Aug 26 18:24:45.531650: FIPS Product: YES
Aug 26 18:24:45.531720: FIPS Kernel: NO
Aug 26 18:24:45.531724: FIPS Mode: NO
Aug 26 18:24:45.531727: NSS DB directory: sql:/etc/ipsec.d
Aug 26 18:24:45.531871: Initializing NSS
Aug 26 18:24:45.531881: Opening NSS database "sql:/etc/ipsec.d" read-only
Aug 26 18:24:45.562304: NSS initialized
Aug 26 18:24:45.562327: NSS crypto library initialized
Aug 26 18:24:45.562330: FIPS HMAC integrity support [enabled]
Aug 26 18:24:45.562333: FIPS mode disabled for pluto daemon
Aug 26 18:24:45.595750: FIPS HMAC integrity verification self-test FAILED
Aug 26 18:24:45.595836: libcap-ng support [enabled]
Aug 26 18:24:45.595842: Linux audit support [enabled]
Aug 26 18:24:45.596143: Linux audit activated
Aug 26 18:24:45.596153: Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:22554
Aug 26 18:24:45.596156: core dump dir: /tmp
Aug 26 18:24:45.596158: secrets file: /etc/ipsec.secrets
Aug 26 18:24:45.596159: leak-detective enabled
Aug 26 18:24:45.596160: NSS crypto [enabled]
Aug 26 18:24:45.596162: XAUTH PAM support [enabled]
Aug 26 18:24:45.596222: | libevent is using pluto's memory allocator
Aug 26 18:24:45.596230: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
Aug 26 18:24:45.596242: | libevent_malloc: new ptr-libevent@0x56407d9ebbc8 size 40
Aug 26 18:24:45.596245: | libevent_malloc: new ptr-libevent@0x56407d9e5cd8 size 40
Aug 26 18:24:45.596247: | libevent_malloc: new ptr-libevent@0x56407d9e5dd8 size 40
Aug 26 18:24:45.596249: | creating event base
Aug 26 18:24:45.596251: | libevent_malloc: new ptr-libevent@0x56407da68308 size 56
Aug 26 18:24:45.596255: | libevent_malloc: new ptr-libevent@0x56407da14e58 size 664
Aug 26 18:24:45.596265: | libevent_malloc: new ptr-libevent@0x56407da68378 size 24
Aug 26 18:24:45.596267: | libevent_malloc: new ptr-libevent@0x56407da683c8 size 384
Aug 26 18:24:45.596274: | libevent_malloc: new ptr-libevent@0x56407da682c8 size 16
Aug 26 18:24:45.596276: | libevent_malloc: new ptr-libevent@0x56407d9e5908 size 40
Aug 26 18:24:45.596278: | libevent_malloc: new ptr-libevent@0x56407d9e5d38 size 48
Aug 26 18:24:45.596281: | libevent_realloc: new ptr-libevent@0x56407da14ae8 size 256
Aug 26 18:24:45.596283: | libevent_malloc: new ptr-libevent@0x56407da68578 size 16
Aug 26 18:24:45.596298: | libevent_free: release ptr-libevent@0x56407da68308
Aug 26 18:24:45.596306: | libevent initialized
Aug 26 18:24:45.596308: | libevent_realloc: new ptr-libevent@0x56407da68308 size 64
Aug 26 18:24:45.596313: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds
Aug 26 18:24:45.596325: | init_nat_traversal() initialized with keep_alive=0s
Aug 26 18:24:45.596327: NAT-Traversal support [enabled]
Aug 26 18:24:45.596329: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized
Aug 26 18:24:45.596334: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized
Aug 26 18:24:45.596336: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds
Aug 26 18:24:45.596364: | global one-shot timer EVENT_REVIVE_CONNS initialized
Aug 26 18:24:45.596379: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds
Aug 26 18:24:45.596382: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds
Aug 26 18:24:45.596414: Encryption algorithms:
Aug 26 18:24:45.596420: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c
Aug 26 18:24:45.596423: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b
Aug 26 18:24:45.596425: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a
Aug 26 18:24:45.596427: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des
Aug 26 18:24:45.596429: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
Aug 26 18:24:45.596451: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia
Aug 26 18:24:45.596454: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c
Aug 26 18:24:45.596456: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b
Aug 26 18:24:45.596458: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a
Aug 26 18:24:45.596460: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr
Aug 26 18:24:45.596463: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes
Aug 26 18:24:45.596465: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent
Aug 26 18:24:45.596467: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish
Aug 26 18:24:45.596469: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh
Aug 26 18:24:45.596472: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac
Aug 26 18:24:45.596474: NULL IKEv1: ESP IKEv2: ESP []
Aug 26 18:24:45.596476: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305
Aug 26 18:24:45.596481: Hash algorithms:
Aug 26 18:24:45.596483: MD5 IKEv1: IKE IKEv2:
Aug 26 18:24:45.596485: SHA1 IKEv1: IKE IKEv2: FIPS sha
Aug 26 18:24:45.596487: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256
Aug 26 18:24:45.596489: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384
Aug 26 18:24:45.596491: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512
Aug 26 18:24:45.596499: PRF algorithms:
Aug 26 18:24:45.596501: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5
Aug 26 18:24:45.596503: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1
Aug 26 18:24:45.596506: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256
Aug 26 18:24:45.596508: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384
Aug 26 18:24:45.596510: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512
Aug 26 18:24:45.596512: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc
Aug 26 18:24:45.596540: Integrity algorithms:
Aug 26 18:24:45.596543: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5
Aug 26 18:24:45.596545: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1
Aug 26 18:24:45.596548: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512
Aug 26 18:24:45.596550: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384
Aug 26 18:24:45.596552: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Aug 26 18:24:45.596554: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
Aug 26 18:24:45.596556: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96
Aug 26 18:24:45.596558: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
Aug 26 18:24:45.596560: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
Aug 26 18:24:45.596568: DH algorithms:
Aug 26 18:24:45.596570: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0
Aug 26 18:24:45.596572: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5
Aug 26 18:24:45.596573: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14
Aug 26 18:24:45.596577: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15
Aug 26 18:24:45.596579: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16
Aug 26 18:24:45.596581: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17
Aug 26 18:24:45.596582: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18
Aug 26 18:24:45.596584: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256
Aug 26 18:24:45.596586: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384
Aug 26 18:24:45.596588: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521
Aug 26 18:24:45.596590: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519
Aug 26 18:24:45.596592: testing CAMELLIA_CBC:
Aug 26 18:24:45.596594: Camellia: 16 bytes with 128-bit key
Aug 26 18:24:45.596685: Camellia: 16 bytes with 128-bit key
Aug 26 18:24:45.596704: Camellia: 16 bytes with 256-bit key
Aug 26 18:24:45.596722: Camellia: 16 bytes with 256-bit key
Aug 26 18:24:45.596739: testing AES_GCM_16:
Aug 26 18:24:45.596741: empty string
Aug 26 18:24:45.596759: one block
Aug 26 18:24:45.596775: two blocks
Aug 26 18:24:45.596792: two blocks with associated data
Aug 26 18:24:45.596808: testing AES_CTR:
Aug 26 18:24:45.596810: Encrypting 16 octets using AES-CTR with 128-bit key
Aug 26 18:24:45.596826: Encrypting 32 octets using AES-CTR with 128-bit key
Aug 26 18:24:45.596843: Encrypting 36 octets using AES-CTR with 128-bit key
Aug 26 18:24:45.596860: Encrypting 16 octets using AES-CTR with 192-bit key
Aug 26 18:24:45.596876: Encrypting 32 octets using AES-CTR with 192-bit key
Aug 26 18:24:45.596892: Encrypting 36 octets using AES-CTR with 192-bit key
Aug 26 18:24:45.596909: Encrypting 16 octets using AES-CTR with 256-bit key
Aug 26 18:24:45.596925: Encrypting 32 octets using AES-CTR with 256-bit key
Aug 26 18:24:45.596942: Encrypting 36 octets using AES-CTR with 256-bit key
Aug 26 18:24:45.596959: testing AES_CBC:
Aug 26 18:24:45.596960: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Aug 26 18:24:45.596979: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Aug 26 18:24:45.596997: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Aug 26 18:24:45.597014: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Aug 26 18:24:45.597034: testing AES_XCBC:
Aug 26 18:24:45.597036: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input
Aug 26 18:24:45.597108: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input
Aug 26 18:24:45.597186: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input
Aug 26 18:24:45.597260: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input
Aug 26 18:24:45.597369: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input
Aug 26 18:24:45.597446: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input
Aug 26 18:24:45.597524: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input
Aug 26 18:24:45.597689: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Aug 26 18:24:45.597767: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Aug 26 18:24:45.597848: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Aug 26 18:24:45.597989: testing HMAC_MD5:
Aug 26 18:24:45.597992: RFC 2104: MD5_HMAC test 1
Aug 26 18:24:45.598097: RFC 2104: MD5_HMAC test 2
Aug 26 18:24:45.598189: RFC 2104: MD5_HMAC test 3
Aug 26 18:24:45.598362: 8 CPU cores online
Aug 26 18:24:45.598367: starting up 7 crypto helpers
Aug 26 18:24:45.598398: started thread for crypto helper 0
Aug 26 18:24:45.598425: | starting up helper thread 0
Aug 26 18:24:45.598437: | starting up helper thread 1
Aug 26 18:24:45.598447: | status value returned by setting the priority of this thread (crypto helper 0) 22
Aug 26 18:24:45.598450: | crypto helper 0 waiting (nothing to do)
Aug 26 18:24:45.598450: | status value returned by setting the priority of this thread (crypto helper 1) 22
Aug 26 18:24:45.598474: | crypto helper 1 waiting (nothing to do)
Aug 26 18:24:45.598432: started thread for crypto helper 1
Aug 26 18:24:45.598526: started thread for crypto helper 2
Aug 26 18:24:45.598529: | starting up helper thread 2
Aug 26 18:24:45.598545: | status value returned by setting the priority of this thread (crypto helper 2) 22
Aug 26 18:24:45.598549: | crypto helper 2 waiting (nothing to do)
Aug 26 18:24:45.598553: started thread for crypto helper 3
Aug 26 18:24:45.598557: | starting up helper thread 3
Aug 26 18:24:45.598594: started thread for crypto helper 4
Aug 26 18:24:45.598619: | starting up helper thread 4
Aug 26 18:24:45.598619: | status value returned by setting the priority of this thread (crypto helper 3) 22
Aug 26 18:24:45.598634: | status value returned by setting the priority of this thread (crypto helper 4) 22
Aug 26 18:24:45.598643: | crypto helper 3 waiting (nothing to do)
Aug 26 18:24:45.598650: started thread for crypto helper 5
Aug 26 18:24:45.598656: | starting up helper thread 5
Aug 26 18:24:45.598668: | status value returned by setting the priority of this thread (crypto helper 5) 22
Aug 26 18:24:45.598677: started thread for crypto helper 6
Aug 26 18:24:45.598680: | starting up helper thread 6
Aug 26 18:24:45.598684: | checking IKEv1 state table
Aug 26 18:24:45.598685: | status value returned by setting the priority of this thread (crypto helper 6) 22
Aug 26 18:24:45.598690: | MAIN_R0: category: half-open IKE SA flags: 0:
Aug 26 18:24:45.598692: | -> MAIN_R1 EVENT_SO_DISCARD
Aug 26 18:24:45.598694: | MAIN_I1: category: half-open IKE SA flags: 0:
Aug 26 18:24:45.598696: | -> MAIN_I2 EVENT_RETRANSMIT
Aug 26 18:24:45.598697: | MAIN_R1: category: open IKE SA flags: 200:
Aug 26 18:24:45.598699: | -> MAIN_R2 EVENT_RETRANSMIT
Aug 26 18:24:45.598701: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 18:24:45.598702: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 18:24:45.598704: | MAIN_I2: category: open IKE SA flags: 0:
Aug 26 18:24:45.598705: | -> MAIN_I3 EVENT_RETRANSMIT
Aug 26 18:24:45.598707: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 18:24:45.598708: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 18:24:45.598710: | MAIN_R2: category: open IKE SA flags: 0:
Aug 26 18:24:45.598712: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 18:24:45.598713: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 18:24:45.598715: | -> UNDEFINED EVENT_SA_REPLACE
Aug 26 18:24:45.598716: | MAIN_I3: category: open IKE SA flags: 0:
Aug 26 18:24:45.598718: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 18:24:45.598719: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 18:24:45.598721: | -> UNDEFINED EVENT_SA_REPLACE
Aug 26 18:24:45.598723: | MAIN_R3: category: established IKE SA flags: 200:
Aug 26 18:24:45.598724: | -> UNDEFINED EVENT_NULL
Aug 26 18:24:45.598726: | MAIN_I4: category: established IKE SA flags: 0:
Aug 26 18:24:45.598727: | -> UNDEFINED EVENT_NULL
Aug 26 18:24:45.598729: | AGGR_R0: category: half-open IKE SA flags: 0:
Aug 26 18:24:45.598731: | -> AGGR_R1 EVENT_SO_DISCARD
Aug 26 18:24:45.598732: | AGGR_I1: category: half-open IKE SA flags: 0:
Aug 26 18:24:45.598734: | -> AGGR_I2 EVENT_SA_REPLACE
Aug 26 18:24:45.598735: | -> AGGR_I2 EVENT_SA_REPLACE
Aug 26 18:24:45.598737: | AGGR_R1: category: open IKE SA flags: 200:
Aug 26 18:24:45.598739: | -> AGGR_R2 EVENT_SA_REPLACE
Aug 26 18:24:45.598740: | -> AGGR_R2 EVENT_SA_REPLACE
Aug 26 18:24:45.598742: | AGGR_I2: category: established IKE SA flags: 200:
Aug 26 18:24:45.598743: | -> UNDEFINED EVENT_NULL
Aug 26 18:24:45.598745: | AGGR_R2: category: established IKE SA flags: 0:
Aug 26 18:24:45.598747: | -> UNDEFINED EVENT_NULL
Aug 26 18:24:45.598748: | QUICK_R0: category: established CHILD SA flags: 0:
Aug 26 18:24:45.598750: | -> QUICK_R1 EVENT_RETRANSMIT
Aug 26 18:24:45.598753: | QUICK_I1: category: established CHILD SA flags: 0:
Aug 26 18:24:45.598755: | -> QUICK_I2 EVENT_SA_REPLACE
