Aug 26 18:24:47.923779: | suspend processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:24:47.923796: | crypto helper 3 starting work-order 4 for state #4 Aug 26 18:24:47.923806: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:24:47.923810: | crypto helper 3 doing build KE and nonce (Child Responder KE and nonce nr); request ID 4 Aug 26 18:24:47.923812: | #4 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_SUSPEND Aug 26 
18:24:47.923821: | suspending state #4 and saving MD Aug 26 18:24:47.923825: | #4 is busy; has a suspended MD Aug 26 18:24:47.923830: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 18:24:47.923834: | "north-eastnets/0x2" #4 complete v2 state STATE_V2_CREATE_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 18:24:47.923840: | stop processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 18:24:47.923846: | #2 spent 1.27 milliseconds in ikev2_process_packet() Aug 26 18:24:47.923854: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Aug 26 18:24:47.923858: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 18:24:47.923862: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 18:24:47.923867: | spent 1.29 milliseconds in comm_handle_cb() reading and processing packet Aug 26 18:24:47.925555: | crypto helper 3 finished build KE and nonce (Child Responder KE and nonce nr); request ID 4 time elapsed 0.001743 seconds Aug 26 18:24:47.925569: | (#4) spent 1.73 milliseconds in crypto helper computing work-order 4: Child Responder KE and nonce nr (pcr) Aug 26 18:24:47.925572: | crypto helper 3 sending results from work-order 4 for state #4 to event queue Aug 26 18:24:47.925575: | scheduling resume sending helper answer for #4 Aug 26 18:24:47.925578: | libevent_malloc: new ptr-libevent@0x7f55cc001b78 size 128 Aug 26 18:24:47.925586: | crypto helper 3 waiting (nothing to do) Aug 26 18:24:47.925599: | processing resume sending helper answer for #4 Aug 26 18:24:47.925621: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Aug 26 18:24:47.925636: | crypto helper 3 replies to request ID 4 Aug 26 18:24:47.925642: | calling continuation function 0x55c0090b4b50 Aug 26 
18:24:47.925646: | ikev2_child_inIoutR_continue for #4 STATE_V2_CREATE_R Aug 26 18:24:47.925654: | adding DHv2 for child sa work-order 5 for state #4 Aug 26 18:24:47.925657: | state #4 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 18:24:47.925661: | libevent_free: release ptr-libevent@0x7f55d800d5d8 Aug 26 18:24:47.925664: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55c00a67f408 Aug 26 18:24:47.925667: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55c00a67f408 Aug 26 18:24:47.925671: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #4 Aug 26 18:24:47.925674: | libevent_malloc: new ptr-libevent@0x7f55d800d5d8 size 128 Aug 26 18:24:47.925685: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:24:47.925690: | #4 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_SUSPEND Aug 26 18:24:47.925692: | suspending state #4 and saving MD Aug 26 18:24:47.925702: | #4 is busy; has a suspended MD Aug 26 18:24:47.925707: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 18:24:47.925710: | "north-eastnets/0x2" #4 complete v2 state STATE_V2_CREATE_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 18:24:47.925714: | resume sending helper answer for #4 suppresed complete_v2_state_transition() and stole MD Aug 26 18:24:47.925719: | #4 spent 0.081 milliseconds in resume sending helper answer Aug 26 18:24:47.925690: | crypto helper 4 resuming Aug 26 18:24:47.925724: | stop processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Aug 26 18:24:47.925732: | crypto helper 4 starting work-order 5 for state #4 Aug 26 18:24:47.925734: | libevent_free: release ptr-libevent@0x7f55cc001b78 Aug 26 18:24:47.925739: | crypto helper 4 doing crypto (DHv2 for child sa); request ID 5 Aug 
26 18:24:47.927123: | crypto helper 4 finished crypto (DHv2 for child sa); request ID 5 time elapsed 0.001384 seconds Aug 26 18:24:47.927136: | (#4) spent 1.39 milliseconds in crypto helper computing work-order 5: DHv2 for child sa (dh) Aug 26 18:24:47.927138: | crypto helper 4 sending results from work-order 5 for state #4 to event queue Aug 26 18:24:47.927140: | scheduling resume sending helper answer for #4 Aug 26 18:24:47.927143: | libevent_malloc: new ptr-libevent@0x7f55d0001188 size 128 Aug 26 18:24:47.927149: | crypto helper 4 waiting (nothing to do) Aug 26 18:24:47.927159: | processing resume sending helper answer for #4 Aug 26 18:24:47.927172: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Aug 26 18:24:47.927181: | crypto helper 4 replies to request ID 5 Aug 26 18:24:47.927184: | calling continuation function 0x55c0090b59d0 Aug 26 18:24:47.927188: | ikev2_child_inIoutR_continue_continue for #4 STATE_V2_CREATE_R Aug 26 18:24:47.927213: | **emit ISAKMP Message: Aug 26 18:24:47.927216: | initiator cookie: Aug 26 18:24:47.927219: | a1 42 7a 34 8b 87 e9 05 Aug 26 18:24:47.927221: | responder cookie: Aug 26 18:24:47.927224: | cf fc 77 cb d8 5b ca 72 Aug 26 18:24:47.927227: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:24:47.927230: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:47.927233: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 18:24:47.927236: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 18:24:47.927239: | Message ID: 2 (0x2) Aug 26 18:24:47.927242: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:24:47.927246: | ***emit IKEv2 Encryption Payload: Aug 26 18:24:47.927249: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.927251: | flags: none (0x0) Aug 26 18:24:47.927255: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption 
Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:24:47.927258: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.927262: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:24:47.927293: | netlink_get_spi: allocated 0xd2041aac for esp.0@192.1.2.23 Aug 26 18:24:47.927299: | Emitting ikev2_proposal ... Aug 26 18:24:47.927303: | ****emit IKEv2 Security Association Payload: Aug 26 18:24:47.927305: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.927308: | flags: none (0x0) Aug 26 18:24:47.927311: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 18:24:47.927315: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.927318: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 18:24:47.927321: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:24:47.927323: | prop #: 1 (0x1) Aug 26 18:24:47.927326: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:24:47.927329: | spi size: 4 (0x4) Aug 26 18:24:47.927331: | # transforms: 4 (0x4) Aug 26 18:24:47.927334: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 18:24:47.927338: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 18:24:47.927341: | our spi d2 04 1a ac Aug 26 18:24:47.927343: | ******emit IKEv2 Transform Substructure Payload: Aug 26 18:24:47.927346: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.927349: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:47.927352: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:24:47.927355: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:47.927358: | *******emit IKEv2 Attribute 