Aug 26 18:24:45.598758: | QUICK_R1: category: established CHILD SA flags: 0:
Aug 26 18:24:45.598763: | -> QUICK_R2 EVENT_SA_REPLACE
Aug 26 18:24:45.598766: | QUICK_I2: category: established CHILD SA flags: 200:
Aug 26 18:24:45.598768: | -> UNDEFINED EVENT_NULL
Aug 26 18:24:45.598770: | QUICK_R2: category: established CHILD SA flags: 0:
Aug 26 18:24:45.598772: | -> UNDEFINED EVENT_NULL
Aug 26 18:24:45.598775: | INFO: category: informational flags: 0:
Aug 26 18:24:45.598777: | -> UNDEFINED EVENT_NULL
Aug 26 18:24:45.598779: | INFO_PROTECTED: category: informational flags: 0:
Aug 26 18:24:45.598781: | -> UNDEFINED EVENT_NULL
Aug 26 18:24:45.598784: | XAUTH_R0: category: established IKE SA flags: 0:
Aug 26 18:24:45.598786: | -> XAUTH_R1 EVENT_NULL
Aug 26 18:24:45.598789: | XAUTH_R1: category: established IKE SA flags: 0:
Aug 26 18:24:45.598791: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 18:24:45.598793: | MODE_CFG_R0: category: informational flags: 0:
Aug 26 18:24:45.598795: | -> MODE_CFG_R1 EVENT_SA_REPLACE
Aug 26 18:24:45.598798: | MODE_CFG_R1: category: established IKE SA flags: 0:
Aug 26 18:24:45.598800: | -> MODE_CFG_R2 EVENT_SA_REPLACE
Aug 26 18:24:45.598803: | MODE_CFG_R2: category: established IKE SA flags: 0:
Aug 26 18:24:45.598805: | -> UNDEFINED EVENT_NULL
Aug 26 18:24:45.598807: | MODE_CFG_I1: category: established IKE SA flags: 0:
Aug 26 18:24:45.598810: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 18:24:45.598812: | XAUTH_I0: category: established IKE SA flags: 0:
Aug 26 18:24:45.598814: | -> XAUTH_I1 EVENT_RETRANSMIT
Aug 26 18:24:45.598817: | XAUTH_I1: category: established IKE SA flags: 0:
Aug 26 18:24:45.598819: | -> MAIN_I4 EVENT_RETRANSMIT
Aug 26 18:24:45.598825: | checking IKEv2 state table
Aug 26 18:24:45.598831: | PARENT_I0: category: ignore flags: 0:
Aug 26 18:24:45.598834: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT)
Aug 26 18:24:45.598837: | PARENT_I1: category: half-open IKE SA flags: 0:
Aug 26 18:24:45.598840: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification)
Aug 26 18:24:45.598842: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH)
Aug 26 18:24:45.598845: | PARENT_I2: category: open IKE SA flags: 0:
Aug 26 18:24:45.598848: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification)
Aug 26 18:24:45.598850: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification)
Aug 26 18:24:45.598853: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification)
Aug 26 18:24:45.598856: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response)
Aug 26 18:24:45.598856: | crypto helper 4 waiting (nothing to do)
Aug 26 18:24:45.598876: | crypto helper 5 waiting (nothing to do)
Aug 26 18:24:45.598888: | crypto helper 6 waiting (nothing to do)
Aug 26 18:24:45.598859: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification)
Aug 26 18:24:45.598921: | PARENT_I3: category: established IKE SA flags: 0:
Aug 26 18:24:45.598925: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request)
Aug 26 18:24:45.598927: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response)
Aug 26 18:24:45.598930: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request)
Aug 26 18:24:45.598932: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response)
Aug 26 18:24:45.598935: | PARENT_R0: category: half-open IKE SA flags: 0:
Aug 26 18:24:45.598937: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT)
Aug 26 18:24:45.598940: | PARENT_R1: category: half-open IKE SA flags: 0:
Aug 26 18:24:45.598943: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED))
Aug 26 18:24:45.598945: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request)
Aug 26 18:24:45.598948: | PARENT_R2: category: established IKE SA flags: 0:
Aug 26 18:24:45.598950: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request)
Aug 26 18:24:45.598955: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response)
Aug 26 18:24:45.598958: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request)
Aug 26 18:24:45.598960: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response)
Aug 26 18:24:45.598963: | V2_CREATE_I0: category: established IKE SA flags: 0:
Aug 26 18:24:45.598966: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA)
Aug 26 18:24:45.598968: | V2_CREATE_I: category: established IKE SA flags: 0:
Aug 26 18:24:45.598970: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response)
Aug 26 18:24:45.598973: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0:
Aug 26 18:24:45.598975: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey)
Aug 26 18:24:45.598978: | V2_REKEY_IKE_I: category: established IKE SA flags: 0:
Aug 26 18:24:45.598980: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response)
Aug 26 18:24:45.598983: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0:
Aug 26 18:24:45.598985: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA)
Aug 26 18:24:45.598988: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0:
Aug 26 18:24:45.598990: | V2_CREATE_R: category: established IKE SA flags: 0:
Aug 26 18:24:45.598993: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request)
Aug 26 18:24:45.598995: | V2_REKEY_IKE_R: category: established IKE SA flags: 0:
Aug 26 18:24:45.598998: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey)
Aug 26 18:24:45.599000: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0:
Aug 26 18:24:45.599003: | V2_IPSEC_I: category: established CHILD SA flags: 0:
Aug 26 18:24:45.599005: | V2_IPSEC_R: category: established CHILD SA flags: 0:
Aug 26 18:24:45.599008: | IKESA_DEL: category: established IKE SA flags: 0:
Aug 26 18:24:45.599010: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
Aug 26 18:24:45.599013: | CHILDSA_DEL: category: informational flags: 0:
Aug 26 18:24:45.599025: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64
Aug 26 18:24:45.599352: | Hard-wiring algorithms
Aug 26 18:24:45.599359: | adding AES_CCM_16 to kernel algorithm db
Aug 26 18:24:45.599363: | adding AES_CCM_12 to kernel algorithm db
Aug 26 18:24:45.599364: | adding AES_CCM_8 to kernel algorithm db
Aug 26 18:24:45.599366: | adding 3DES_CBC to kernel algorithm db
Aug 26 18:24:45.599368: | adding CAMELLIA_CBC to kernel algorithm db
Aug 26 18:24:45.599370: | adding AES_GCM_16 to kernel algorithm db
Aug 26 18:24:45.599371: | adding AES_GCM_12 to kernel algorithm db
Aug 26 18:24:45.599373: | adding AES_GCM_8 to kernel algorithm db
Aug 26 18:24:45.599375: | adding AES_CTR to kernel algorithm db
Aug 26 18:24:45.599376: | adding AES_CBC to kernel algorithm db
Aug 26 18:24:45.599378: | adding SERPENT_CBC to kernel algorithm db
Aug 26 18:24:45.599380: | adding TWOFISH_CBC to kernel algorithm db
Aug 26 18:24:45.599382: | adding NULL_AUTH_AES_GMAC to kernel algorithm db
Aug 26 18:24:45.599383: | adding NULL to kernel algorithm db
Aug 26 18:24:45.599385: | adding CHACHA20_POLY1305 to kernel algorithm db
Aug 26 18:24:45.599387: | adding HMAC_MD5_96 to kernel algorithm db
Aug 26 18:24:45.599389: | adding HMAC_SHA1_96 to kernel algorithm db
Aug 26 18:24:45.599390: | adding HMAC_SHA2_512_256 to kernel algorithm db
Aug 26 18:24:45.599392: | adding HMAC_SHA2_384_192 to kernel algorithm db
Aug 26 18:24:45.599394: | adding HMAC_SHA2_256_128 to kernel algorithm db
Aug 26 18:24:45.599395: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db
Aug 26 18:24:45.599397: | adding AES_XCBC_96 to kernel algorithm db
Aug 26 18:24:45.599399: | adding AES_CMAC_96 to kernel algorithm db
Aug 26 18:24:45.599400: | adding NONE to kernel algorithm db
Aug 26 18:24:45.599421: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes
Aug 26 18:24:45.599426: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds
Aug 26 18:24:45.599428: | setup kernel fd callback
Aug 26 18:24:45.599430: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x56407da6db88
Aug 26 18:24:45.599434: | libevent_malloc: new ptr-libevent@0x56407da51398 size 128
Aug 26 18:24:45.599437: | libevent_malloc: new ptr-libevent@0x56407da6d0e8 size 16
Aug 26 18:24:45.599442: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x56407da6cfd8
Aug 26 18:24:45.599445: | libevent_malloc: new ptr-libevent@0x56407da17d58 size 128
Aug 26 18:24:45.599447: | libevent_malloc: new ptr-libevent@0x56407da6dad8 size 16
Aug 26 18:24:45.599596: | global one-shot timer EVENT_CHECK_CRLS initialized
Aug 26 18:24:45.599602: selinux support is enabled.
Aug 26 18:24:45.599796: | unbound context created - setting debug level to 5
Aug 26 18:24:45.599815: | /etc/hosts lookups activated
Aug 26 18:24:45.599841: | /etc/resolv.conf usage activated
Aug 26 18:24:45.599904: | outgoing-port-avoid set 0-65535
Aug 26 18:24:45.599921: | outgoing-port-permit set 32768-60999
Aug 26 18:24:45.599923: | Loading dnssec root key from:/var/lib/unbound/root.key
Aug 26 18:24:45.599925: | No additional dnssec trust anchors defined via dnssec-trusted= option
Aug 26 18:24:45.599927: | Setting up events, loop start
Aug 26 18:24:45.599943: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x56407da6db18
Aug 26 18:24:45.599945: | libevent_malloc: new ptr-libevent@0x56407da79dd8 size 128
Aug 26 18:24:45.599947: | libevent_malloc: new ptr-libevent@0x56407da850e8 size 16
Aug 26 18:24:45.599951: | libevent_realloc: new ptr-libevent@0x56407da85128 size 256
Aug 26 18:24:45.599953: | libevent_malloc: new ptr-libevent@0x56407da85258 size 8
Aug 26 18:24:45.599955: | libevent_realloc: new ptr-libevent@0x56407da17788 size 144
Aug 26 18:24:45.599957: | libevent_malloc: new ptr-libevent@0x56407da18fc8 size 152
Aug 26 18:24:45.599960: | libevent_malloc: new ptr-libevent@0x56407da85298 size 16
Aug 26 18:24:45.599962: | signal event handler PLUTO_SIGCHLD installed
Aug 26 18:24:45.599964: | libevent_malloc: new ptr-libevent@0x56407da852d8 size 8
Aug 26 18:24:45.599966: | libevent_malloc: new ptr-libevent@0x56407da85318 size 152
Aug 26 18:24:45.599981: | signal event handler PLUTO_SIGTERM installed
Aug 26 18:24:45.599983: | libevent_malloc: new ptr-libevent@0x56407da853e8 size 8
Aug 26 18:24:45.599984: | libevent_malloc: new ptr-libevent@0x56407da85428 size 152
Aug 26 18:24:45.599986: | signal event handler PLUTO_SIGHUP installed
Aug 26 18:24:45.599988: | libevent_malloc: new ptr-libevent@0x56407da854f8 size 8
Aug 26 18:24:45.599990: | libevent_realloc: release ptr-libevent@0x56407da17788
Aug 26 18:24:45.599992: | libevent_realloc: new ptr-libevent@0x56407da85538 size 256
Aug 26 18:24:45.599993: | libevent_malloc: new ptr-libevent@0x56407da85668 size 152
Aug 26 18:24:45.599995: | signal event handler PLUTO_SIGSYS installed
Aug 26 18:24:45.600246: | created addconn helper (pid:22617) using fork+execve
Aug 26 18:24:45.600259: | forked child 22617
Aug 26 18:24:45.600305: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
Aug 26 18:24:45.600333: listening for IKE messages
Aug 26 18:24:45.622930: | Inspecting interface lo
Aug 26 18:24:45.622951: | found lo with address 127.0.0.1
Aug 26 18:24:45.622955: | Inspecting interface eth0
Aug 26 18:24:45.622960: | found eth0 with address 192.0.2.254
Aug 26 18:24:45.622965: | Inspecting interface eth1
Aug 26 18:24:45.622970: | found eth1 with address 192.1.2.23
Aug 26 18:24:45.623190: Kernel supports NIC esp-hw-offload
Aug 26 18:24:45.623208: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500
Aug 26 18:24:45.623233: | NAT-Traversal: Trying sockopt style NAT-T
Aug 26 18:24:45.623239: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Aug 26 18:24:45.623244: adding interface eth1/eth1 192.1.2.23:4500
Aug 26 18:24:45.624460: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500
Aug 26 18:24:45.625245: | NAT-Traversal: Trying sockopt style NAT-T
Aug 26 18:24:45.625257: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Aug 26 18:24:45.625263: adding interface eth0/eth0 192.0.2.254:4500
Aug 26 18:24:45.625312: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500
Aug 26 18:24:45.625365: | NAT-Traversal: Trying sockopt style NAT-T
Aug 26 18:24:45.625370: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Aug 26 18:24:45.625374: adding interface lo/lo 127.0.0.1:4500
Aug 26 18:24:45.625558: | no interfaces to sort
Aug 26 18:24:45.625564: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
Aug 26 18:24:45.625575: | add_fd_read_event_handler: new ethX-pe@0x56407da85bb8
Aug 26 18:24:45.625580: | libevent_malloc: new ptr-libevent@0x56407da79d28 size 128
Aug 26 18:24:45.625585: | libevent_malloc: new ptr-libevent@0x56407da85c28 size 16
Aug 26 18:24:45.625594: | setup callback for interface lo 127.0.0.1:4500 fd 22
Aug 26 18:24:45.625598: | add_fd_read_event_handler: new ethX-pe@0x56407da85c68
Aug 26 18:24:45.625615: | libevent_malloc: new ptr-libevent@0x56407da163a8 size 128
Aug 26 18:24:45.625619: | libevent_malloc: new ptr-libevent@0x56407da85cd8 size 16
Aug 26 18:24:45.625624: | setup callback for interface lo 127.0.0.1:500 fd 21
Aug 26 18:24:45.625627: | add_fd_read_event_handler: new ethX-pe@0x56407da85d18
Aug 26 18:24:45.625631: | libevent_malloc: new ptr-libevent@0x56407da162a8 size 128
Aug 26 18:24:45.625634: | libevent_malloc: new ptr-libevent@0x56407da85d88 size 16
Aug 26 18:24:45.625652: | setup callback for interface eth0 192.0.2.254:4500 fd 20
Aug 26 18:24:45.625655: | add_fd_read_event_handler: new ethX-pe@0x56407da85dc8
Aug 26 18:24:45.625660: | libevent_malloc: new ptr-libevent@0x56407da17688 size 128
Aug 26 18:24:45.625663: | libevent_malloc: new ptr-libevent@0x56407da85e38 size 16
Aug 26 18:24:45.625669: | setup callback for interface eth0 192.0.2.254:500 fd 19
Aug 26 18:24:45.625672: | add_fd_read_event_handler: new ethX-pe@0x56407da85e78
Aug 26 18:24:45.625676: | libevent_malloc: new ptr-libevent@0x56407d9e64e8 size 128
Aug 26 18:24:45.625680: | libevent_malloc: new ptr-libevent@0x56407da85ee8 size 16
Aug 26 18:24:45.625685: | setup callback for interface eth1 192.1.2.23:4500 fd 18
Aug 26 18:24:45.625688: | add_fd_read_event_handler: new ethX-pe@0x56407da85f28
Aug 26 18:24:45.625692: | libevent_malloc: new ptr-libevent@0x56407d9e61d8 size 128
Aug 26 18:24:45.625695: | libevent_malloc: new ptr-libevent@0x56407da85f98 size 16
Aug 26 18:24:45.625700: | setup callback for interface eth1 192.1.2.23:500 fd 17
Aug 26 18:24:45.625705: | certs and keys locked by 'free_preshared_secrets'
Aug 26 18:24:45.625708: | certs and keys unlocked by 'free_preshared_secrets'
Aug 26 18:24:45.625730: loading secrets from "/etc/ipsec.secrets"
Aug 26 18:24:45.625741: | Processing PSK at line 1: passed
Aug 26 18:24:45.625745: | certs and keys locked by 'process_secret'
Aug 26 18:24:45.625749: | certs and keys unlocked by 'process_secret'
Aug 26 18:24:45.625758: | close_any(fd@16) (in whack_process() at rcv_whack.c:700)
Aug 26 18:24:45.625767: | spent 1.78 milliseconds in whack
Aug 26 18:24:45.625781: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
Aug 26 18:24:45.625793: listening for IKE messages
Aug 26 18:24:45.625820: | Inspecting interface lo
Aug 26 18:24:45.625827: | found lo with address 127.0.0.1
Aug 26 18:24:45.625830: | Inspecting interface eth0
Aug 26 18:24:45.625834: | found eth0 with address 192.0.2.254
Aug 26 18:24:45.625837: | Inspecting interface eth1
Aug 26 18:24:45.625840: | found eth1 with address 192.1.2.23
Aug 26 18:24:45.625881: | no interfaces to sort
Aug 26 18:24:45.625889: | libevent_free: release ptr-libevent@0x56407da79d28
Aug 26 18:24:45.625893: | free_event_entry: release EVENT_NULL-pe@0x56407da85bb8
Aug 26 18:24:45.625901: | add_fd_read_event_handler: new ethX-pe@0x56407da85bb8
Aug 26 18:24:45.625904: | libevent_malloc: new ptr-libevent@0x56407da79d28 size 128
Aug 26 18:24:45.625910: | setup callback for interface lo 127.0.0.1:4500 fd 22
Aug 26 18:24:45.625914: | libevent_free: release ptr-libevent@0x56407da163a8
Aug 26 18:24:45.625917: | free_event_entry: release EVENT_NULL-pe@0x56407da85c68
Aug 26 18:24:45.625919: | add_fd_read_event_handler: new ethX-pe@0x56407da85c68
Aug 26 18:24:45.625922: | libevent_malloc: new ptr-libevent@0x56407da163a8 size 128
Aug 26 18:24:45.625927: | setup callback for interface lo 127.0.0.1:500 fd 21
Aug 26 18:24:45.625931: | libevent_free: release ptr-libevent@0x56407da162a8
Aug 26 18:24:45.625934: | free_event_entry: release EVENT_NULL-pe@0x56407da85d18
Aug 26 18:24:45.625937: | add_fd_read_event_handler: new ethX-pe@0x56407da85d18
Aug 26 18:24:45.625940: | libevent_malloc: new ptr-libevent@0x56407da162a8 size 128
Aug 26 18:24:45.625945: | setup callback for interface eth0 192.0.2.254:4500 fd 20
Aug 26 18:24:45.625949: | libevent_free: release ptr-libevent@0x56407da17688
Aug 26 18:24:45.625952: | free_event_entry: release EVENT_NULL-pe@0x56407da85dc8
Aug 26 18:24:45.625955: | add_fd_read_event_handler: new ethX-pe@0x56407da85dc8
Aug 26 18:24:45.625958: | libevent_malloc: new ptr-libevent@0x56407da17688 size 128
Aug 26 18:24:45.625964: | setup callback for interface eth0 192.0.2.254:500 fd 19
Aug 26 18:24:45.625968: | libevent_free: release ptr-libevent@0x56407d9e64e8
Aug 26 18:24:45.625972: | free_event_entry: release EVENT_NULL-pe@0x56407da85e78
Aug 26 18:24:45.625974: | add_fd_read_event_handler: new ethX-pe@0x56407da85e78
Aug 26 18:24:45.625977: | libevent_malloc: new ptr-libevent@0x56407d9e64e8 size 128
Aug 26 18:24:45.625982: | setup callback for interface eth1 192.1.2.23:4500 fd 18
Aug 26 18:24:45.625985: | libevent_free: release ptr-libevent@0x56407d9e61d8
Aug 26 18:24:45.625988: | free_event_entry: release EVENT_NULL-pe@0x56407da85f28
Aug 26 18:24:45.625991: | add_fd_read_event_handler: new ethX-pe@0x56407da85f28
Aug 26 18:24:45.625994: | libevent_malloc: new ptr-libevent@0x56407d9e61d8 size 128
Aug 26 18:24:45.625999: | setup callback for interface eth1 192.1.2.23:500 fd 17
Aug 26 18:24:45.626002: | certs and keys locked by 'free_preshared_secrets'
Aug 26 18:24:45.626005: forgetting secrets
Aug 26 18:24:45.626014: | certs and keys unlocked by 'free_preshared_secrets'
Aug 26 18:24:45.626027: loading secrets from "/etc/ipsec.secrets"
Aug 26 18:24:45.626036: | Processing PSK at line 1: passed
Aug 26 18:24:45.626039: | certs and keys locked by 'process_secret'
Aug 26 18:24:45.626042: | certs and keys unlocked by 'process_secret' Aug 26 18:24:45.626050: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:24:45.626057: | spent 0.28 milliseconds in whack Aug 26 18:24:45.627163: | processing signal PLUTO_SIGCHLD Aug 26 18:24:45.627182: | waitpid returned pid 22617 (exited with status 0) Aug 26 18:24:45.627187: | reaped addconn helper child (status 0) Aug 26 18:24:45.627193: | waitpid returned ECHILD (no child processes left) Aug 26 18:24:45.627199: | spent 0.0203 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:24:45.703914: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:24:45.703935: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 18:24:45.703939: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 18:24:45.703943: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 18:24:45.703946: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 18:24:45.703951: | FOR_EACH_CONNECTION_... 
in conn_by_name Aug 26 18:24:45.703959: | Added new connection eastnet-any with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 18:24:45.704041: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Aug 26 18:24:45.704052: | from whack: got --esp= Aug 26 18:24:45.704114: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 Aug 26 18:24:45.704119: | counting wild cards for (none) is 15 Aug 26 18:24:45.704123: | counting wild cards for @east is 0 Aug 26 18:24:45.704130: | based upon policy, the connection is a template. 
Aug 26 18:24:45.704139: | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none Aug 26 18:24:45.704142: | new hp@0x56407da88178 Aug 26 18:24:45.704147: added connection description "eastnet-any" Aug 26 18:24:45.704157: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 18:24:45.704168: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...%any===192.0.1.0/24 Aug 26 18:24:45.704175: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:24:45.704182: | spent 0.277 milliseconds in whack Aug 26 18:24:47.232829: | spent 0.00261 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 18:24:47.232858: | *received 828 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
Aug 26 18:24:47.233003: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 18:24:47.233007: | **parse ISAKMP Message: Aug 26 18:24:47.233011: | initiator cookie: Aug 26 18:24:47.233013: | 11 80 aa 5c 40 d8 5b be Aug 26 18:24:47.233016: | responder cookie: Aug 26 18:24:47.233018: | 00 00 00 00 00 00 00 00 Aug 26 18:24:47.233021: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 18:24:47.233024: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:47.233027: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 18:24:47.233030: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 18:24:47.233033: | Message ID: 0 (0x0) Aug 26 18:24:47.233035: | length: 828 (0x33c) Aug 26 18:24:47.233038: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Aug 26 18:24:47.233042: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Aug 26 18:24:47.233046: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Aug 26 18:24:47.233049: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 18:24:47.233052: | ***parse IKEv2 Security Association Payload: Aug 26 18:24:47.233055: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 18:24:47.233058: | flags: none (0x0) Aug 26 18:24:47.233061: |
length: 436 (0x1b4) Aug 26 18:24:47.233064: | processing payload: ISAKMP_NEXT_v2SA (len=432) Aug 26 18:24:47.233066: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 18:24:47.233069: | ***parse IKEv2 Key Exchange Payload: Aug 26 18:24:47.233072: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 18:24:47.233074: | flags: none (0x0) Aug 26 18:24:47.233077: | length: 264 (0x108) Aug 26 18:24:47.233080: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:24:47.233082: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 18:24:47.233085: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 18:24:47.233088: | ***parse IKEv2 Nonce Payload: Aug 26 18:24:47.233090: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:24:47.233093: | flags: none (0x0) Aug 26 18:24:47.233095: | length: 36 (0x24) Aug 26 18:24:47.233098: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 18:24:47.233100: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:24:47.233103: | ***parse IKEv2 Notify Payload: Aug 26 18:24:47.233106: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:24:47.233109: | flags: none (0x0) Aug 26 18:24:47.233111: | length: 8 (0x8) Aug 26 18:24:47.233114: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:24:47.233119: | SPI size: 0 (0x0) Aug 26 18:24:47.233122: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 18:24:47.233125: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 18:24:47.233128: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:24:47.233130: | ***parse IKEv2 Notify Payload: Aug 26 18:24:47.233133: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:24:47.233136: | flags: none (0x0) Aug 26 18:24:47.233138: | length: 28 (0x1c) Aug 26 18:24:47.233141: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:24:47.233143: | SPI size: 0 (0x0) Aug 26 18:24:47.233146: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 18:24:47.233149: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 
18:24:47.233151: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:24:47.233154: | ***parse IKEv2 Notify Payload: Aug 26 18:24:47.233157: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.233159: | flags: none (0x0) Aug 26 18:24:47.233162: | length: 28 (0x1c) Aug 26 18:24:47.233164: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:24:47.233167: | SPI size: 0 (0x0) Aug 26 18:24:47.233169: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 18:24:47.233172: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 18:24:47.233175: | DDOS disabled and no cookie sent, continuing Aug 26 18:24:47.233181: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 18:24:47.233184: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 18:24:47.233188: | find_next_host_connection returns empty Aug 26 18:24:47.233192: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 18:24:47.233197: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 18:24:47.233200: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 18:24:47.233204: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (eastnet-any) Aug 26 18:24:47.233207: | find_next_host_connection returns empty Aug 26 18:24:47.233211: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Aug 26 18:24:47.233216: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 18:24:47.233219: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 18:24:47.233222: | find_next_host_connection returns empty Aug 26 18:24:47.233226: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 18:24:47.233231: | find_host_pair: comparing 192.1.2.23:500 
to 0.0.0.0:500 but ignoring ports Aug 26 18:24:47.233234: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 18:24:47.233237: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (eastnet-any) Aug 26 18:24:47.233239: | find_next_host_connection returns empty Aug 26 18:24:47.233243: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Aug 26 18:24:47.233248: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 18:24:47.233251: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 18:24:47.233254: | find_next_host_connection returns empty Aug 26 18:24:47.233258: | find_host_connection local=192.1.2.23:500 remote= policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 18:24:47.233263: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 18:24:47.233265: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 18:24:47.233268: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (eastnet-any) Aug 26 18:24:47.233271: | find_next_host_connection returns eastnet-any Aug 26 18:24:47.233274: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 18:24:47.233278: | find_next_host_connection returns empty Aug 26 18:24:47.233281: | rw_instantiate Aug 26 18:24:47.233334: | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none Aug 26 18:24:47.233340: | new hp@0x56407da8a108 Aug 26 18:24:47.233346: | rw_instantiate() instantiated "eastnet-any"[1] 192.1.2.45 for 192.1.2.45 Aug 26 18:24:47.233351: | found connection: eastnet-any[1] 192.1.2.45 with policy PSK+IKEV2_ALLOW Aug 26 18:24:47.233356: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 18:24:47.233382: | creating state object #1 at 0x56407da8a658 Aug 26 18:24:47.233386: | State DB: adding IKEv2 state #1 in UNDEFINED Aug 26 
18:24:47.233394: | pstats #1 ikev2.ike started Aug 26 18:24:47.233397: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Aug 26 18:24:47.233401: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Aug 26 18:24:47.233407: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Aug 26 18:24:47.233417: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 18:24:47.233421: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 18:24:47.233426: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45 (in ike_process_packet() at ikev2.c:2064) Aug 26 18:24:47.233430: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Aug 26 18:24:47.233434: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Aug 26 18:24:47.233438: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Aug 26 18:24:47.233441: | #1 in state PARENT_R0: processing SA_INIT request Aug 26 18:24:47.233445: | selected state microcode Respond to IKE_SA_INIT Aug 26 18:24:47.233447: | Now let's proceed with state specific processing Aug 26 18:24:47.233450: | calling processor Respond to IKE_SA_INIT Aug 26 18:24:47.233456: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 18:24:47.233459: | constructing local IKE proposals for eastnet-any (IKE SA responder matching remote proposals) Aug 26 18:24:47.233467: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:24:47.233475: | ... 
ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:24:47.233480: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:24:47.233485: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:24:47.233490: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:24:47.233495: | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:24:47.233499: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:24:47.233505: | ... 
ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:24:47.233518: "eastnet-any"[1] 192.1.2.45: constructed local IKE proposals for eastnet-any (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:24:47.233524: | Comparing remote proposals against IKE responder 4 local proposals Aug 26 18:24:47.233528: | local proposal 1 type ENCR has 1 transforms Aug 26 18:24:47.233531: | local proposal 1 type PRF has 2 transforms Aug 26 18:24:47.233534: | local proposal 1 type INTEG has 1 transforms Aug 26 18:24:47.233536: | local proposal 1 type DH has 8 transforms Aug 26 18:24:47.233539: | local proposal 1 type ESN has 0 transforms Aug 26 18:24:47.233543: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 18:24:47.233546: | local proposal 2 type ENCR has 1 transforms Aug 26 18:24:47.233549: | local proposal 2 type PRF has 2 transforms Aug 26 18:24:47.233551: | local proposal 2 type INTEG has 1 transforms Aug 26 18:24:47.233554: | local proposal 2 type DH has 8 transforms Aug 26 18:24:47.233557: | local proposal 2 type ESN has 0 transforms Aug 26 18:24:47.233560: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 18:24:47.233562: | local proposal 3 type ENCR has 1 
transforms Aug 26 18:24:47.233565: | local proposal 3 type PRF has 2 transforms Aug 26 18:24:47.233568: | local proposal 3 type INTEG has 2 transforms Aug 26 18:24:47.233570: | local proposal 3 type DH has 8 transforms Aug 26 18:24:47.233573: | local proposal 3 type ESN has 0 transforms Aug 26 18:24:47.233576: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 18:24:47.233579: | local proposal 4 type ENCR has 1 transforms Aug 26 18:24:47.233582: | local proposal 4 type PRF has 2 transforms Aug 26 18:24:47.233584: | local proposal 4 type INTEG has 2 transforms Aug 26 18:24:47.233587: | local proposal 4 type DH has 8 transforms Aug 26 18:24:47.233590: | local proposal 4 type ESN has 0 transforms Aug 26 18:24:47.233593: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 18:24:47.233596: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:24:47.233599: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:24:47.233602: | length: 100 (0x64) Aug 26 18:24:47.233604: | prop #: 1 (0x1) Aug 26 18:24:47.233607: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:24:47.233610: | spi size: 0 (0x0) Aug 26 18:24:47.233613: | # transforms: 11 (0xb) Aug 26 18:24:47.233616: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Aug 26 18:24:47.233620: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.233622: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.233625: | length: 12 (0xc) Aug 26 18:24:47.233628: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:47.233630: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:24:47.233633: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:24:47.233636: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:47.233639: | length/value: 256 (0x100) Aug 26 18:24:47.233643: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 
18:24:47.233647: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.233649: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.233652: | length: 8 (0x8) Aug 26 18:24:47.233654: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:24:47.233657: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:24:47.233661: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Aug 26 18:24:47.233668: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Aug 26 18:24:47.233672: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Aug 26 18:24:47.233675: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Aug 26 18:24:47.233678: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.233681: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.233684: | length: 8 (0x8) Aug 26 18:24:47.233686: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:24:47.233689: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:24:47.233692: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.233695: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.233697: | length: 8 (0x8) Aug 26 18:24:47.233700: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.233703: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:24:47.233706: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 18:24:47.233710: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Aug 26 18:24:47.233713: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Aug 26 18:24:47.233716: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Aug 26 18:24:47.233719: | *****parse IKEv2 
Transform Substructure Payload: Aug 26 18:24:47.233722: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.233724: | length: 8 (0x8) Aug 26 18:24:47.233727: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.233730: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:24:47.233733: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.233736: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.233738: | length: 8 (0x8) Aug 26 18:24:47.233741: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.233744: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:24:47.233747: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.233749: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.233752: | length: 8 (0x8) Aug 26 18:24:47.233755: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.233757: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:24:47.233760: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.233763: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.233765: | length: 8 (0x8) Aug 26 18:24:47.233768: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.233771: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:24:47.233774: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.233776: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.233779: | length: 8 (0x8) Aug 26 18:24:47.233781: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.233784: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 18:24:47.233787: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.233790: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.233792: | length: 8 (0x8) Aug 26 18:24:47.233795: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.233798: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:24:47.233801: | *****parse IKEv2 Transform Substructure 
Payload: Aug 26 18:24:47.233804: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:47.233807: | length: 8 (0x8) Aug 26 18:24:47.233809: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.233812: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:24:47.233816: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Aug 26 18:24:47.233823: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Aug 26 18:24:47.233826: | remote proposal 1 matches local proposal 1 Aug 26 18:24:47.233829: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:24:47.233832: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:24:47.233834: | length: 100 (0x64) Aug 26 18:24:47.233837: | prop #: 2 (0x2) Aug 26 18:24:47.233840: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:24:47.233842: | spi size: 0 (0x0) Aug 26 18:24:47.233845: | # transforms: 11 (0xb) Aug 26 18:24:47.233848: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:24:47.233851: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.233854: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.233856: | length: 12 (0xc) Aug 26 18:24:47.233859: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:47.233862: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:24:47.233865: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:24:47.233868: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:47.233870: | length/value: 128 (0x80) Aug 26 18:24:47.233873: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.233876: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.233879: | length: 8 (0x8) Aug 26 18:24:47.233881: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:24:47.233884: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:24:47.233887: | 
*****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.233890: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.233892: | length: 8 (0x8) Aug 26 18:24:47.233895: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:24:47.233897: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:24:47.233901: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.233903: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.233906: | length: 8 (0x8) Aug 26 18:24:47.233908: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.233911: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:24:47.233914: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.233917: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.233919: | length: 8 (0x8) Aug 26 18:24:47.233922: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.233924: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:24:47.233927: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.233930: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.233933: | length: 8 (0x8) Aug 26 18:24:47.233935: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.233938: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:24:47.233941: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.233944: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.233946: | length: 8 (0x8) Aug 26 18:24:47.233949: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.233952: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:24:47.233955: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.233957: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.233960: | length: 8 (0x8) Aug 26 18:24:47.233962: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.233965: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:24:47.233968: | *****parse IKEv2 Transform 
Substructure Payload: Aug 26 18:24:47.233971: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.233973: | length: 8 (0x8) Aug 26 18:24:47.233976: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.233979: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 18:24:47.233982: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.233988: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.233990: | length: 8 (0x8) Aug 26 18:24:47.233993: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.233996: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:24:47.233999: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234001: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:47.234004: | length: 8 (0x8) Aug 26 18:24:47.234007: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.234009: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:24:47.234013: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Aug 26 18:24:47.234016: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Aug 26 18:24:47.234019: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:24:47.234022: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:24:47.234025: | length: 116 (0x74) Aug 26 18:24:47.234027: | prop #: 3 (0x3) Aug 26 18:24:47.234030: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:24:47.234032: | spi size: 0 (0x0) Aug 26 18:24:47.234035: | # transforms: 13 (0xd) Aug 26 18:24:47.234038: | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:24:47.234041: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234044: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234046: | length: 12 (0xc) Aug 26 18:24:47.234049: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:47.234052: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 
18:24:47.234054: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:24:47.234057: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:47.234060: | length/value: 256 (0x100) Aug 26 18:24:47.234063: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234066: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234069: | length: 8 (0x8) Aug 26 18:24:47.234071: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:24:47.234074: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:24:47.234077: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234080: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234082: | length: 8 (0x8) Aug 26 18:24:47.234085: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:24:47.234087: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:24:47.234090: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234093: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234096: | length: 8 (0x8) Aug 26 18:24:47.234098: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:24:47.234101: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 18:24:47.234104: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234107: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234109: | length: 8 (0x8) Aug 26 18:24:47.234112: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:24:47.234115: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:24:47.234118: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234121: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234123: | length: 8 (0x8) Aug 26 18:24:47.234126: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.234129: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:24:47.234132: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234134: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 
18:24:47.234137: | length: 8 (0x8) Aug 26 18:24:47.234140: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.234142: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:24:47.234145: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234148: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234152: | length: 8 (0x8) Aug 26 18:24:47.234155: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.234157: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:24:47.234160: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234163: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234165: | length: 8 (0x8) Aug 26 18:24:47.234168: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.234171: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:24:47.234174: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234177: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234179: | length: 8 (0x8) Aug 26 18:24:47.234182: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.234184: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:24:47.234187: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234190: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234193: | length: 8 (0x8) Aug 26 18:24:47.234195: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.234198: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 18:24:47.234201: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234204: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234206: | length: 8 (0x8) Aug 26 18:24:47.234209: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.234211: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:24:47.234214: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234217: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:47.234220: | length: 
8 (0x8) Aug 26 18:24:47.234222: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.234225: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:24:47.234229: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 18:24:47.234232: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 18:24:47.234235: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:24:47.234238: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:24:47.234240: | length: 116 (0x74) Aug 26 18:24:47.234243: | prop #: 4 (0x4) Aug 26 18:24:47.234245: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:24:47.234248: | spi size: 0 (0x0) Aug 26 18:24:47.234250: | # transforms: 13 (0xd) Aug 26 18:24:47.234254: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:24:47.234257: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234260: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234263: | length: 12 (0xc) Aug 26 18:24:47.234265: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:47.234268: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:24:47.234271: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:24:47.234273: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:47.234276: | length/value: 128 (0x80) Aug 26 18:24:47.234279: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234282: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234284: | length: 8 (0x8) Aug 26 18:24:47.234287: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:24:47.234296: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:24:47.234299: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234302: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234305: | length: 8 (0x8) Aug 26 18:24:47.234307: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 
18:24:47.234310: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:24:47.234313: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234316: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234322: | length: 8 (0x8) Aug 26 18:24:47.234325: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:24:47.234332: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 18:24:47.234341: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234346: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234351: | length: 8 (0x8) Aug 26 18:24:47.234355: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:24:47.234363: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:24:47.234368: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234371: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234373: | length: 8 (0x8) Aug 26 18:24:47.234376: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.234379: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:24:47.234382: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234384: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234387: | length: 8 (0x8) Aug 26 18:24:47.234389: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.234392: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:24:47.234395: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234398: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234400: | length: 8 (0x8) Aug 26 18:24:47.234403: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.234405: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:24:47.234408: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234411: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234413: | length: 8 (0x8) Aug 26 18:24:47.234416: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.234419: | 
IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:24:47.234422: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234425: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234427: | length: 8 (0x8) Aug 26 18:24:47.234430: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.234432: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:24:47.234435: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234438: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234440: | length: 8 (0x8) Aug 26 18:24:47.234443: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.234446: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 18:24:47.234449: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234451: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.234454: | length: 8 (0x8) Aug 26 18:24:47.234456: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.234459: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:24:47.234462: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.234465: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:47.234467: | length: 8 (0x8) Aug 26 18:24:47.234470: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.234472: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:24:47.234477: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 18:24:47.234480: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 18:24:47.234486: "eastnet-any"[1] 192.1.2.45 #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Aug 26 18:24:47.234493: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Aug 26 18:24:47.234496: | converting proposal to internal trans attrs Aug 26 18:24:47.234501: | natd_hash: rcookie is zero Aug 26 18:24:47.234516: | natd_hash: hasher=0x56407ccb7800(20) Aug 26 18:24:47.234519: | natd_hash: icookie= 11 80 aa 5c 40 d8 5b be Aug 26 18:24:47.234521: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 18:24:47.234524: | natd_hash: ip= c0 01 02 17 Aug 26 18:24:47.234526: | natd_hash: port=500 Aug 26 18:24:47.234529: | natd_hash: hash= b5 b1 14 1b bf 47 01 28 05 09 b0 28 65 42 e8 67 Aug 26 18:24:47.234531: | natd_hash: hash= a8 33 2e 30 Aug 26 18:24:47.234534: | natd_hash: rcookie is zero Aug 26 18:24:47.234540: | natd_hash: hasher=0x56407ccb7800(20) Aug 26 18:24:47.234543: | natd_hash: icookie= 11 80 aa 5c 40 d8 5b be Aug 26 18:24:47.234546: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 18:24:47.234548: | natd_hash: ip= c0 01 02 2d Aug 26 18:24:47.234550: | natd_hash: port=500 Aug 26 18:24:47.234553: | natd_hash: hash= e6 81 8b 9d 87 ab 86 e0 62 d7 1b 08 0c 1f 86 21 Aug 26 18:24:47.234556: | natd_hash: hash= a3 88 12 a6 Aug 26 18:24:47.234558: | NAT_TRAVERSAL encaps using auto-detect Aug 26 18:24:47.234561: | NAT_TRAVERSAL this end is NOT behind NAT Aug 26 18:24:47.234563: | NAT_TRAVERSAL that end is NOT behind NAT Aug 26 18:24:47.234567: | NAT_TRAVERSAL 
nat-keepalive enabled 192.1.2.45 Aug 26 18:24:47.234573: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Aug 26 18:24:47.234576: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x56407da8a238 Aug 26 18:24:47.234580: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 18:24:47.234584: | libevent_malloc: new ptr-libevent@0x56407da8c9b8 size 128 Aug 26 18:24:47.234597: | #1 spent 1.13 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Aug 26 18:24:47.234602: | crypto helper 0 resuming Aug 26 18:24:47.234620: | crypto helper 0 starting work-order 1 for state #1 Aug 26 18:24:47.234626: | crypto helper 0 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Aug 26 18:24:47.235285: | crypto helper 0 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.000659 seconds Aug 26 18:24:47.235314: | (#1) spent 0.672 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Aug 26 18:24:47.235318: | crypto helper 0 sending results from work-order 1 for state #1 to event queue Aug 26 18:24:47.235321: | scheduling resume sending helper answer for #1 Aug 26 18:24:47.235325: | libevent_malloc: new ptr-libevent@0x7f27cc002888 size 128 Aug 26 18:24:47.235331: | crypto helper 0 waiting (nothing to do) Aug 26 18:24:47.234606: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:24:47.235340: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Aug 26 18:24:47.235342: | suspending state #1 and saving MD Aug 26 18:24:47.235344: | #1 is busy; has a suspended MD Aug 26 18:24:47.235349: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 18:24:47.235352: | "eastnet-any"[1] 192.1.2.45 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from 
complete_v2_state_transition:3451 Aug 26 18:24:47.235356: | stop processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 18:24:47.235360: | #1 spent 1.74 milliseconds in ikev2_process_packet() Aug 26 18:24:47.235363: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 18:24:47.235365: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 18:24:47.235369: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 18:24:47.235372: | spent 1.75 milliseconds in comm_handle_cb() reading and processing packet Aug 26 18:24:47.235380: | processing resume sending helper answer for #1 Aug 26 18:24:47.235385: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 18:24:47.235387: | crypto helper 0 replies to request ID 1 Aug 26 18:24:47.235389: | calling continuation function 0x56407cbe2b50 Aug 26 18:24:47.235391: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Aug 26 18:24:47.235415: | **emit ISAKMP Message: Aug 26 18:24:47.235417: | initiator cookie: Aug 26 18:24:47.235419: | 11 80 aa 5c 40 d8 5b be Aug 26 18:24:47.235421: | responder cookie: Aug 26 18:24:47.235422: | 59 62 39 99 48 ad dc 34 Aug 26 18:24:47.235424: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:24:47.235426: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:47.235428: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 18:24:47.235430: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 18:24:47.235432: | Message ID: 0 (0x0) Aug 26 18:24:47.235434: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:24:47.235436: | Emitting ikev2_proposal ... 