Substructure Payload: Aug 26 18:24:47.927361: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:47.927363: | length/value: 128 (0x80) Aug 26 18:24:47.927366: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 18:24:47.927369: | ******emit IKEv2 Transform Substructure Payload: Aug 26 18:24:47.927372: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.927374: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:24:47.927378: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 18:24:47.927381: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.927384: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:47.927389: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:24:47.927392: | ******emit IKEv2 Transform Substructure Payload: Aug 26 18:24:47.927394: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.927397: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.927400: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:24:47.927403: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.927406: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:47.927409: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:24:47.927411: | ******emit IKEv2 Transform Substructure Payload: Aug 26 18:24:47.927414: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:47.927417: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:24:47.927419: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:24:47.927422: | last substructure: checking 'IKEv2 Proposal Substructure 
Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.927425: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:47.927428: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:24:47.927431: | emitting length of IKEv2 Proposal Substructure Payload: 48 Aug 26 18:24:47.927434: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 18:24:47.927437: | emitting length of IKEv2 Security Association Payload: 52 Aug 26 18:24:47.927440: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 18:24:47.927443: | ****emit IKEv2 Nonce Payload: Aug 26 18:24:47.927445: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.927448: | flags: none (0x0) Aug 26 18:24:47.927452: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 18:24:47.927455: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.927459: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 18:24:47.927462: | IKEv2 nonce cc 5e a0 39 c9 c9 79 66 39 ca 60 bb 5d c5 b6 fb Aug 26 18:24:47.927464: | IKEv2 nonce 0a 30 85 6b 57 f3 02 ee 90 e7 31 c5 dd 76 1d fa Aug 26 18:24:47.927467: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 18:24:47.927470: | ****emit IKEv2 Key Exchange Payload: Aug 26 18:24:47.927473: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.927476: | flags: none (0x0) Aug 26 18:24:47.927478: | DH group: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:24:47.927482: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Key Exchange Payload 
(34:ISAKMP_NEXT_v2KE) Aug 26 18:24:47.927485: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.927488: | emitting 384 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
Aug 26 18:24:47.927552: | emitting length of IKEv2 Key Exchange Payload: 392 Aug 26 18:24:47.927555: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 18:24:47.927558: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.927560: | flags: none (0x0) Aug 26 18:24:47.927563: | number of TS: 1 (0x1) Aug 26 18:24:47.927566: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 18:24:47.927569: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.927572: | *****emit IKEv2 Traffic Selector: Aug 26 18:24:47.927575: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:24:47.927577: | IP Protocol ID: 0 (0x0) Aug 26 18:24:47.927580: | start port: 0 (0x0) Aug 26 18:24:47.927582: | end port: 65535 (0xffff) Aug 26 18:24:47.927585: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 18:24:47.927588: | ipv4 start c0 00 03 00 Aug 26 18:24:47.927591: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 18:24:47.927593: | ipv4 end c0 00 03 ff Aug 26 18:24:47.927596: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 18:24:47.927599: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 18:24:47.927601: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 18:24:47.927604: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.927607: | flags: none (0x0) Aug 26 18:24:47.927609: | number of TS: 1 (0x1) Aug 26 18:24:47.927612: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload
type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 18:24:47.927615: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.927618: | *****emit IKEv2 Traffic Selector: Aug 26 18:24:47.927621: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:24:47.927623: | IP Protocol ID: 0 (0x0) Aug 26 18:24:47.927625: | start port: 0 (0x0) Aug 26 18:24:47.927628: | end port: 65535 (0xffff) Aug 26 18:24:47.927631: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 18:24:47.927633: | ipv4 start c0 00 16 00 Aug 26 18:24:47.927636: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 18:24:47.927638: | ipv4 end c0 00 16 ff Aug 26 18:24:47.927641: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 18:24:47.927645: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 18:24:47.927648: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 18:24:47.927652: | integ=sha2_512: .key_size=64 encrypt=aes: .key_size=16 .salt_size=0 keymat_len=80 Aug 26 18:24:47.927996: | install_ipsec_sa() for #4: inbound and outbound Aug 26 18:24:47.928002: | could_route called for north-eastnets/0x2 (kind=CK_PERMANENT) Aug 26 18:24:47.928005: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 18:24:47.928008: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Aug 26 18:24:47.928011: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Aug 26 18:24:47.928014: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Aug 26 18:24:47.928017: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Aug 26 18:24:47.928022: | route owner of "north-eastnets/0x2" unrouted: "north-eastnets/0x1" erouted; eroute owner: NULL Aug 26 18:24:47.928026: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Aug 26 18:24:47.928030: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Aug 26 18:24:47.928033: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Aug 26 18:24:47.928037: | setting IPsec SA replay-window to 32 Aug 26 18:24:47.928041: | NIC esp-hw-offload not for connection 'north-eastnets/0x2' not available on interface eth1 Aug 26 18:24:47.928044: | netlink: enabling tunnel mode Aug 26 18:24:47.928047: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 18:24:47.928050: | netlink: esp-hw-offload not set for IPsec SA Aug 26 18:24:47.928115: | netlink response for Add SA esp.1647d1b@192.1.3.33 included non-error error Aug 26 18:24:47.928120: | set up outgoing SA, ref=0/0 Aug 26 18:24:47.928124: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Aug 26 18:24:47.928127: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Aug 26 18:24:47.928130: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Aug 26 18:24:47.928134: | setting IPsec SA replay-window to 32 Aug 26 18:24:47.928137: | NIC esp-hw-offload not for connection 'north-eastnets/0x2' not available on interface eth1 Aug 26 18:24:47.928140: | netlink: enabling tunnel mode Aug 26 18:24:47.928142: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 18:24:47.928145: | netlink: esp-hw-offload not set for IPsec SA Aug 
26 18:24:47.928181: | netlink response for Add SA esp.d2041aac@192.1.2.23 included non-error error Aug 26 18:24:47.928186: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Aug 26 18:24:47.928193: | add inbound eroute 192.0.3.0/24:0 --0-> 192.0.22.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Aug 26 18:24:47.928197: | IPsec Sa SPD priority set to 1042407 Aug 26 18:24:47.928218: | raw_eroute result=success Aug 26 18:24:47.928221: | set up incoming SA, ref=0/0 Aug 26 18:24:47.928224: | sr for #4: unrouted Aug 26 18:24:47.928227: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 18:24:47.928230: | FOR_EACH_CONNECTION_... in route_owner Aug 26 18:24:47.928233: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Aug 26 18:24:47.928236: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Aug 26 18:24:47.928239: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Aug 26 18:24:47.928242: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Aug 26 18:24:47.928246: | route owner of "north-eastnets/0x2" unrouted: "north-eastnets/0x1" erouted; eroute owner: NULL Aug 26 18:24:47.928250: | route_and_eroute with c: north-eastnets/0x2 (next: none) ero:null esr:{(nil)} ro:north-eastnets/0x1 rosr:{0x55c00a674408} and state: #4 Aug 26 18:24:47.928253: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Aug 26 18:24:47.928261: | eroute_connection add eroute 192.0.22.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33 (raw_eroute) Aug 26 18:24:47.928264: | IPsec Sa SPD priority set to 1042407 Aug 26 18:24:47.928278: | raw_eroute result=success Aug 26 18:24:47.928282: | running updown command "ipsec _updown" for verb up Aug 26 18:24:47.928305: | command executing up-client Aug 26 18:24:47.928353: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.22.0/24' 