Aug 26 18:24:47.235438: | ***emit IKEv2 Security Association Payload: Aug 26 18:24:47.235440: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.235441: | flags: none (0x0) Aug 26 18:24:47.235444: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 18:24:47.235446: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.235448: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 18:24:47.235450: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:24:47.235451: | prop #: 1 (0x1) Aug 26 18:24:47.235453: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:24:47.235455: | spi size: 0 (0x0) Aug 26 18:24:47.235456: | # transforms: 3 (0x3) Aug 26 18:24:47.235458: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 18:24:47.235460: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:24:47.235462: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.235464: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:47.235466: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:24:47.235468: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:47.235470: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 18:24:47.235472: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:47.235473: | length/value: 256 (0x100) Aug 26 18:24:47.235475: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 18:24:47.235477: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:24:47.235479: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.235480: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:24:47.235482: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:24:47.235484: | last 
substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.235486: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:47.235488: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:24:47.235489: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:24:47.235491: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:47.235493: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:47.235494: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:24:47.235498: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.235500: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:47.235502: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:24:47.235503: | emitting length of IKEv2 Proposal Substructure Payload: 36 Aug 26 18:24:47.235505: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 18:24:47.235507: | emitting length of IKEv2 Security Association Payload: 40 Aug 26 18:24:47.235509: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 18:24:47.235511: | ***emit IKEv2 Key Exchange Payload: Aug 26 18:24:47.235513: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.235515: | flags: none (0x0) Aug 26 18:24:47.235516: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:24:47.235518: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 
18:24:47.235520: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.235523: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Aug 26 18:24:47.235549: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 18:24:47.235551: | ***emit IKEv2 Nonce Payload: Aug 26 18:24:47.235553: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:24:47.235554: | flags: none (0x0) Aug 26 18:24:47.235556: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Aug 26 18:24:47.235559: | next payload chain: setting previous 
'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 18:24:47.235560: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.235562: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 18:24:47.235564: | IKEv2 nonce 1d 79 db 12 cf 6d 5c 92 35 2f f0 b8 6a b4 44 d5 Aug 26 18:24:47.235566: | IKEv2 nonce fc 3f d0 33 d6 a6 44 96 4d 27 98 da 18 9e 98 08 Aug 26 18:24:47.235567: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 18:24:47.235569: | Adding a v2N Payload Aug 26 18:24:47.235571: | ***emit IKEv2 Notify Payload: Aug 26 18:24:47.235574: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.235575: | flags: none (0x0) Aug 26 18:24:47.235577: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:24:47.235578: | SPI size: 0 (0x0) Aug 26 18:24:47.235580: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 18:24:47.235582: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:24:47.235584: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.235586: | emitting length of IKEv2 Notify Payload: 8 Aug 26 18:24:47.235588: | NAT-Traversal support [enabled] add v2N payloads. 
Aug 26 18:24:47.235595: | natd_hash: hasher=0x56407ccb7800(20) Aug 26 18:24:47.235597: | natd_hash: icookie= 11 80 aa 5c 40 d8 5b be Aug 26 18:24:47.235599: | natd_hash: rcookie= 59 62 39 99 48 ad dc 34 Aug 26 18:24:47.235600: | natd_hash: ip= c0 01 02 17 Aug 26 18:24:47.235602: | natd_hash: port=500 Aug 26 18:24:47.235604: | natd_hash: hash= e8 49 f1 2d 18 73 94 a1 bd 78 00 dd 22 f9 f7 25 Aug 26 18:24:47.235605: | natd_hash: hash= ac 8e da 06 Aug 26 18:24:47.235607: | Adding a v2N Payload Aug 26 18:24:47.235608: | ***emit IKEv2 Notify Payload: Aug 26 18:24:47.235610: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.235611: | flags: none (0x0) Aug 26 18:24:47.235613: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:24:47.235615: | SPI size: 0 (0x0) Aug 26 18:24:47.235616: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 18:24:47.235618: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:24:47.235620: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.235622: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 18:24:47.235624: | Notify data e8 49 f1 2d 18 73 94 a1 bd 78 00 dd 22 f9 f7 25 Aug 26 18:24:47.235625: | Notify data ac 8e da 06 Aug 26 18:24:47.235627: | emitting length of IKEv2 Notify Payload: 28 Aug 26 18:24:47.235631: | natd_hash: hasher=0x56407ccb7800(20) Aug 26 18:24:47.235633: | natd_hash: icookie= 11 80 aa 5c 40 d8 5b be Aug 26 18:24:47.235634: | natd_hash: rcookie= 59 62 39 99 48 ad dc 34 Aug 26 18:24:47.235636: | natd_hash: ip= c0 01 02 2d Aug 26 18:24:47.235637: | natd_hash: port=500 Aug 26 18:24:47.235639: | natd_hash: hash= 73 59 9e 6b 8b 70 a2 8d 9d 92 10 b5 3f ac a7 fa Aug 26 18:24:47.235640: | natd_hash: hash= a0 c7 e3 ba Aug 26 18:24:47.235642: | Adding a v2N Payload Aug 26 18:24:47.235643: | ***emit IKEv2 Notify Payload: Aug 26 
18:24:47.235645: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.235647: | flags: none (0x0) Aug 26 18:24:47.235648: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:24:47.235650: | SPI size: 0 (0x0) Aug 26 18:24:47.235651: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 18:24:47.235653: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:24:47.235655: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.235657: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 18:24:47.235659: | Notify data 73 59 9e 6b 8b 70 a2 8d 9d 92 10 b5 3f ac a7 fa Aug 26 18:24:47.235660: | Notify data a0 c7 e3 ba Aug 26 18:24:47.235662: | emitting length of IKEv2 Notify Payload: 28 Aug 26 18:24:47.235663: | emitting length of ISAKMP Message: 432 Aug 26 18:24:47.235668: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:24:47.235671: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Aug 26 18:24:47.235673: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Aug 26 18:24:47.235676: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Aug 26 18:24:47.235678: | Message ID: updating counters for #1 to 0 after switching state Aug 26 18:24:47.235682: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Aug 26 18:24:47.235685: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Aug 26 18:24:47.235688: "eastnet-any"[1] 192.1.2.45 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a 
prf=HMAC_SHA2_512 group=MODP2048} Aug 26 18:24:47.235691: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Aug 26 18:24:47.235696: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Aug 26 18:24:47.235772: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 18:24:47.235777: | libevent_free: release ptr-libevent@0x56407da8c9b8 Aug 26 18:24:47.235780: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x56407da8a238 Aug 26 18:24:47.235783: | event_schedule: new EVENT_SO_DISCARD-pe@0x56407da8a238 Aug 26 18:24:47.235787: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Aug 26 18:24:47.235790: | libevent_malloc: new ptr-libevent@0x56407da8db08 size 128 Aug 26 18:24:47.235793: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 18:24:47.235799: | #1 spent 0.394 milliseconds in resume sending helper answer Aug 26 
18:24:47.235805: | stop processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 18:24:47.235809: | libevent_free: release ptr-libevent@0x7f27cc002888 Aug 26 18:24:47.238688: | spent 0.00256 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 18:24:47.238716: | *received 365 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) Aug 26 18:24:47.238757: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 18:24:47.238760: | **parse ISAKMP Message: Aug 26 18:24:47.238762: | initiator cookie: Aug 26 18:24:47.238764: | 11 80 aa 5c 40 d8 5b be Aug 26 18:24:47.238765: | responder cookie: Aug 26 18:24:47.238767: | 59 62 39 99 48 ad dc 34 Aug 26 
18:24:47.238769: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 18:24:47.238771: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:47.238772: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 18:24:47.238774: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 18:24:47.238776: | Message ID: 1 (0x1) Aug 26 18:24:47.238778: | length: 365 (0x16d) Aug 26 18:24:47.238779: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 18:24:47.238782: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 18:24:47.238785: 
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Aug 26 18:24:47.238790: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 18:24:47.238792: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 18:24:47.238796: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 18:24:47.238798: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Aug 26 18:24:47.238801: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Aug 26 18:24:47.238803: | unpacking clear payload Aug 26 18:24:47.238804: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 18:24:47.238810: | ***parse IKEv2 Encryption Payload: Aug 26 18:24:47.238813: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Aug 26 18:24:47.238816: | flags: none (0x0) Aug 26 18:24:47.238818: | length: 337 (0x151) Aug 26 18:24:47.238821: | processing payload: ISAKMP_NEXT_v2SK (len=333) Aug 26 18:24:47.238826: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Aug 26 18:24:47.238833: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 18:24:47.238837: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 18:24:47.238840: | Now let's proceed with state specific processing Aug 26 18:24:47.238842: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 18:24:47.238846: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Aug 26 18:24:47.238851: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Aug 26 18:24:47.238855: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Aug 26 18:24:47.238858: | state #1 requesting EVENT_SO_DISCARD to be deleted Aug 26 
18:24:47.238862: | libevent_free: release ptr-libevent@0x56407da8db08 Aug 26 18:24:47.238866: | free_event_entry: release EVENT_SO_DISCARD-pe@0x56407da8a238 Aug 26 18:24:47.238869: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x56407da8a238 Aug 26 18:24:47.238873: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 18:24:47.238877: | libevent_malloc: new ptr-libevent@0x7f27cc002888 size 128 Aug 26 18:24:47.238888: | #1 spent 0.0403 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Aug 26 18:24:47.238894: | crypto helper 1 resuming Aug 26 18:24:47.238896: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:24:47.238909: | crypto helper 1 starting work-order 2 for state #1 Aug 26 18:24:47.238915: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Aug 26 18:24:47.238923: | crypto helper 1 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Aug 26 18:24:47.238924: | suspending state #1 and saving MD Aug 26 18:24:47.238930: | #1 is busy; has a suspended MD Aug 26 18:24:47.238934: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 18:24:47.238937: | "eastnet-any"[1] 192.1.2.45 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 18:24:47.238940: | stop processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 18:24:47.238944: | #1 spent 0.229 milliseconds in ikev2_process_packet() Aug 26 18:24:47.238947: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 18:24:47.238949: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 18:24:47.238950: | processing: STOP connection NULL (in 
process_md() at demux.c:383) Aug 26 18:24:47.238953: | spent 0.239 milliseconds in comm_handle_cb() reading and processing packet Aug 26 18:24:47.239903: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Aug 26 18:24:47.240352: | crypto helper 1 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001429 seconds Aug 26 18:24:47.240364: | (#1) spent 1.42 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Aug 26 18:24:47.240368: | crypto helper 1 sending results from work-order 2 for state #1 to event queue Aug 26 18:24:47.240371: | scheduling resume sending helper answer for #1 Aug 26 18:24:47.240375: | libevent_malloc: new ptr-libevent@0x7f27c4000f48 size 128 Aug 26 18:24:47.240384: | crypto helper 1 waiting (nothing to do) Aug 26 18:24:47.240392: | processing resume sending helper answer for #1 Aug 26 18:24:47.240402: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 18:24:47.240406: | crypto helper 1 replies to request ID 2 Aug 26 18:24:47.240408: | calling continuation function 0x56407cbe2b50 Aug 26 18:24:47.240410: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Aug 26 18:24:47.240413: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 18:24:47.240431: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Aug 26 18:24:47.240435: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Aug 26 18:24:47.240440: | **parse IKEv2 Identification - Initiator - Payload: Aug 26 18:24:47.240443: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Aug 26 18:24:47.240446: | flags: none (0x0) Aug 26 18:24:47.240449: | length: 12 (0xc) Aug 26 18:24:47.240452: | ID type: ID_IPV4_ADDR (0x1) Aug 26 18:24:47.240455: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Aug 26 18:24:47.240458: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Aug 26 18:24:47.240461: | **parse IKEv2 Identification - Responder 
- Payload: Aug 26 18:24:47.240464: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Aug 26 18:24:47.240466: | flags: none (0x0) Aug 26 18:24:47.240468: | length: 12 (0xc) Aug 26 18:24:47.240472: | ID type: ID_FQDN (0x2) Aug 26 18:24:47.240474: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Aug 26 18:24:47.240477: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Aug 26 18:24:47.240480: | **parse IKEv2 Authentication Payload: Aug 26 18:24:47.240483: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 18:24:47.240485: | flags: none (0x0) Aug 26 18:24:47.240487: | length: 72 (0x48) Aug 26 18:24:47.240490: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 18:24:47.240493: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Aug 26 18:24:47.240495: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 18:24:47.240498: | **parse IKEv2 Security Association Payload: Aug 26 18:24:47.240501: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 18:24:47.240503: | flags: none (0x0) Aug 26 18:24:47.240506: | length: 164 (0xa4) Aug 26 18:24:47.240509: | processing payload: ISAKMP_NEXT_v2SA (len=160) Aug 26 18:24:47.240511: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 18:24:47.240514: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 18:24:47.240517: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 18:24:47.240519: | flags: none (0x0) Aug 26 18:24:47.240522: | length: 24 (0x18) Aug 26 18:24:47.240525: | number of TS: 1 (0x1) Aug 26 18:24:47.240527: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Aug 26 18:24:47.240530: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 18:24:47.240533: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 18:24:47.240535: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.240538: | flags: none (0x0) Aug 26 18:24:47.240541: | length: 24 (0x18) Aug 26 18:24:47.240543: | number of TS: 1 (0x1) Aug 26 18:24:47.240546: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Aug 26 18:24:47.240548: 
| selected state microcode Responder: process IKE_AUTH request Aug 26 18:24:47.240550: | Now let's proceed with state specific processing Aug 26 18:24:47.240552: | calling processor Responder: process IKE_AUTH request Aug 26 18:24:47.240557: "eastnet-any"[1] 192.1.2.45 #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Aug 26 18:24:47.240561: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 18:24:47.240564: | parsing 4 raw bytes of IKEv2 Identification - Initiator - Payload into peer ID Aug 26 18:24:47.240566: | peer ID c0 01 02 2d Aug 26 18:24:47.240568: | received IDr payload - extracting our alleged ID Aug 26 18:24:47.240571: | refine_host_connection for IKEv2: starting with "eastnet-any"[1] 192.1.2.45 Aug 26 18:24:47.240575: | match_id a=192.1.2.45 Aug 26 18:24:47.240577: | b=192.1.2.45 Aug 26 18:24:47.240578: | results matched Aug 26 18:24:47.240582: | refine_host_connection: checking "eastnet-any"[1] 192.1.2.45 against "eastnet-any"[1] 192.1.2.45, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Aug 26 18:24:47.240584: | Warning: not switching back to template of current instance Aug 26 18:24:47.240587: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Aug 26 18:24:47.240588: | This connection's local id is @east (ID_FQDN) Aug 26 18:24:47.240594: | refine_host_connection: checked eastnet-any[1] 192.1.2.45 against eastnet-any[1] 192.1.2.45, now for see if best Aug 26 18:24:47.240596: | started looking for secret for @east->192.1.2.45 of kind PKK_PSK Aug 26 18:24:47.240599: | actually looking for secret for @east->192.1.2.45 of kind PKK_PSK Aug 26 18:24:47.240603: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 18:24:47.240607: | 1: compared key (none) to @east / 192.1.2.45 -> 002 Aug 26 18:24:47.240610: | 2: compared key (none) to @east / 192.1.2.45 -> 002 Aug 26 18:24:47.240613: | line 1: match=002 Aug 26 18:24:47.240616: | 