PLUTO_MY_CLIENT_NET='192.0.22.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0 Aug 26 18:24:47.928357: | popen cmd is 1042 chars long Aug 26 18:24:47.928360: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2': Aug 26 18:24:47.928363: | cmd( 80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_: Aug 26 18:24:47.928366: | cmd( 160):MY_ID='@east' PLUTO_MY_CLIENT='192.0.22.0/24' PLUTO_MY_CLIENT_NET='192.0.22.0' P: Aug 26 18:24:47.928369: | cmd( 240):LUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUT: Aug 26 18:24:47.928372: | cmd( 320):O_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@n: Aug 26 18:24:47.928374: | cmd( 400):orth' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_P: Aug 26 18:24:47.928377: | cmd( 480):EER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUT: Aug 26 18:24:47.928380: | cmd( 560):O_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+EN: Aug 26 18:24:47.928383: | cmd( 640):CRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KI: Aug 26 18:24:47.928385: | cmd( 720):ND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' 
XAUTH_FAILED=0 PLUTO_IS_PEER_CISC: Aug 26 18:24:47.928388: | cmd( 800):O='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUT: Aug 26 18:24:47.928391: | cmd( 880):O_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_R: Aug 26 18:24:47.928393: | cmd( 960):OUTING='no' VTI_SHARED='no' SPI_IN=0x1647d1b SPI_OUT=0xd2041aac ipsec _updown 2>: Aug 26 18:24:47.928396: | cmd(1040):&1: Aug 26 18:24:47.936281: | route_and_eroute: firewall_notified: true Aug 26 18:24:47.936308: | route_and_eroute: instance "north-eastnets/0x2", setting eroute_owner {spd=0x55c00a675938,sr=0x55c00a675938} to #4 (was #0) (newest_ipsec_sa=#0) Aug 26 18:24:47.936413: | #2 spent 1.01 milliseconds in install_ipsec_sa() Aug 26 18:24:47.936421: | ISAKMP_v2_CREATE_CHILD_SA: instance north-eastnets/0x2[0], setting IKEv2 newest_ipsec_sa to #4 (was #0) (spd.eroute=#4) cloned from #2 Aug 26 18:24:47.936425: | adding 16 bytes of padding (including 1 byte padding-length) Aug 26 18:24:47.936429: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.936434: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.936437: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.936440: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.936443: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.936446: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.936466: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.936469: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.936472: | emitting 1 0x08 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.936474: | 
emitting 1 0x09 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.936477: | emitting 1 0x0a repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.936480: | emitting 1 0x0b repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.936483: | emitting 1 0x0c repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.936486: | emitting 1 0x0d repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.936489: | emitting 1 0x0e repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.936492: | emitting 1 0x0f repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.936495: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:24:47.936498: | emitting length of IKEv2 Encryption Payload: 580 Aug 26 18:24:47.936501: | emitting length of ISAKMP Message: 608
Aug 26 18:24:47.936662: | out calculated auth: Aug 26 18:24:47.936665: | 93 a4 c4 2b 04 86 b1 45 8f 1b 8f c4 ca 12 14 28 Aug 26 18:24:47.936676: "north-eastnets/0x2" #4: negotiated new IPsec SA [192.0.22.0-192.0.22.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Aug 26 18:24:47.936690: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:24:47.936694: | #4 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_OK Aug 26 18:24:47.936698: | IKEv2: transition from state STATE_V2_CREATE_R to state STATE_V2_IPSEC_R Aug 26 18:24:47.936703: | child state #4: V2_CREATE_R(established IKE SA) => V2_IPSEC_R(established CHILD SA) Aug 26 18:24:47.936706: | Message ID: updating counters for #4 to 2 after switching state Aug 26 18:24:47.936712: | Message ID: recv #2.#4 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1->2; child: wip.initiator=-1 wip.responder=2->-1 Aug 26 18:24:47.936717: | Message ID: sent #2.#4 response 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1->2 responder.recv=2; child: wip.initiator=-1 wip.responder=-1 Aug 26 18:24:47.936720: | pstats #4 ikev2.child established Aug 26 18:24:47.936728: "north-eastnets/0x2" #4: negotiated connection [192.0.22.0-192.0.22.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Aug 26 18:24:47.936732: | NAT-T: encaps is 'auto' Aug 26 18:24:47.936737: "north-eastnets/0x2" #4: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x01647d1b <0xd2041aac xfrm=AES_CBC_128-HMAC_SHA2_512_256-MODP3072 NATOA=none
NATD=none DPD=passive} Aug 26 18:24:47.936742: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Aug 26 18:24:47.936751: | sending 608 bytes for STATE_V2_CREATE_R through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #2)
Aug 26 18:24:47.936897: | releasing whack for #4 (sock=fd@-1) Aug 26 18:24:47.936901: | releasing whack and unpending for parent #2 Aug 26 18:24:47.936904: | unpending state #2 connection "north-eastnets/0x2" Aug 26 18:24:47.936909: | #4 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Aug 26 18:24:47.936912: | state #4 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 18:24:47.936921: | libevent_free: release ptr-libevent@0x7f55d800d5d8 Aug 26 18:24:47.936926: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55c00a67f408 Aug 26 18:24:47.936929: | event_schedule: new EVENT_SA_REKEY-pe@0x55c00a67f408 Aug 26 18:24:47.936933: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #4 Aug 26 18:24:47.936937: | libevent_malloc: new ptr-libevent@0x55c00a687d08 size 128 Aug 26 18:24:47.936944: | #4 spent 2.33 milliseconds in resume sending helper answer Aug 26 18:24:47.936950: |
stop processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Aug 26 18:24:47.936954: | libevent_free: release ptr-libevent@0x7f55d0001188 Aug 26 18:24:47.936968: | processing signal PLUTO_SIGCHLD Aug 26 18:24:47.936973: | waitpid returned ECHILD (no child processes left) Aug 26 18:24:47.936978: | spent 0.00504 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:24:48.398322: | timer_event_cb: processing event@0x55c00a674e58 Aug 26 18:24:48.398338: | handling event EVENT_RETRANSMIT for parent state #1 Aug 26 18:24:48.398346: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33 (in timer_event_cb() at timer.c:250) Aug 26 18:24:48.398351: | IKEv2 retransmit event Aug 26 18:24:48.398356: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33 (in retransmit_v2_msg() at retry.c:144) Aug 26 18:24:48.398361: | handling event EVENT_RETRANSMIT for 192.1.3.33 "north-eastnets/0x2" #1 attempt 2 of 0 Aug 26 18:24:48.398365: | and parent for 192.1.3.33 "north-eastnets/0x2" #1 keying attempt 1 of 0; retransmit 3 Aug 26 18:24:48.398369: "north-eastnets/0x2" #1: suppressing retransmit because superseded by #4 try=1. 