match 002 beats previous best_match 000 match=0x56407d9e1c48 (line=1) Aug 26 18:24:47.240619: | concluding with best_match=002 best=0x56407d9e1c48 (lineno=1) Aug 26 18:24:47.240622: | returning because exact peer id match Aug 26 18:24:47.240624: | offered CA: '%none' Aug 26 18:24:47.240627: "eastnet-any"[1] 192.1.2.45 #1: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.1.2.45' Aug 26 18:24:47.240643: | verifying AUTH payload Aug 26 18:24:47.240646: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret Aug 26 18:24:47.240649: | started looking for secret for @east->192.1.2.45 of kind PKK_PSK Aug 26 18:24:47.240651: | actually looking for secret for @east->192.1.2.45 of kind PKK_PSK Aug 26 18:24:47.240654: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 18:24:47.240655: | 1: compared key (none) to @east / 192.1.2.45 -> 002 Aug 26 18:24:47.240657: | 2: compared key (none) to @east / 192.1.2.45 -> 002 Aug 26 18:24:47.240659: | line 1: match=002 Aug 26 18:24:47.240661: | match 002 beats previous best_match 000 match=0x56407d9e1c48 (line=1) Aug 26 18:24:47.240662: | concluding with best_match=002 best=0x56407d9e1c48 (lineno=1) Aug 26 18:24:47.240721: "eastnet-any"[1] 192.1.2.45 #1: Authenticated using authby=secret Aug 26 18:24:47.240728: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Aug 26 18:24:47.240734: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Aug 26 18:24:47.240737: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 18:24:47.240742: | libevent_free: release ptr-libevent@0x7f27cc002888 Aug 26 18:24:47.240745: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x56407da8a238 Aug 26 18:24:47.240748: | event_schedule: new EVENT_SA_REKEY-pe@0x56407da8a238 Aug 26 18:24:47.240752: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Aug 26 18:24:47.240755: | libevent_malloc: new ptr-libevent@0x56407da8db08 size 128 Aug 26 
18:24:47.240832: | pstats #1 ikev2.ike established Aug 26 18:24:47.240841: | **emit ISAKMP Message: Aug 26 18:24:47.240845: | initiator cookie: Aug 26 18:24:47.240848: | 11 80 aa 5c 40 d8 5b be Aug 26 18:24:47.240851: | responder cookie: Aug 26 18:24:47.240853: | 59 62 39 99 48 ad dc 34 Aug 26 18:24:47.240856: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:24:47.240859: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:47.240862: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 18:24:47.240864: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 18:24:47.240867: | Message ID: 1 (0x1) Aug 26 18:24:47.240870: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:24:47.240874: | IKEv2 CERT: send a certificate? Aug 26 18:24:47.240877: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Aug 26 18:24:47.240880: | ***emit IKEv2 Encryption Payload: Aug 26 18:24:47.240883: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.240885: | flags: none (0x0) Aug 26 18:24:47.240888: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:24:47.240891: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.240895: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:24:47.240909: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 18:24:47.240923: | ****emit IKEv2 Identification - Responder - Payload: Aug 26 18:24:47.240927: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.240930: | flags: none (0x0) Aug 26 18:24:47.240933: | ID type: ID_FQDN (0x2) Aug 26 18:24:47.240936: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Aug 26 18:24:47.240940: | next payload chain: saving location 
'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.240944: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Aug 26 18:24:47.240947: | my identity 65 61 73 74 Aug 26 18:24:47.240951: | emitting length of IKEv2 Identification - Responder - Payload: 12 Aug 26 18:24:47.240959: | assembled IDr payload Aug 26 18:24:47.240962: | CHILD SA proposals received Aug 26 18:24:47.240964: | going to assemble AUTH payload Aug 26 18:24:47.240967: | ****emit IKEv2 Authentication Payload: Aug 26 18:24:47.240970: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 18:24:47.240973: | flags: none (0x0) Aug 26 18:24:47.240976: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 18:24:47.240979: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Aug 26 18:24:47.240982: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Aug 26 18:24:47.240985: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.240989: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Aug 26 18:24:47.240994: | started looking for secret for @east->192.1.2.45 of kind PKK_PSK Aug 26 18:24:47.240998: | actually looking for secret for @east->192.1.2.45 of kind PKK_PSK Aug 26 18:24:47.241002: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 18:24:47.241005: | 1: compared key (none) to @east / 192.1.2.45 -> 002 Aug 26 18:24:47.241009: | 2: compared key (none) to @east / 192.1.2.45 -> 002 Aug 26 18:24:47.241011: | line 1: match=002 Aug 26 18:24:47.241014: | match 002 beats previous best_match 000 match=0x56407d9e1c48 (line=1) Aug 26 18:24:47.241017: | concluding with best_match=002 best=0x56407d9e1c48 (lineno=1) Aug 26 18:24:47.241072: | emitting 64 raw 
bytes of PSK auth into IKEv2 Authentication Payload Aug 26 18:24:47.241078: | PSK auth e5 8b fe 3f 54 91 35 7c 1f c6 d1 23 85 16 d3 cb Aug 26 18:24:47.241081: | PSK auth 20 4e 46 12 b0 28 ab e3 a8 f7 ab 3b 91 f6 eb 79 Aug 26 18:24:47.241084: | PSK auth af 3a a9 d1 30 78 7a 1d bd b9 9d ca 22 d0 ea 46 Aug 26 18:24:47.241086: | PSK auth d0 f3 e3 3e 3a d9 65 64 66 7e 20 8f f3 15 1c 2f Aug 26 18:24:47.241089: | emitting length of IKEv2 Authentication Payload: 72 Aug 26 18:24:47.241097: | creating state object #2 at 0x56407da8e668 Aug 26 18:24:47.241100: | State DB: adding IKEv2 state #2 in UNDEFINED Aug 26 18:24:47.241105: | pstats #2 ikev2.child started Aug 26 18:24:47.241110: | duplicating state object #1 "eastnet-any"[1] 192.1.2.45 as #2 for IPSEC SA Aug 26 18:24:47.241116: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 18:24:47.241122: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 18:24:47.241126: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Aug 26 18:24:47.241129: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Aug 26 18:24:47.241131: | Child SA TS Request has ike->sa == md->st; so using parent connection Aug 26 18:24:47.241135: | TSi: parsing 1 traffic selectors Aug 26 18:24:47.241137: | ***parse IKEv2 Traffic Selector: Aug 26 18:24:47.241139: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:24:47.241141: | IP Protocol ID: 0 (0x0) Aug 26 18:24:47.241142: | length: 16 (0x10) Aug 26 18:24:47.241144: | start port: 0 (0x0) Aug 26 18:24:47.241146: | end port: 65535 (0xffff) Aug 26 18:24:47.241148: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 
18:24:47.241149: | TS low c0 00 01 00 Aug 26 18:24:47.241151: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 18:24:47.241153: | TS high c0 00 01 ff Aug 26 18:24:47.241154: | TSi: parsed 1 traffic selectors Aug 26 18:24:47.241156: | TSr: parsing 1 traffic selectors Aug 26 18:24:47.241158: | ***parse IKEv2 Traffic Selector: Aug 26 18:24:47.241160: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:24:47.241162: | IP Protocol ID: 0 (0x0) Aug 26 18:24:47.241165: | length: 16 (0x10) Aug 26 18:24:47.241168: | start port: 0 (0x0) Aug 26 18:24:47.241170: | end port: 65535 (0xffff) Aug 26 18:24:47.241173: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 18:24:47.241176: | TS low c0 00 02 00 Aug 26 18:24:47.241179: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 18:24:47.241182: | TS high c0 00 02 ff Aug 26 18:24:47.241186: | TSr: parsed 1 traffic selectors Aug 26 18:24:47.241189: | looking for best SPD in current connection Aug 26 18:24:47.241198: | evaluating our conn="eastnet-any"[1] 192.1.2.45 I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 18:24:47.241205: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:24:47.241213: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Aug 26 18:24:47.241216: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 18:24:47.241218: | TSi[0] port match: YES fitness 65536 Aug 26 18:24:47.241222: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 18:24:47.241225: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 18:24:47.241230: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:24:47.241236: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 18:24:47.241239: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 18:24:47.241242: | TSr[0] port match: YES fitness 65536 Aug 26 18:24:47.241245: | narrow 
protocol end=*0 == TSr[0]=*0: 0 Aug 26 18:24:47.241248: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 18:24:47.241251: | best fit so far: TSi[0] TSr[0] Aug 26 18:24:47.241253: | found better spd route for TSi[0],TSr[0] Aug 26 18:24:47.241256: | looking for better host pair Aug 26 18:24:47.241261: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Aug 26 18:24:47.241266: | checking hostpair 192.0.2.0/24 -> 192.0.1.0/24 is found Aug 26 18:24:47.241269: | investigating connection "eastnet-any" as a better match Aug 26 18:24:47.241274: | match_id a=192.1.2.45 Aug 26 18:24:47.241276: | b=192.1.2.45 Aug 26 18:24:47.241279: | results matched Aug 26 18:24:47.241285: | evaluating our conn="eastnet-any"[1] 192.1.2.45 I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 18:24:47.241294: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:24:47.241304: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Aug 26 18:24:47.241307: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 18:24:47.241310: | TSi[0] port match: YES fitness 65536 Aug 26 18:24:47.241313: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 18:24:47.241316: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 18:24:47.241320: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:24:47.241329: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 18:24:47.241332: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 18:24:47.241335: | TSr[0] port match: YES fitness 65536 Aug 26 18:24:47.241338: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 18:24:47.241341: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 18:24:47.241344: | best fit so far: TSi[0] TSr[0] Aug 26 18:24:47.241346: | did not find a better connection using host pair Aug 26 18:24:47.241349: | printing 
contents struct traffic_selector Aug 26 18:24:47.241352: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 18:24:47.241355: | ipprotoid: 0 Aug 26 18:24:47.241358: | port range: 0-65535 Aug 26 18:24:47.241362: | ip range: 192.0.2.0-192.0.2.255 Aug 26 18:24:47.241364: | printing contents struct traffic_selector Aug 26 18:24:47.241367: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 18:24:47.241369: | ipprotoid: 0 Aug 26 18:24:47.241372: | port range: 0-65535 Aug 26 18:24:47.241376: | ip range: 192.0.1.0-192.0.1.255 Aug 26 18:24:47.241381: | constructing ESP/AH proposals with all DH removed for eastnet-any (IKE_AUTH responder matching remote ESP/AH proposals) Aug 26 18:24:47.241388: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Aug 26 18:24:47.241396: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 18:24:47.241399: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Aug 26 18:24:47.241403: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 18:24:47.241407: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 18:24:47.241411: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 18:24:47.241415: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 18:24:47.241419: | ... 
ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 18:24:47.241429: "eastnet-any"[1] 192.1.2.45: constructed local ESP/AH proposals for eastnet-any (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 18:24:47.241434: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals Aug 26 18:24:47.241438: | local proposal 1 type ENCR has 1 transforms Aug 26 18:24:47.241441: | local proposal 1 type PRF has 0 transforms Aug 26 18:24:47.241444: | local proposal 1 type INTEG has 1 transforms Aug 26 18:24:47.241446: | local proposal 1 type DH has 1 transforms Aug 26 18:24:47.241449: | local proposal 1 type ESN has 1 transforms Aug 26 18:24:47.241453: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 18:24:47.241456: | local proposal 2 type ENCR has 1 transforms Aug 26 18:24:47.241459: | local proposal 2 type PRF has 0 transforms Aug 26 18:24:47.241461: | local proposal 2 type INTEG has 1 transforms Aug 26 18:24:47.241464: | local proposal 2 type DH has 1 transforms Aug 26 18:24:47.241467: | local proposal 2 type ESN has 1 transforms Aug 26 18:24:47.241470: | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 18:24:47.241473: | local proposal 3 type ENCR has 1 transforms Aug 26 18:24:47.241475: | local proposal 3 type PRF has 0 transforms Aug 26 18:24:47.241478: | local proposal 3 type INTEG has 2 transforms Aug 26 18:24:47.241481: | local proposal 3 type DH has 1 transforms Aug 26 18:24:47.241484: | local proposal 3 type ESN has 1 transforms Aug 26 18:24:47.241487: | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: 
DH Aug 26 18:24:47.241492: | local proposal 4 type ENCR has 1 transforms Aug 26 18:24:47.241494: | local proposal 4 type PRF has 0 transforms Aug 26 18:24:47.241497: | local proposal 4 type INTEG has 2 transforms Aug 26 18:24:47.241500: | local proposal 4 type DH has 1 transforms Aug 26 18:24:47.241503: | local proposal 4 type ESN has 1 transforms Aug 26 18:24:47.241506: | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 18:24:47.241509: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 18:24:47.241513: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:24:47.241516: | length: 32 (0x20) Aug 26 18:24:47.241518: | prop #: 1 (0x1) Aug 26 18:24:47.241521: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:24:47.241524: | spi size: 4 (0x4) Aug 26 18:24:47.241527: | # transforms: 2 (0x2) Aug 26 18:24:47.241530: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 18:24:47.241533: | remote SPI 4e 76 f7 7f Aug 26 18:24:47.241537: | Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals Aug 26 18:24:47.241540: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.241543: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.241546: | length: 12 (0xc) Aug 26 18:24:47.241549: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:47.241552: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:24:47.241555: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 18:24:47.241558: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:47.241560: | length/value: 256 (0x100) Aug 26 18:24:47.241565: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 18:24:47.241568: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.241571: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:47.241573: | length: 8 (0x8) Aug 26 18:24:47.241576: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 
18:24:47.241578: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:24:47.241582: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 18:24:47.241585: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Aug 26 18:24:47.241588: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Aug 26 18:24:47.241592: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Aug 26 18:24:47.241595: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Aug 26 18:24:47.241600: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Aug 26 18:24:47.241602: | remote proposal 1 matches local proposal 1 Aug 26 18:24:47.241606: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 18:24:47.241609: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:24:47.241612: | length: 32 (0x20) Aug 26 18:24:47.241615: | prop #: 2 (0x2) Aug 26 18:24:47.241617: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:24:47.241620: | spi size: 4 (0x4) Aug 26 18:24:47.241622: | # transforms: 2 (0x2) Aug 26 18:24:47.241626: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 18:24:47.241628: | remote SPI 4e 76 f7 7f Aug 26 18:24:47.241632: | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:24:47.241634: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.241637: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.241639: | length: 12 (0xc) Aug 26 18:24:47.241642: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:47.241645: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:24:47.241647: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 18:24:47.241650: | af+type: AF+IKEv2_KEY_LENGTH 