Drop this negotitation Aug 26 18:24:48.398372: | pstats #1 ikev2.ike failed too-many-retransmits Aug 26 18:24:48.398373: | pstats #1 ikev2.ike deleted too-many-retransmits Aug 26 18:24:48.398377: | #1 spent 1.87 milliseconds in total Aug 26 18:24:48.398380: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33 (in delete_state() at state.c:879) Aug 26 18:24:48.398386: "north-eastnets/0x2" #1: deleting state (STATE_PARENT_I1) aged 2.005s and NOT sending notification Aug 26 18:24:48.398389: | parent state #1: PARENT_I1(half-open IKE SA) => delete Aug 26 18:24:48.398392: | in connection_discard for connection north-eastnets/0x1 Aug 26 18:24:48.398395: | removing pending policy for "north-eastnets/0x1" {0x55c00a666278} Aug 26 18:24:48.398400: | in connection_discard for connection north-eastnets/0x2 Aug 26 18:24:48.398402: | removing pending policy for "north-eastnets/0x2" {0x55c00a6662f8} Aug 26 18:24:48.398404: | State DB: IKEv2 state not found (flush_incomplete_children) Aug 26 18:24:48.398406: | picked newest_isakmp_sa #2 for #1 Aug 26 18:24:48.398408: | IKE delete_state() for #1 and connection 'north-eastnets/0x2' that is supposed to remain up; not a problem - have newer #2 Aug 26 18:24:48.398412: | in connection_discard for connection north-eastnets/0x2 Aug 26 18:24:48.398414: | State DB: deleting IKEv2 state #1 in PARENT_I1 Aug 26 18:24:48.398419: | parent state #1: PARENT_I1(half-open IKE SA) => UNDEFINED(ignore) Aug 26 18:24:48.398446: | stop processing: state #1 from 192.1.3.33 (in delete_state() at state.c:1143) Aug 26 18:24:48.398451: | libevent_free: release ptr-libevent@0x55c00a677048 Aug 26 18:24:48.398453: | free_event_entry: release EVENT_RETRANSMIT-pe@0x55c00a674e58 Aug 26 18:24:48.398456: | in statetime_stop() and could not find #1 Aug 26 18:24:48.398458: | processing: STOP state #0 (in timer_event_cb() at timer.c:557) Aug 26 18:24:49.332868: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in 
whack_handle() at rcv_whack.c:722) Aug 26 18:24:49.332888: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Aug 26 18:24:49.332891: | FOR_EACH_STATE_... in sort_states Aug 26 18:24:49.332897: | get_sa_info esp.8dc7cf24@192.1.2.23 Aug 26 18:24:49.332914: | get_sa_info esp.1dc3f9f9@192.1.3.33 Aug 26 18:24:49.332927: | get_sa_info esp.d2041aac@192.1.2.23 Aug 26 18:24:49.332934: | get_sa_info esp.1647d1b@192.1.3.33 Aug 26 18:24:49.332953: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:24:49.332960: | spent 0.101 milliseconds in whack Aug 26 18:24:50.303565: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:24:50.303590: shutting down Aug 26 18:24:50.303599: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Aug 26 18:24:50.303607: | certs and keys locked by 'free_preshared_secrets' Aug 26 18:24:50.303609: forgetting secrets Aug 26 18:24:50.303617: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 18:24:50.303621: | unreference key: 0x55c00a6750e8 @east cnt 1-- Aug 26 18:24:50.303626: | unreference key: 0x55c00a5ccc48 @north cnt 2-- Aug 26 18:24:50.303630: | start processing: connection "north-eastnets/0x2" (in delete_connection() at connections.c:189) Aug 26 18:24:50.303633: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 18:24:50.303635: | pass 0 Aug 26 18:24:50.303638: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 18:24:50.303640: | state #4 Aug 26 18:24:50.303644: | suspend processing: connection "north-eastnets/0x2" (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 18:24:50.303649: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 18:24:50.303652: | pstats #4 ikev2.child deleted completed Aug 26 18:24:50.303657: | #4 spent 6.16 milliseconds in total Aug 26 18:24:50.303661: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in delete_state() at state.c:879) Aug 26 18:24:50.303665: "north-eastnets/0x2" #4: deleting state (STATE_V2_IPSEC_R) aged 2.380s and sending notification Aug 26 18:24:50.303668: | child state #4: V2_IPSEC_R(established CHILD SA) => delete Aug 26 18:24:50.303673: | get_sa_info esp.1647d1b@192.1.3.33 Aug 26 18:24:50.303689: | get_sa_info esp.d2041aac@192.1.2.23 Aug 26 18:24:50.303701: "north-eastnets/0x2" #4: ESP traffic information: in=672B out=672B Aug 26 18:24:50.303705: | #4 send IKEv2 delete notification for STATE_V2_IPSEC_R Aug 26 18:24:50.303708: | Opening output PBS informational exchange delete request Aug 26 18:24:50.303711: | **emit ISAKMP Message: Aug 26 18:24:50.303714: | initiator cookie: Aug 26 18:24:50.303716: | a1 42 7a 34 8b 87 e9 05 Aug 26 18:24:50.303719: | responder cookie: Aug 26 18:24:50.303721: | cf fc 77 cb d8 5b ca 72 Aug 26 18:24:50.303723: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:24:50.303726: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:50.303728: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 18:24:50.303731: | flags: none (0x0) Aug 26 18:24:50.303733: | Message ID: 0 (0x0) Aug 26 18:24:50.303736: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:24:50.303739: | ***emit IKEv2 Encryption Payload: Aug 26 18:24:50.303742: | next payload 
type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:50.303744: | flags: none (0x0) Aug 26 18:24:50.303747: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:24:50.303750: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:24:50.303753: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:24:50.303769: | ****emit IKEv2 Delete Payload: Aug 26 18:24:50.303772: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:50.303774: | flags: none (0x0) Aug 26 18:24:50.303776: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 18:24:50.303779: | SPI size: 4 (0x4) Aug 26 18:24:50.303781: | number of SPIs: 1 (0x1) Aug 26 18:24:50.303784: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 18:24:50.303787: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:24:50.303790: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Aug 26 18:24:50.303792: | local spis d2 04 1a ac Aug 26 18:24:50.303794: | emitting length of IKEv2 Delete Payload: 12 Aug 26 18:24:50.303797: | adding 4 bytes of padding (including 1 byte padding-length) Aug 26 18:24:50.303800: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:50.303803: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:50.303805: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:50.303808: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:50.303811: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:24:50.303813: | emitting length of IKEv2 
Encryption Payload: 52 Aug 26 18:24:50.303816: | emitting length of ISAKMP Message: 80 Aug 26 18:24:50.303853: | data being hmac: a1 42 7a 34 8b 87 e9 05 cf fc 77 cb d8 5b ca 72 Aug 26 18:24:50.303856: | data being hmac: 2e 20 25 00 00 00 00 00 00 00 00 50 2a 00 00 34 Aug 26 18:24:50.303859: | data being hmac: d7 a1 ba 72 5c 9a d9 ef 08 89 96 cb 61 11 29 21 Aug 26 18:24:50.303861: | data being hmac: 46 2e a5 d8 6f d9 85 52 e7 d0 37 b9 dc 4b 3d 34 Aug 26 18:24:50.303863: | out calculated auth: Aug 26 18:24:50.303865: | 22 ff 0c 8b f0 69 e5 aa 88 38 be 02 87 76 81 a3 Aug 26 18:24:50.303878: | sending 80 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #4) Aug 26 18:24:50.303881: | a1 42 7a 34 8b 87 e9 05 cf fc 77 cb d8 5b ca 72 Aug 26 18:24:50.303883: | 2e 20 25 00 00 00 00 00 00 00 00 50 2a 00 00 34 Aug 26 18:24:50.303885: | d7 a1 ba 72 5c 9a d9 ef 08 89 96 cb 61 11 29 21 Aug 26 18:24:50.303887: | 46 2e a5 d8 6f d9 85 52 e7 d0 37 b9 dc 4b 3d 34 Aug 26 18:24:50.303891: | 22 ff 0c 8b f0 69 e5 aa 88 38 be 02 87 76 81 a3 Aug 26 18:24:50.303933: | Message ID: IKE #2 sender #4 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Aug 26 18:24:50.303940: | Message ID: IKE #2 sender #4 in send_delete hacking around record ' send Aug 26 18:24:50.303946: | Message ID: sent #2 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1->0 wip.responder=-1 Aug 26 18:24:50.303951: | state #4 requesting EVENT_SA_REKEY to be deleted Aug 26 18:24:50.303957: | libevent_free: release ptr-libevent@0x55c00a687d08 Aug 26 18:24:50.303961: | free_event_entry: release EVENT_SA_REKEY-pe@0x55c00a67f408 Aug 26 18:24:50.304029: | running updown command "ipsec _updown" for verb down Aug 26 18:24:50.304034: | command executing down-client Aug 26 18:24:50.304075: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2' 
PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.22.0/24' PLUTO_MY_CLIENT_NET='192.0.22.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566843887' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED= Aug 26 18:24:50.304080: | popen cmd is 1053 chars long Aug 26 18:24:50.304084: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x: Aug 26 18:24:50.304089: | cmd( 80):2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUT: Aug 26 18:24:50.304093: | cmd( 160):O_MY_ID='@east' PLUTO_MY_CLIENT='192.0.22.0/24' PLUTO_MY_CLIENT_NET='192.0.22.0': Aug 26 18:24:50.304097: | cmd( 240): PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PL: Aug 26 18:24:50.304101: | cmd( 320):UTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID=': Aug 26 18:24:50.304105: | cmd( 400):@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO: Aug 26 18:24:50.304109: | cmd( 480):_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PL: Aug 26 18:24:50.304113: | cmd( 560):UTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566843887' PLUTO_CONN_POLICY: Aug 26 18:24:50.304117: | cmd( 
640):='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PL: Aug 26 18:24:50.304120: | cmd( 720):UTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_I: Aug 26 18:24:50.304125: | cmd( 800):S_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BAN: Aug 26 18:24:50.304129: | cmd( 880):NER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFA: Aug 26 18:24:50.304133: | cmd( 960):CE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x1647d1b SPI_OUT=0xd2041aac ipsec: Aug 26 18:24:50.304137: | cmd(1040): _updown 2>&1: Aug 26 18:24:50.314113: | shunt_eroute() called for connection 'north-eastnets/0x2' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 Aug 26 18:24:50.314130: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 18:24:50.314134: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Aug 26 18:24:50.314139: | IPsec Sa SPD priority set to 1042407 Aug 26 18:24:50.314180: | delete esp.1647d1b@192.1.3.33 Aug 26 18:24:50.314199: | netlink response for Del SA esp.1647d1b@192.1.3.33 included non-error error Aug 26 18:24:50.314207: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Aug 26 18:24:50.314214: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.22.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Aug 26 18:24:50.314240: | raw_eroute result=success Aug 26 18:24:50.314244: | delete esp.d2041aac@192.1.2.23 Aug 26 18:24:50.314255: | netlink response for Del SA esp.d2041aac@192.1.2.23 included non-error error Aug 26 18:24:50.314266: | stop processing: connection "north-eastnets/0x2" (BACKGROUND) (in update_state_connection() at connections.c:4076) Aug 26 18:24:50.314271: | start processing: connection NULL (in update_state_connection() at connections.c:4077) Aug 26 18:24:50.314273: | in connection_discard for connection north-eastnets/0x2 Aug 26 18:24:50.314276: | State DB: deleting IKEv2 
state #4 in V2_IPSEC_R Aug 26 18:24:50.314285: | child state #4: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Aug 26 18:24:50.314333: | stop processing: state #4 from 192.1.3.33:500 (in delete_state() at state.c:1143) Aug 26 18:24:50.314359: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 18:24:50.314362: | state #3 Aug 26 18:24:50.314367: | start processing: state #3 connection "north-eastnets/0x1" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 18:24:50.314370: | pstats #3 ikev2.child deleted completed Aug 26 18:24:50.314375: | [RE]START processing: state #3 connection "north-eastnets/0x1" from 192.1.3.33:500 (in delete_state() at state.c:879) Aug 26 18:24:50.314379: "north-eastnets/0x1" #3: deleting state (STATE_V2_IPSEC_R) aged 2.458s and sending notification Aug 26 18:24:50.314382: | child state #3: V2_IPSEC_R(established CHILD SA) => delete Aug 26 18:24:50.314385: | get_sa_info esp.1dc3f9f9@192.1.3.33 Aug 26 18:24:50.314397: | get_sa_info esp.8dc7cf24@192.1.2.23 Aug 26 18:24:50.314406: "north-eastnets/0x1" #3: ESP traffic information: in=840B out=840B Aug 26 18:24:50.314410: | #3 send IKEv2 delete notification for STATE_V2_IPSEC_R Aug 26 18:24:50.314413: | Opening output PBS informational exchange delete request Aug 26 18:24:50.314416: | **emit ISAKMP Message: Aug 26 18:24:50.314419: | initiator cookie: Aug 26 18:24:50.314421: | a1 42 7a 34 8b 87 e9 05 Aug 26 18:24:50.314424: | responder cookie: Aug 26 18:24:50.314426: | cf fc 77 cb d8 5b ca 72 Aug 26 18:24:50.314428: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:24:50.314431: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:50.314434: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 18:24:50.314437: | flags: none (0x0) Aug 26 18:24:50.314439: | Message ID: 1 (0x1) Aug 26 18:24:50.314442: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' 
Aug 26 18:24:50.314445: | ***emit IKEv2 Encryption Payload: Aug 26 18:24:50.314448: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:50.314450: | flags: none (0x0) Aug 26 18:24:50.314453: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:24:50.314456: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:24:50.314459: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:24:50.314478: | ****emit IKEv2 Delete Payload: Aug 26 18:24:50.314481: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:50.314483: | flags: none (0x0) Aug 26 18:24:50.314485: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 18:24:50.314488: | SPI size: 4 (0x4) Aug 26 18:24:50.314490: | number of SPIs: 1 (0x1) Aug 26 18:24:50.314493: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 18:24:50.314496: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:24:50.314501: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Aug 26 18:24:50.314503: | local spis 8d c7 cf 24 Aug 26 18:24:50.314506: | emitting length of IKEv2 Delete Payload: 12 Aug 26 18:24:50.314508: | adding 4 bytes of padding (including 1 byte padding-length) Aug 26 18:24:50.314511: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:50.314514: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:50.314517: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:50.314519: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:50.314522: | emitting 16 zero bytes of length of 
truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:24:50.314524: | emitting length of IKEv2 Encryption Payload: 52 Aug 26 18:24:50.314527: | emitting length of ISAKMP Message: 80 Aug 26 18:24:50.314569: | data being hmac: a1 42 7a 34 8b 87 e9 05 cf fc 77 cb d8 5b ca 72 Aug 26 18:24:50.314572: | data being hmac: 2e 20 25 00 00 00 00 01 00 00 00 50 2a 00 00 34 Aug 26 18:24:50.314574: | data being hmac: d3 04 2d 7d 0f 8f 76 f5 10 f1 95 00 db 1b 8c a5 Aug 26 18:24:50.314577: | data being hmac: 43 95 ac 1a a2 59 f2 24 84 e7 82 35 a4 53 54 24 Aug 26 18:24:50.314579: | out calculated auth: Aug 26 18:24:50.314581: | 77 9d 00 15 2e f5 a4 95 43 06 93 b5 91 af 03 64 Aug 26 18:24:50.314590: | sending 80 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #3) Aug 26 18:24:50.314593: | a1 42 7a 34 8b 87 e9 05 cf fc 77 cb d8 5b ca 72 Aug 26 18:24:50.314595: | 2e 20 25 00 00 00 00 01 00 00 00 50 2a 00 00 34 Aug 26 18:24:50.314597: | d3 04 2d 7d 0f 8f 76 f5 10 f1 95 00 db 1b 8c a5 Aug 26 18:24:50.314599: | 43 95 ac 1a a2 59 f2 24 84 e7 82 35 a4 53 54 24 Aug 26 18:24:50.314601: | 77 9d 00 15 2e f5 a4 95 43 06 93 b5 91 af 03 64 Aug 26 18:24:50.314641: | Message ID: IKE #2 sender #3 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Aug 26 18:24:50.314645: | Message ID: IKE #2 sender #3 in send_delete hacking around record ' send Aug 26 18:24:50.314650: | Message ID: #2 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=1 wip.responder=-1 Aug 26 18:24:50.314654: | Message ID: sent #2 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=0->1 wip.responder=-1 Aug 26 18:24:50.314657: | state #3 requesting EVENT_SA_REKEY to be deleted Aug 26 18:24:50.314667: | libevent_free: release ptr-libevent@0x55c00a67dbf8 Aug 26 18:24:50.314671: | 
free_event_entry: release EVENT_SA_REKEY-pe@0x7f55d4002b78 Aug 26 18:24:50.314717: | running updown command "ipsec _updown" for verb down Aug 26 18:24:50.314722: | command executing down-client Aug 26 18:24:50.314746: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566843887' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='n Aug 26 18:24:50.314752: | popen cmd is 1052 chars long Aug 26 18:24:50.314755: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x: Aug 26 18:24:50.314758: | cmd( 80):1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUT: Aug 26 18:24:50.314760: | cmd( 160):O_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' P: Aug 26 18:24:50.314763: | cmd( 240):LUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUT: Aug 26 18:24:50.314765: | cmd( 320):O_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@n: Aug 26 18:24:50.314767: | cmd( 400):orth' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_P: 
Aug 26 18:24:50.314770: | cmd( 480):EER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUT: Aug 26 18:24:50.314772: | cmd( 560):O_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566843887' PLUTO_CONN_POLICY=': Aug 26 18:24:50.314774: | cmd( 640):RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUT: Aug 26 18:24:50.314777: | cmd( 720):O_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_: Aug 26 18:24:50.314779: | cmd( 800):PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNE: Aug 26 18:24:50.314781: | cmd( 880):R='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE: Aug 26 18:24:50.314784: | cmd( 960):='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x1dc3f9f9 SPI_OUT=0x8dc7cf24 ipsec : Aug 26 18:24:50.314786: | cmd(1040):_updown 2>&1: Aug 26 18:24:50.327242: | shunt_eroute() called for connection 'north-eastnets/0x1' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 Aug 26 18:24:50.327259: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 18:24:50.327263: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Aug 26 18:24:50.327268: | IPsec Sa SPD priority set to 1042407 Aug 26 18:24:50.327328: | delete esp.1dc3f9f9@192.1.3.33 Aug 26 18:24:50.327365: | netlink response for Del SA esp.1dc3f9f9@192.1.3.33 included non-error error Aug 26 18:24:50.327373: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Aug 26 18:24:50.327384: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Aug 26 18:24:50.327416: | raw_eroute result=success Aug 26 18:24:50.327424: | delete esp.8dc7cf24@192.1.2.23 Aug 26 18:24:50.327442: | netlink response for Del SA esp.8dc7cf24@192.1.2.23 included non-error error Aug 26 18:24:50.327459: | in connection_discard for connection north-eastnets/0x1 Aug 26 18:24:50.327464: | State DB: 
deleting IKEv2 state #3 in V2_IPSEC_R Aug 26 18:24:50.327478: | child state #3: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Aug 26 18:24:50.327492: | stop processing: state #3 from 192.1.3.33:500 (in delete_state() at state.c:1143) Aug 26 18:24:50.327515: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 18:24:50.327521: | state #2 Aug 26 18:24:50.327525: | pass 1 Aug 26 18:24:50.327530: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 18:24:50.327534: | state #2 Aug 26 18:24:50.327544: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 18:24:50.327549: | pstats #2 ikev2.ike deleted completed Aug 26 18:24:50.327560: | #2 spent 13.3 milliseconds in total Aug 26 18:24:50.327569: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in delete_state() at state.c:879) Aug 26 18:24:50.327575: "north-eastnets/0x2" #2: deleting state (STATE_PARENT_R2) aged 2.484s and sending notification Aug 26 18:24:50.327581: | parent state #2: PARENT_R2(established IKE SA) => delete Aug 26 18:24:50.327644: | #2 send IKEv2 delete notification for STATE_PARENT_R2 Aug 26 18:24:50.327652: | Opening output PBS informational exchange delete request Aug 26 18:24:50.327661: | **emit ISAKMP Message: Aug 26 18:24:50.327666: | initiator cookie: Aug 26 18:24:50.327670: | a1 42 7a 34 8b 87 e9 05 Aug 26 18:24:50.327675: | responder cookie: Aug 26 18:24:50.327679: | cf fc 77 cb d8 5b ca 72 Aug 26 18:24:50.327684: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:24:50.327689: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:50.327694: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 18:24:50.327701: | flags: none (0x0) Aug 26 18:24:50.327706: | Message ID: 2 (0x2) Aug 26 18:24:50.327711: | next payload chain: saving message location 'ISAKMP Message'.'next 
payload type' Aug 26 18:24:50.327716: | ***emit IKEv2 Encryption Payload: Aug 26 18:24:50.327722: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:50.327726: | flags: none (0x0) Aug 26 18:24:50.327733: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:24:50.327739: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:24:50.327745: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:24:50.327767: | ****emit IKEv2 Delete Payload: Aug 26 18:24:50.327773: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:50.327777: | flags: none (0x0) Aug 26 18:24:50.327782: | protocol ID: PROTO_v2_IKE (0x1) Aug 26 18:24:50.327786: | SPI size: 0 (0x0) Aug 26 18:24:50.327790: | number of SPIs: 0 (0x0) Aug 26 18:24:50.327797: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 18:24:50.327803: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:24:50.327808: | emitting length of IKEv2 Delete Payload: 8 Aug 26 18:24:50.327813: | adding 8 bytes of padding (including 1 byte padding-length) Aug 26 18:24:50.327819: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:50.327825: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:50.327831: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:50.327836: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:50.327841: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:50.327847: | emitting 1 0x05 repeated bytes of padding and length 
into IKEv2 Encryption Payload Aug 26 18:24:50.327852: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:50.327858: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:50.327864: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:24:50.327869: | emitting length of IKEv2 Encryption Payload: 52 Aug 26 18:24:50.327873: | emitting length of ISAKMP Message: 80 Aug 26 18:24:50.327949: | data being hmac: a1 42 7a 34 8b 87 e9 05 cf fc 77 cb d8 5b ca 72 Aug 26 18:24:50.327957: | data being hmac: 2e 20 25 00 00 00 00 02 00 00 00 50 2a 00 00 34 Aug 26 18:24:50.327962: | data being hmac: b6 8b ac 4c 86 84 b8 51 33 97 34 67 51 32 fd 51 Aug 26 18:24:50.327967: | data being hmac: 21 61 c7 12 f0 6f 24 45 c7 36 b9 c6 6c 65 71 a7 Aug 26 18:24:50.327971: | out calculated auth: Aug 26 18:24:50.327975: | 9b 63 06 3e 9b 2a 42 53 20 67 18 57 90 97 1b e4 Aug 26 18:24:50.327992: | sending 80 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #2) Aug 26 18:24:50.327997: | a1 42 7a 34 8b 87 e9 05 cf fc 77 cb d8 5b ca 72 Aug 26 18:24:50.328002: | 2e 20 25 00 00 00 00 02 00 00 00 50 2a 00 00 34 Aug 26 18:24:50.328006: | b6 8b ac 4c 86 84 b8 51 33 97 34 67 51 32 fd 51 Aug 26 18:24:50.328010: | 21 61 c7 12 f0 6f 24 45 c7 36 b9 c6 6c 65 71 a7 Aug 26 18:24:50.328018: | 9b 63 06 3e 9b 2a 42 53 20 67 18 57 90 97 1b e4 Aug 26 18:24:50.328071: | Message ID: IKE #2 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=2->3 and sender msgid=1->2 Aug 26 18:24:50.328079: | Message ID: IKE #2 sender #2 in send_delete hacking around record ' send Aug 26 18:24:50.328088: | Message ID: #2 XXX: expecting sender.wip.initiator 1 == -1 - suspect record'n'send out-of-order?); initiator.sent=2 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=2 wip.responder=-1 Aug 26 18:24:50.328096: | Message ID: 