(0x800e) Aug 26 18:24:47.241655: | length/value: 128 (0x80) Aug 26 18:24:47.241659: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.241662: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:47.241665: | length: 8 (0x8) Aug 26 18:24:47.241667: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:24:47.241670: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:24:47.241674: | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN Aug 26 18:24:47.241677: | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN Aug 26 18:24:47.241680: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 18:24:47.241683: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:24:47.241685: | length: 48 (0x30) Aug 26 18:24:47.241688: | prop #: 3 (0x3) Aug 26 18:24:47.241690: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:24:47.241693: | spi size: 4 (0x4) Aug 26 18:24:47.241695: | # transforms: 4 (0x4) Aug 26 18:24:47.241699: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 18:24:47.241701: | remote SPI 4e 76 f7 7f Aug 26 18:24:47.241704: | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:24:47.241707: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.241710: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.241712: | length: 12 (0xc) Aug 26 18:24:47.241715: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:47.241718: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:24:47.241721: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 18:24:47.241723: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:47.241726: | length/value: 256 (0x100) Aug 26 18:24:47.241729: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.241732: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.241734: | length: 8 (0x8) Aug 26 18:24:47.241737: | IKEv2 transform type: 
TRANS_TYPE_INTEG (0x3) Aug 26 18:24:47.241740: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 18:24:47.241743: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.241746: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.241748: | length: 8 (0x8) Aug 26 18:24:47.241751: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:24:47.241753: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:24:47.241756: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.241759: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:47.241762: | length: 8 (0x8) Aug 26 18:24:47.241765: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:24:47.241767: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:24:47.241771: | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Aug 26 18:24:47.241775: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN Aug 26 18:24:47.241777: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 18:24:47.241780: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:24:47.241783: | length: 48 (0x30) Aug 26 18:24:47.241785: | prop #: 4 (0x4) Aug 26 18:24:47.241788: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:24:47.241791: | spi size: 4 (0x4) Aug 26 18:24:47.241793: | # transforms: 4 (0x4) Aug 26 18:24:47.241797: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 18:24:47.241799: | remote SPI 4e 76 f7 7f Aug 26 18:24:47.241802: | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:24:47.241805: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.241808: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.241811: | length: 12 (0xc) Aug 26 18:24:47.241813: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:47.241816: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:24:47.241819: | *****parse IKEv2 Attribute 
Substructure Payload: Aug 26 18:24:47.241823: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:47.241826: | length/value: 128 (0x80) Aug 26 18:24:47.241829: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.241832: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.241835: | length: 8 (0x8) Aug 26 18:24:47.241837: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:24:47.241840: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 18:24:47.241843: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.241845: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.241848: | length: 8 (0x8) Aug 26 18:24:47.241851: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:24:47.241853: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:24:47.241856: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:47.241859: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:47.241861: | length: 8 (0x8) Aug 26 18:24:47.241864: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:24:47.241867: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:24:47.241871: | remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Aug 26 18:24:47.241874: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN Aug 26 18:24:47.241881: "eastnet-any"[1] 192.1.2.45 #1: proposal 1:ESP:SPI=4e76f77f;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Aug 26 18:24:47.241886: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=4e76f77f;ENCR=AES_GCM_C_256;ESN=DISABLED Aug 26 18:24:47.241889: | converting proposal to internal trans attrs Aug 26 18:24:47.241909: | 
netlink_get_spi: allocated 0xb9586e41 for esp.0@192.1.2.23 Aug 26 18:24:47.241912: | Emitting ikev2_proposal ... Aug 26 18:24:47.241915: | ****emit IKEv2 Security Association Payload: Aug 26 18:24:47.241918: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.241921: | flags: none (0x0) Aug 26 18:24:47.241925: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 18:24:47.241928: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.241931: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 18:24:47.241934: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:24:47.241937: | prop #: 1 (0x1) Aug 26 18:24:47.241939: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:24:47.241942: | spi size: 4 (0x4) Aug 26 18:24:47.241945: | # transforms: 2 (0x2) Aug 26 18:24:47.241948: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 18:24:47.241951: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 18:24:47.241954: | our spi b9 58 6e 41 Aug 26 18:24:47.241957: | ******emit IKEv2 Transform Substructure Payload: Aug 26 18:24:47.241960: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.241962: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:47.241965: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:24:47.241968: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:47.241971: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 18:24:47.241974: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:47.241977: | length/value: 256 (0x100) Aug 26 18:24:47.241980: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 18:24:47.241983: | ******emit 
IKEv2 Transform Substructure Payload: Aug 26 18:24:47.241988: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:47.241991: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:24:47.241994: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:24:47.241997: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:47.242000: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:47.242003: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:24:47.242006: | emitting length of IKEv2 Proposal Substructure Payload: 32 Aug 26 18:24:47.242009: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 18:24:47.242012: | emitting length of IKEv2 Security Association Payload: 36 Aug 26 18:24:47.242015: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 18:24:47.242018: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 18:24:47.242021: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.242024: | flags: none (0x0) Aug 26 18:24:47.242026: | number of TS: 1 (0x1) Aug 26 18:24:47.242030: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 18:24:47.242033: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.242036: | *****emit IKEv2 Traffic Selector: Aug 26 18:24:47.242039: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:24:47.242041: | IP Protocol ID: 0 (0x0) Aug 26 18:24:47.242044: | start port: 0 (0x0) Aug 26 18:24:47.242047: | end port: 65535 (0xffff) Aug 26 
18:24:47.242050: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 18:24:47.242053: | ipv4 start c0 00 01 00 Aug 26 18:24:47.242056: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 18:24:47.242058: | ipv4 end c0 00 01 ff Aug 26 18:24:47.242061: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 18:24:47.242064: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 18:24:47.242066: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 18:24:47.242069: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:47.242072: | flags: none (0x0) Aug 26 18:24:47.242074: | number of TS: 1 (0x1) Aug 26 18:24:47.242078: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 18:24:47.242081: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 18:24:47.242084: | *****emit IKEv2 Traffic Selector: Aug 26 18:24:47.242087: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:24:47.242089: | IP Protocol ID: 0 (0x0) Aug 26 18:24:47.242091: | start port: 0 (0x0) Aug 26 18:24:47.242094: | end port: 65535 (0xffff) Aug 26 18:24:47.242097: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 18:24:47.242099: | ipv4 start c0 00 02 00 Aug 26 18:24:47.242102: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 18:24:47.242104: | ipv4 end c0 00 02 ff Aug 26 18:24:47.242107: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 18:24:47.242109: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 18:24:47.242112: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 18:24:47.242116: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Aug 26 18:24:47.242256: | FOR_EACH_CONNECTION_... 
in ISAKMP_SA_established Aug 26 18:24:47.242266: | #1 spent 1.71 milliseconds Aug 26 18:24:47.242271: | install_ipsec_sa() for #2: inbound and outbound Aug 26 18:24:47.242274: | could_route called for eastnet-any (kind=CK_INSTANCE) Aug 26 18:24:47.242276: | FOR_EACH_CONNECTION_... in route_owner Aug 26 18:24:47.242279: | conn eastnet-any mark 0/00000000, 0/00000000 vs Aug 26 18:24:47.242281: | conn eastnet-any mark 0/00000000, 0/00000000 Aug 26 18:24:47.242284: | conn eastnet-any mark 0/00000000, 0/00000000 vs Aug 26 18:24:47.242286: | conn eastnet-any mark 0/00000000, 0/00000000 Aug 26 18:24:47.242295: | route owner of "eastnet-any"[1] 192.1.2.45 unrouted: NULL; eroute owner: NULL Aug 26 18:24:47.242302: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 18:24:47.242305: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 18:24:47.242308: | AES_GCM_16 requires 4 salt bytes Aug 26 18:24:47.242310: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 18:24:47.242314: | setting IPsec SA replay-window to 32 Aug 26 18:24:47.242317: | NIC esp-hw-offload not for connection 'eastnet-any' not available on interface eth1 Aug 26 18:24:47.242320: | netlink: enabling tunnel mode Aug 26 18:24:47.242323: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 18:24:47.242326: | netlink: esp-hw-offload not set for IPsec SA Aug 26 18:24:47.242400: | netlink response for Add SA esp.4e76f77f@192.1.2.45 included non-error error Aug 26 18:24:47.242407: | set up outgoing SA, ref=0/0 Aug 26 18:24:47.242411: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 18:24:47.242415: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 18:24:47.242419: | AES_GCM_16 requires 4 salt bytes Aug 26 18:24:47.242422: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 18:24:47.242427: | setting IPsec SA replay-window to 32 Aug 26 
18:24:47.242430: | NIC esp-hw-offload not for connection 'eastnet-any' not available on interface eth1 Aug 26 18:24:47.242433: | netlink: enabling tunnel mode Aug 26 18:24:47.242437: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 18:24:47.242440: | netlink: esp-hw-offload not set for IPsec SA Aug 26 18:24:47.242479: | netlink response for Add SA esp.b9586e41@192.1.2.23 included non-error error Aug 26 18:24:47.242484: | priority calculation of connection "eastnet-any" is 0xfe7e7 Aug 26 18:24:47.242492: | add inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Aug 26 18:24:47.242496: | IPsec Sa SPD priority set to 1042407 Aug 26 18:24:47.242523: | raw_eroute result=success Aug 26 18:24:47.242527: | set up incoming SA, ref=0/0 Aug 26 18:24:47.242530: | sr for #2: unrouted Aug 26 18:24:47.242534: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 18:24:47.242537: | FOR_EACH_CONNECTION_... in route_owner Aug 26 18:24:47.242541: | conn eastnet-any mark 0/00000000, 0/00000000 vs Aug 26 18:24:47.242545: | conn eastnet-any mark 0/00000000, 0/00000000 Aug 26 18:24:47.242549: | conn eastnet-any mark 0/00000000, 0/00000000 vs Aug 26 18:24:47.242552: | conn eastnet-any mark 0/00000000, 0/00000000 Aug 26 18:24:47.242559: | route owner of "eastnet-any"[1] 192.1.2.45 unrouted: NULL; eroute owner: NULL Aug 26 18:24:47.242563: | route_and_eroute with c: eastnet-any (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Aug 26 18:24:47.242567: | priority calculation of connection "eastnet-any" is 0xfe7e7 Aug 26 18:24:47.242576: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45 (raw_eroute) Aug 26 18:24:47.242580: | IPsec Sa SPD priority set to 1042407 Aug 26 18:24:47.242593: | raw_eroute result=success Aug 26 18:24:47.242598: | running updown command "ipsec _updown" for verb up Aug 26 18:24:47.242602: | command executing up-client Aug 26 
18:24:47.242637: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x4e76f77f SP Aug 26 18:24:47.242645: | popen cmd is 1031 chars long Aug 26 18:24:47.242649: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_: Aug 26 18:24:47.242653: | cmd( 80):INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID=': Aug 26 18:24:47.242657: | cmd( 160):@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_C: Aug 26 18:24:47.242661: | cmd( 240):LIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQI: Aug 26 18:24:47.242665: | cmd( 320):D='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45': Aug 26 18:24:47.242669: | cmd( 400): PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_C: Aug 26 18:24:47.242673: | cmd( 480):LIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEE: Aug 26 18:24:47.242676: | cmd( 560):R_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' 
PLUTO_CONN_POLICY='PSK+ENCRYPT+TU: Aug 26 18:24:47.242680: | cmd( 640):NNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INST: Aug 26 18:24:47.242684: | cmd( 720):ANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_: Aug 26 18:24:47.242687: | cmd( 800):PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER: Aug 26 18:24:47.242691: | cmd( 880):='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' : Aug 26 18:24:47.242695: | cmd( 960):VTI_SHARED='no' SPI_IN=0x4e76f77f SPI_OUT=0xb9586e41 ipsec _updown 2>&1: Aug 26 18:24:47.251347: | route_and_eroute: firewall_notified: true Aug 26 18:24:47.252078: | running updown command "ipsec _updown" for verb prepare Aug 26 18:24:47.252083: | command executing prepare-client Aug 26 18:24:47.252108: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x4 Aug 26 18:24:47.252112: | popen cmd is 1036 chars long Aug 26 18:24:47.252114: | cmd( 0):PLUTO_VERB='prepare-client' 
PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' P: Aug 26 18:24:47.252116: | cmd( 80):LUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY: Aug 26 18:24:47.252117: | cmd( 160):_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO: Aug 26 18:24:47.252122: | cmd( 240):_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA: Aug 26 18:24:47.252363: | cmd( 320):_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.: Aug 26 18:24:47.252373: | cmd( 400):2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_P: Aug 26 18:24:47.252376: | cmd( 480):EER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUT: Aug 26 18:24:47.252379: | cmd( 560):O_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRY: Aug 26 18:24:47.252382: | cmd( 640):PT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK: Aug 26 18:24:47.252385: | cmd( 720):_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' P: Aug 26 18:24:47.252387: | cmd( 800):LUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_S: Aug 26 18:24:47.252390: | cmd( 880):ERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING=: Aug 26 18:24:47.252393: | cmd( 960):'no' VTI_SHARED='no' SPI_IN=0x4e76f77f SPI_OUT=0xb9586e41 ipsec _updown 2>&1: Aug 26 18:24:47.263085: | running updown command "ipsec _updown" for verb route Aug 26 18:24:47.263105: | command executing route-client Aug 26 18:24:47.263142: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' 
PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x4e76f Aug 26 18:24:47.263149: | popen cmd is 1034 chars long Aug 26 18:24:47.263153: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLU: Aug 26 18:24:47.263156: | cmd( 80):TO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_I: Aug 26 18:24:47.263158: | cmd( 160):D='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_M: Aug 26 18:24:47.263161: | cmd( 240):Y_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_R: Aug 26 18:24:47.263164: | cmd( 320):EQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.: Aug 26 18:24:47.263167: | cmd( 400):45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEE: Aug 26 18:24:47.263170: | cmd( 480):R_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_: Aug 26 18:24:47.263173: | cmd( 560):PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT: Aug 26 18:24:47.263175: | cmd( 640):+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_I: Aug 26 18:24:47.263178: | cmd( 720):NSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLU: Aug 26 18:24:47.263181: | cmd( 800):TO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' 