sent #2 request 2; ike: initiator.sent=1->2 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=1->2 wip.responder=-1 Aug 26 18:24:50.328101: | state #2 requesting EVENT_SA_REKEY to be deleted Aug 26 18:24:50.328114: | libevent_free: release ptr-libevent@0x55c00a678358 Aug 26 18:24:50.328119: | free_event_entry: release EVENT_SA_REKEY-pe@0x7f55dc002b78 Aug 26 18:24:50.328127: | State DB: IKEv2 state not found (flush_incomplete_children) Aug 26 18:24:50.328132: | picked newest_isakmp_sa #0 for #2 Aug 26 18:24:50.328137: "north-eastnets/0x2" #2: deleting IKE SA for connection 'north-eastnets/0x2' but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS Aug 26 18:24:50.328142: | add revival: connection 'north-eastnets/0x2' added to the list and scheduled for 0 seconds Aug 26 18:24:50.328147: | global one-shot timer EVENT_REVIVE_CONNS scheduled in 0 seconds Aug 26 18:24:50.328154: | in connection_discard for connection north-eastnets/0x2 Aug 26 18:24:50.328159: | State DB: deleting IKEv2 state #2 in PARENT_R2 Aug 26 18:24:50.328165: | parent state #2: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Aug 26 18:24:50.328171: | unreference key: 0x55c00a5ccc48 @north cnt 1-- Aug 26 18:24:50.328203: | stop processing: state #2 from 192.1.3.33:500 (in delete_state() at state.c:1143) Aug 26 18:24:50.328237: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 18:24:50.328241: | shunt_eroute() called for connection 'north-eastnets/0x2' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 Aug 26 18:24:50.328244: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 18:24:50.328247: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Aug 26 18:24:50.328268: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Aug 26 18:24:50.328283: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 18:24:50.328295: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Aug 26 18:24:50.328304: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Aug 26 18:24:50.328309: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Aug 26 18:24:50.328314: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Aug 26 18:24:50.328321: | route owner of "north-eastnets/0x2" unrouted: "north-eastnets/0x1" prospective erouted Aug 26 18:24:50.328328: | flush revival: connection 'north-eastnets/0x2' revival flushed Aug 26 18:24:50.328334: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Aug 26 18:24:50.328348: | start processing: connection "north-eastnets/0x1" (in delete_connection() at connections.c:189) Aug 26 18:24:50.328354: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 18:24:50.328359: | pass 0 Aug 26 18:24:50.328363: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 18:24:50.328367: | pass 1 Aug 26 18:24:50.328371: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 18:24:50.328377: | shunt_eroute() called for connection 'north-eastnets/0x1' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 Aug 26 18:24:50.328382: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 18:24:50.328386: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Aug 26 18:24:50.328409: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Aug 26 18:24:50.328427: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 18:24:50.328433: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Aug 26 18:24:50.328438: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Aug 26 18:24:50.328444: | route owner of "north-eastnets/0x1" unrouted: NULL Aug 26 18:24:50.328449: | running updown command "ipsec _updown" for verb unroute Aug 26 18:24:50.328454: | command executing unroute-client Aug 26 18:24:50.328502: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' Aug 26 18:24:50.328509: | popen cmd is 1033 chars long Aug 26 18:24:50.328515: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets: Aug 26 18:24:50.328520: | cmd( 80):/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' P: Aug 26 18:24:50.328524: | cmd( 160):LUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0: Aug 26 18:24:50.328527: | cmd( 240):' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' P: Aug 26 18:24:50.328529: | cmd( 
320):LUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID: Aug 26 18:24:50.328532: | cmd( 400):='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLU: Aug 26 18:24:50.328534: | cmd( 480):TO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' : Aug 26 18:24:50.328536: | cmd( 560):PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASI: Aug 26 18:24:50.328539: | cmd( 640):G+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CON: Aug 26 18:24:50.328541: | cmd( 720):N_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_: Aug 26 18:24:50.328543: | cmd( 800):CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' : Aug 26 18:24:50.328545: | cmd( 880):PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' V: Aug 26 18:24:50.328548: | cmd( 960):TI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Aug 26 18:24:50.341406: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.341432: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.341438: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.341456: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.341482: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.341549: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.341572: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.341591: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 18:24:50.341608: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.341620: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.341634: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.341650: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.341664: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.341677: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.341690: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.341703: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.341718: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.341731: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.341745: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.341759: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.341772: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.341786: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.341799: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.341812: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.342261: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:50.342285: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 18:24:50.354939: | free hp@0x55c00a674d78 Aug 26 18:24:50.354958: | flush revival: connection 'north-eastnets/0x1' wasn't on the list Aug 26 18:24:50.354963: | stop processing: connection "north-eastnets/0x1" (in discard_connection() at connections.c:249) Aug 26 18:24:50.354972: | crl fetch request list locked by 'free_crl_fetch' Aug 26 18:24:50.354975: | crl fetch request list unlocked by 'free_crl_fetch' Aug 26 18:24:50.354989: shutting down interface lo/lo 127.0.0.1:4500 Aug 26 18:24:50.354992: shutting down interface lo/lo 127.0.0.1:500 Aug 26 18:24:50.354995: shutting down interface eth0/eth0 192.0.2.254:4500 Aug 26 18:24:50.354998: shutting down interface eth0/eth0 192.0.2.254:500 Aug 26 18:24:50.355001: shutting down interface eth0/eth0 192.0.22.251:4500 Aug 26 18:24:50.355003: shutting down interface eth0/eth0 192.0.22.251:500 Aug 26 18:24:50.355006: shutting down interface eth0/eth0 192.0.22.254:4500 Aug 26 18:24:50.355009: shutting down interface eth0/eth0 192.0.22.254:500 Aug 26 18:24:50.355011: shutting down interface eth0/eth0 192.0.2.251:4500 Aug 26 18:24:50.355014: shutting down interface eth0/eth0 192.0.2.251:500 Aug 26 18:24:50.355016: shutting down interface eth1/eth1 192.1.2.23:4500 Aug 26 18:24:50.355019: shutting down interface eth1/eth1 192.1.2.23:500 Aug 26 18:24:50.355023: | FOR_EACH_STATE_... 
in delete_states_dead_interfaces Aug 26 18:24:50.355035: | libevent_free: release ptr-libevent@0x55c00a676358 Aug 26 18:24:50.355039: | free_event_entry: release EVENT_NULL-pe@0x55c00a672f88 Aug 26 18:24:50.355050: | libevent_free: release ptr-libevent@0x55c00a5fcba8 Aug 26 18:24:50.355053: | free_event_entry: release EVENT_NULL-pe@0x55c00a673038 Aug 26 18:24:50.355059: | libevent_free: release ptr-libevent@0x55c00a5fc428 Aug 26 18:24:50.355062: | free_event_entry: release EVENT_NULL-pe@0x55c00a6730e8 Aug 26 18:24:50.355069: | libevent_free: release ptr-libevent@0x55c00a5fd588 Aug 26 18:24:50.355071: | free_event_entry: release EVENT_NULL-pe@0x55c00a673808 Aug 26 18:24:50.355077: | libevent_free: release ptr-libevent@0x55c00a5d14e8 Aug 26 18:24:50.355080: | free_event_entry: release EVENT_NULL-pe@0x55c00a6738b8 Aug 26 18:24:50.355086: | libevent_free: release ptr-libevent@0x55c00a5d11d8 Aug 26 18:24:50.355088: | free_event_entry: release EVENT_NULL-pe@0x55c00a673968 Aug 26 18:24:50.355098: | libevent_free: release ptr-libevent@0x55c00a673a88 Aug 26 18:24:50.355101: | free_event_entry: release EVENT_NULL-pe@0x55c00a673a18 Aug 26 18:24:50.355106: | libevent_free: release ptr-libevent@0x55c00a673be8 Aug 26 18:24:50.355109: | free_event_entry: release EVENT_NULL-pe@0x55c00a673b78 Aug 26 18:24:50.355115: | libevent_free: release ptr-libevent@0x55c00a673d48 Aug 26 18:24:50.355117: | free_event_entry: release EVENT_NULL-pe@0x55c00a673cd8 Aug 26 18:24:50.355123: | libevent_free: release ptr-libevent@0x55c00a673ea8 Aug 26 18:24:50.355126: | free_event_entry: release EVENT_NULL-pe@0x55c00a673e38 Aug 26 18:24:50.355132: | libevent_free: release ptr-libevent@0x55c00a674008 Aug 26 18:24:50.355134: | free_event_entry: release EVENT_NULL-pe@0x55c00a673f98 Aug 26 18:24:50.355140: | libevent_free: release ptr-libevent@0x55c00a674168 Aug 26 18:24:50.355142: | free_event_entry: release EVENT_NULL-pe@0x55c00a6740f8 Aug 26 18:24:50.355147: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Aug 26 18:24:50.355658: | libevent_free: release ptr-libevent@0x55c00a666f18 Aug 26 18:24:50.355669: | free_event_entry: release EVENT_NULL-pe@0x55c00a65ac88 Aug 26 18:24:50.355675: | libevent_free: release ptr-libevent@0x55c00a5fcc58 Aug 26 18:24:50.355678: | free_event_entry: release EVENT_NULL-pe@0x55c00a65ac18 Aug 26 18:24:50.355683: | libevent_free: release ptr-libevent@0x55c00a63e578 Aug 26 18:24:50.355685: | free_event_entry: release EVENT_NULL-pe@0x55c00a65a0d8 Aug 26 18:24:50.355690: | global timer EVENT_REINIT_SECRET uninitialized Aug 26 18:24:50.355692: | global timer EVENT_SHUNT_SCAN uninitialized Aug 26 18:24:50.355695: | global timer EVENT_PENDING_DDNS uninitialized Aug 26 18:24:50.355697: | global timer EVENT_PENDING_PHASE2 uninitialized Aug 26 18:24:50.355699: | global timer EVENT_CHECK_CRLS uninitialized Aug 26 18:24:50.355701: | global timer EVENT_REVIVE_CONNS uninitialized Aug 26 18:24:50.355704: | global timer EVENT_FREE_ROOT_CERTS uninitialized Aug 26 18:24:50.355706: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Aug 26 18:24:50.355708: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Aug 26 18:24:50.355713: | libevent_free: release ptr-libevent@0x55c00a605888 Aug 26 18:24:50.355716: | signal event handler PLUTO_SIGCHLD uninstalled Aug 26 18:24:50.355719: | libevent_free: release ptr-libevent@0x55c00a5fd658 Aug 26 18:24:50.355721: | signal event handler PLUTO_SIGTERM uninstalled Aug 26 18:24:50.355725: | libevent_free: release ptr-libevent@0x55c00a672458 Aug 26 18:24:50.355727: | signal event handler PLUTO_SIGHUP uninstalled Aug 26 18:24:50.355730: | libevent_free: release ptr-libevent@0x55c00a672698 Aug 26 18:24:50.355732: | signal event handler PLUTO_SIGSYS uninstalled Aug 26 18:24:50.355734: | releasing event base Aug 26 18:24:50.355747: | libevent_free: release ptr-libevent@0x55c00a672568 Aug 26 18:24:50.355750: | libevent_free: release ptr-libevent@0x55c00a655558 Aug 26 18:24:50.355754: | libevent_free: 
release ptr-libevent@0x55c00a655508 Aug 26 18:24:50.355756: | libevent_free: release ptr-libevent@0x55c00a67da18 Aug 26 18:24:50.355758: | libevent_free: release ptr-libevent@0x55c00a655458 Aug 26 18:24:50.355761: | libevent_free: release ptr-libevent@0x55c00a6721e8 Aug 26 18:24:50.355763: | libevent_free: release ptr-libevent@0x55c00a672398 Aug 26 18:24:50.355766: | libevent_free: release ptr-libevent@0x55c00a655708 Aug 26 18:24:50.355768: | libevent_free: release ptr-libevent@0x55c00a65a1e8 Aug 26 18:24:50.355770: | libevent_free: release ptr-libevent@0x55c00a65abd8 Aug 26 18:24:50.355772: | libevent_free: release ptr-libevent@0x55c00a674218 Aug 26 18:24:50.355775: | libevent_free: release ptr-libevent@0x55c00a6740b8 Aug 26 18:24:50.355777: | libevent_free: release ptr-libevent@0x55c00a673f58 Aug 26 18:24:50.355779: | libevent_free: release ptr-libevent@0x55c00a673df8 Aug 26 18:24:50.355781: | libevent_free: release ptr-libevent@0x55c00a673c98 Aug 26 18:24:50.355784: | libevent_free: release ptr-libevent@0x55c00a673b38 Aug 26 18:24:50.355786: | libevent_free: release ptr-libevent@0x55c00a6739d8 Aug 26 18:24:50.355791: | libevent_free: release ptr-libevent@0x55c00a673928 Aug 26 18:24:50.355793: | libevent_free: release ptr-libevent@0x55c00a673878 Aug 26 18:24:50.355796: | libevent_free: release ptr-libevent@0x55c00a673158 Aug 26 18:24:50.355798: | libevent_free: release ptr-libevent@0x55c00a6730a8 Aug 26 18:24:50.355800: | libevent_free: release ptr-libevent@0x55c00a672ff8 Aug 26 18:24:50.355802: | libevent_free: release ptr-libevent@0x55c00a5f9888 Aug 26 18:24:50.355805: | libevent_free: release ptr-libevent@0x55c00a672418 Aug 26 18:24:50.355807: | libevent_free: release ptr-libevent@0x55c00a6723d8 Aug 26 18:24:50.355809: | libevent_free: release ptr-libevent@0x55c00a672358 Aug 26 18:24:50.355812: | libevent_free: release ptr-libevent@0x55c00a672528 Aug 26 18:24:50.355814: | libevent_free: release ptr-libevent@0x55c00a672228 Aug 26 18:24:50.355817: | 
libevent_free: release ptr-libevent@0x55c00a5d0908 Aug 26 18:24:50.355819: | libevent_free: release ptr-libevent@0x55c00a5d0d38 Aug 26 18:24:50.355821: | libevent_free: release ptr-libevent@0x55c00a5f9bf8 Aug 26 18:24:50.355824: | releasing global libevent data Aug 26 18:24:50.355826: | libevent_free: release ptr-libevent@0x55c00a5d5a48 Aug 26 18:24:50.355829: | libevent_free: release ptr-libevent@0x55c00a5d0cd8 Aug 26 18:24:50.355832: | libevent_free: release ptr-libevent@0x55c00a5d0dd8 Aug 26 18:24:50.355862: leak detective found no leaks