PLUTO_CFG_SER: Aug 26 18:24:47.263184: | cmd( 880):VER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='n: Aug 26 18:24:47.263187: | cmd( 960):o' VTI_SHARED='no' SPI_IN=0x4e76f77f SPI_OUT=0xb9586e41 ipsec _updown 2>&1: Aug 26 18:24:47.278522: | route_and_eroute: instance "eastnet-any"[1] 192.1.2.45, setting eroute_owner {spd=0x56407da89b28,sr=0x56407da89b28} to #2 (was #0) (newest_ipsec_sa=#0) Aug 26 18:24:47.278825: | #1 spent 1.82 milliseconds in install_ipsec_sa() Aug 26 18:24:47.278837: | ISAKMP_v2_IKE_AUTH: instance eastnet-any[1], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Aug 26 18:24:47.278841: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 18:24:47.278845: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:47.278850: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:24:47.278853: | emitting length of IKEv2 Encryption Payload: 197 Aug 26 18:24:47.278856: | emitting length of ISAKMP Message: 225 Aug 26 18:24:47.278897: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Aug 26 18:24:47.278905: | #1 spent 3.6 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Aug 26 18:24:47.278915: | suspend processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:24:47.278923: | start processing: state #2 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:24:47.278928: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Aug 26 18:24:47.278932: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Aug 26 18:24:47.278936: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Aug 26 
18:24:47.278941: | Message ID: updating counters for #2 to 1 after switching state Aug 26 18:24:47.278947: | Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Aug 26 18:24:47.278953: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Aug 26 18:24:47.278957: | pstats #2 ikev2.child established Aug 26 18:24:47.278968: "eastnet-any"[1] 192.1.2.45 #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Aug 26 18:24:47.278975: | NAT-T: encaps is 'auto' Aug 26 18:24:47.278980: "eastnet-any"[1] 192.1.2.45 #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x4e76f77f <0xb9586e41 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} Aug 26 18:24:47.278986: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Aug 26 18:24:47.278995: | sending 225 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
Aug 26 18:24:47.279086: | releasing whack for #2 (sock=fd@-1) Aug 26 18:24:47.279092: | releasing whack and unpending for parent #1 Aug 26 18:24:47.279096: | unpending state #1 connection "eastnet-any"[1] 192.1.2.45 Aug 26 18:24:47.279101: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Aug 26 18:24:47.279107: | event_schedule: new EVENT_SA_REKEY-pe@0x7f27cc002b78 Aug 26 18:24:47.279112: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Aug 26 18:24:47.279117: | libevent_malloc: new ptr-libevent@0x56407da8e5b8 size 128 Aug 26 18:24:47.279133: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 18:24:47.279141: | #1 spent 3.97 milliseconds in resume sending helper answer Aug 26 18:24:47.279148: | stop processing: state #2 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 18:24:47.279155: | libevent_free: release ptr-libevent@0x7f27c4000f48 Aug 26 18:24:47.279171: | processing signal PLUTO_SIGCHLD Aug 26 18:24:47.279178: | waitpid returned ECHILD (no child processes left) Aug 26 18:24:47.279183: | spent 0.00591 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:24:47.279186: | processing signal PLUTO_SIGCHLD Aug 26 18:24:47.279190: | waitpid returned ECHILD (no child processes left) Aug 26 18:24:47.279195: | spent 0.00438 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:24:47.279198: | processing signal PLUTO_SIGCHLD Aug 26 18:24:47.279202: | waitpid returned ECHILD (no child processes left) Aug 26 18:24:47.279206: | spent 0.00418 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:24:48.562386: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26
18:24:48.562777: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Aug 26 18:24:48.562787: | FOR_EACH_STATE_... in sort_states Aug 26 18:24:48.562797: | get_sa_info esp.b9586e41@192.1.2.23 Aug 26 18:24:48.562816: | get_sa_info esp.4e76f77f@192.1.2.45 Aug 26 18:24:48.562836: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:24:48.562843: | spent 0.467 milliseconds in whack Aug 26 18:24:48.680956: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:24:48.681519: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 18:24:48.681533: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 18:24:48.681647: | FOR_EACH_STATE_... in show_states_status (sort_states) Aug 26 18:24:48.681652: | FOR_EACH_STATE_... in sort_states Aug 26 18:24:48.681671: | get_sa_info esp.b9586e41@192.1.2.23 Aug 26 18:24:48.682004: | get_sa_info esp.4e76f77f@192.1.2.45 Aug 26 18:24:48.682036: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:24:48.682045: | spent 1.33 milliseconds in whack Aug 26 18:24:49.359022: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:24:49.359042: shutting down Aug 26 18:24:49.359048: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Aug 26 18:24:49.359054: | certs and keys locked by 'free_preshared_secrets' Aug 26 18:24:49.359056: forgetting secrets Aug 26 18:24:49.359062: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 18:24:49.359067: | start processing: connection "eastnet-any"[1] 192.1.2.45 (in delete_connection() at connections.c:189) Aug 26 18:24:49.359071: "eastnet-any"[1] 192.1.2.45: deleting connection "eastnet-any"[1] 192.1.2.45 instance with peer 192.1.2.45 {isakmp=#1/ipsec=#2} Aug 26 18:24:49.359074: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 18:24:49.359077: | pass 
0 Aug 26 18:24:49.359079: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 18:24:49.359081: | state #2 Aug 26 18:24:49.359085: | suspend processing: connection "eastnet-any"[1] 192.1.2.45 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 18:24:49.359091: | start processing: state #2 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 18:24:49.359094: | pstats #2 ikev2.child deleted completed Aug 26 18:24:49.359099: | [RE]START processing: state #2 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in delete_state() at state.c:879) Aug 26 18:24:49.359107: "eastnet-any"[1] 192.1.2.45 #2: deleting state (STATE_V2_IPSEC_R) aged 2.118s and sending notification Aug 26 18:24:49.359111: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Aug 26 18:24:49.359116: | get_sa_info esp.4e76f77f@192.1.2.45 Aug 26 18:24:49.359128: | get_sa_info esp.b9586e41@192.1.2.23 Aug 26 18:24:49.359133: "eastnet-any"[1] 192.1.2.45 #2: ESP traffic information: in=168B out=168B Aug 26 18:24:49.359136: | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R Aug 26 18:24:49.359138: | Opening output PBS informational exchange delete request Aug 26 18:24:49.359141: | **emit ISAKMP Message: Aug 26 18:24:49.359143: | initiator cookie: Aug 26 18:24:49.359144: | 11 80 aa 5c 40 d8 5b be Aug 26 18:24:49.359146: | responder cookie: Aug 26 18:24:49.359147: | 59 62 39 99 48 ad dc 34 Aug 26 18:24:49.359149: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:24:49.359151: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:49.359153: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 18:24:49.359155: | flags: none (0x0) Aug 26 18:24:49.359157: | Message ID: 0 (0x0) Aug 26 18:24:49.359159: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:24:49.359161: | ***emit IKEv2 Encryption Payload: Aug 26 
18:24:49.359163: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:49.359164: | flags: none (0x0) Aug 26 18:24:49.359166: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:24:49.359168: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:24:49.359171: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:24:49.359183: | ****emit IKEv2 Delete Payload: Aug 26 18:24:49.359185: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:49.359187: | flags: none (0x0) Aug 26 18:24:49.359189: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 18:24:49.359190: | SPI size: 4 (0x4) Aug 26 18:24:49.359192: | number of SPIs: 1 (0x1) Aug 26 18:24:49.359194: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 18:24:49.359196: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:24:49.359198: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Aug 26 18:24:49.359200: | local spis b9 58 6e 41 Aug 26 18:24:49.359201: | emitting length of IKEv2 Delete Payload: 12 Aug 26 18:24:49.359203: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 18:24:49.359205: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:49.359207: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:24:49.359209: | emitting length of IKEv2 Encryption Payload: 41 Aug 26 18:24:49.359211: | emitting length of ISAKMP Message: 69 Aug 26 18:24:49.359232: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #2) Aug 26 18:24:49.359234: | 11 80 aa 5c 40 d8 5b be 59 62 39 99 48 ad dc 34 Aug 26 
18:24:49.359236: | 2e 20 25 00 00 00 00 00 00 00 00 45 2a 00 00 29 Aug 26 18:24:49.359238: | 8e b8 05 f6 9e f1 5b f7 29 a9 93 40 14 7a 29 32 Aug 26 18:24:49.359239: | b1 e5 4f 8a 66 18 ad 14 c5 58 ba 9f 66 16 94 9c Aug 26 18:24:49.359241: | 95 dd c4 37 cf Aug 26 18:24:49.359269: | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Aug 26 18:24:49.359272: | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send Aug 26 18:24:49.359275: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1->0 wip.responder=-1 Aug 26 18:24:49.359279: | state #2 requesting EVENT_SA_REKEY to be deleted Aug 26 18:24:49.359282: | libevent_free: release ptr-libevent@0x56407da8e5b8 Aug 26 18:24:49.359284: | free_event_entry: release EVENT_SA_REKEY-pe@0x7f27cc002b78 Aug 26 18:24:49.359345: | running updown command "ipsec _updown" for verb down Aug 26 18:24:49.359353: | command executing down-client Aug 26 18:24:49.359402: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566843887' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' 
PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_I Aug 26 18:24:49.359408: | popen cmd is 1044 chars long Aug 26 18:24:49.359412: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUT: Aug 26 18:24:49.359415: | cmd( 80):O_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID: Aug 26 18:24:49.359418: | cmd( 160):='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY: Aug 26 18:24:49.359422: | cmd( 240):_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_RE: Aug 26 18:24:49.359425: | cmd( 320):QID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.4: Aug 26 18:24:49.359428: | cmd( 400):5' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER: Aug 26 18:24:49.359432: | cmd( 480):_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_P: Aug 26 18:24:49.359435: | cmd( 560):EER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566843887' PLUTO_CONN_POLICY='PSK: Aug 26 18:24:49.359438: | cmd( 640):+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KI: Aug 26 18:24:49.359441: | cmd( 720):ND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CIS: Aug 26 18:24:49.359445: | cmd( 800):CO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLU: Aug 26 18:24:49.359448: | cmd( 880):TO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_: Aug 26 18:24:49.359452: | cmd( 960):ROUTING='no' VTI_SHARED='no' SPI_IN=0x4e76f77f SPI_OUT=0xb9586e41 ipsec _updown : Aug 26 18:24:49.359454: | cmd(1040):2>&1: Aug 26 18:24:49.366573: | shunt_eroute() called for connection 'eastnet-any' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 Aug 26 18:24:49.366586: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 18:24:49.366589: 
| priority calculation of connection "eastnet-any" is 0xfe7e7 Aug 26 18:24:49.366593: | IPsec Sa SPD priority set to 1042407 Aug 26 18:24:49.366642: | delete esp.4e76f77f@192.1.2.45 Aug 26 18:24:49.366660: | netlink response for Del SA esp.4e76f77f@192.1.2.45 included non-error error Aug 26 18:24:49.366669: | priority calculation of connection "eastnet-any" is 0xfe7e7 Aug 26 18:24:49.366677: | delete inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Aug 26 18:24:49.366703: | raw_eroute result=success Aug 26 18:24:49.366709: | delete esp.b9586e41@192.1.2.23 Aug 26 18:24:49.366722: | netlink response for Del SA esp.b9586e41@192.1.2.23 included non-error error Aug 26 18:24:49.366741: | stop processing: connection "eastnet-any"[1] 192.1.2.45 (BACKGROUND) (in update_state_connection() at connections.c:4076) Aug 26 18:24:49.366747: | start processing: connection NULL (in update_state_connection() at connections.c:4077) Aug 26 18:24:49.366751: | in connection_discard for connection eastnet-any Aug 26 18:24:49.366755: | State DB: deleting IKEv2 state #2 in V2_IPSEC_R Aug 26 18:24:49.366764: | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Aug 26 18:24:49.366773: | stop processing: state #2 from 192.1.2.45:500 (in delete_state() at state.c:1143) Aug 26 18:24:49.366783: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 18:24:49.366785: | state #1 Aug 26 18:24:49.366787: | pass 1 Aug 26 18:24:49.366789: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 18:24:49.366790: | state #1 Aug 26 18:24:49.366794: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 18:24:49.366796: | pstats #1 ikev2.ike deleted completed Aug 26 18:24:49.366801: | #1 spent 8.42 milliseconds in total Aug 26 18:24:49.366804: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in delete_state() at state.c:879) Aug 26 18:24:49.366807: "eastnet-any"[1] 192.1.2.45 #1: deleting state (STATE_PARENT_R2) aged 2.133s and sending notification Aug 26 18:24:49.366809: | parent state #1: PARENT_R2(established IKE SA) => delete Aug 26 18:24:49.366857: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Aug 26 18:24:49.366866: | Opening output PBS informational exchange delete request Aug 26 18:24:49.366870: | **emit ISAKMP Message: Aug 26 18:24:49.366874: | initiator cookie: Aug 26 18:24:49.366876: | 11 80 aa 5c 40 d8 5b be Aug 26 18:24:49.366879: | responder cookie: Aug 26 18:24:49.366881: | 59 62 39 99 48 ad dc 34 Aug 26 18:24:49.366885: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:24:49.366888: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:49.366891: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 18:24:49.366895: | flags: none (0x0) Aug 26 18:24:49.366898: | Message ID: 1 (0x1) Aug 26 18:24:49.366914: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:24:49.366918: | ***emit IKEv2 Encryption Payload: Aug 26 18:24:49.366921: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:49.366924: | flags: none (0x0) Aug 26 18:24:49.366927: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:24:49.366930: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload 
type' in 'informational exchange delete request' Aug 26 18:24:49.366934: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:24:49.366947: | ****emit IKEv2 Delete Payload: Aug 26 18:24:49.366950: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:49.366953: | flags: none (0x0) Aug 26 18:24:49.366955: | protocol ID: PROTO_v2_IKE (0x1) Aug 26 18:24:49.366958: | SPI size: 0 (0x0) Aug 26 18:24:49.366960: | number of SPIs: 0 (0x0) Aug 26 18:24:49.366964: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 18:24:49.366967: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:24:49.366970: | emitting length of IKEv2 Delete Payload: 8 Aug 26 18:24:49.366973: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 18:24:49.366977: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:49.366980: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:24:49.366983: | emitting length of IKEv2 Encryption Payload: 37 Aug 26 18:24:49.366989: | emitting length of ISAKMP Message: 65 Aug 26 18:24:49.367016: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Aug 26 18:24:49.367020: | 11 80 aa 5c 40 d8 5b be 59 62 39 99 48 ad dc 34 Aug 26 18:24:49.367024: | 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25 Aug 26 18:24:49.367026: | f6 36 d6 1a fd bb 15 1c 8d d9 5b 05 25 71 bd 44 Aug 26 18:24:49.367029: | 2e 66 e3 89 c2 41 af 5b 29 fb 2e 85 84 27 ec d4 Aug 26 18:24:49.367031: | c9 Aug 26 18:24:49.367062: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Aug 26 18:24:49.367066: | Message ID: IKE #1 sender #1 in send_delete hacking around record ' send Aug 26 
18:24:49.367072: | Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=1 wip.responder=-1 Aug 26 18:24:49.367078: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=0->1 wip.responder=-1 Aug 26 18:24:49.367081: | state #1 requesting EVENT_SA_REKEY to be deleted Aug 26 18:24:49.367091: | libevent_free: release ptr-libevent@0x56407da8db08 Aug 26 18:24:49.367094: | free_event_entry: release EVENT_SA_REKEY-pe@0x56407da8a238 Aug 26 18:24:49.367100: | State DB: IKEv2 state not found (flush_incomplete_children) Aug 26 18:24:49.367103: | in connection_discard for connection eastnet-any Aug 26 18:24:49.367106: | State DB: deleting IKEv2 state #1 in PARENT_R2 Aug 26 18:24:49.367109: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Aug 26 18:24:49.367137: | stop processing: state #1 from 192.1.2.45:500 (in delete_state() at state.c:1143) Aug 26 18:24:49.367158: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 18:24:49.367161: | shunt_eroute() called for connection 'eastnet-any' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 Aug 26 18:24:49.367163: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 18:24:49.367165: | priority calculation of connection "eastnet-any" is 0xfe7e7 Aug 26 18:24:49.367196: | priority calculation of connection "eastnet-any" is 0xfe7e7 Aug 26 18:24:49.367204: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 18:24:49.367206: | conn eastnet-any mark 0/00000000, 0/00000000 vs Aug 26 18:24:49.367208: | conn eastnet-any mark 0/00000000, 0/00000000 Aug 26 18:24:49.367210: | conn eastnet-any mark 0/00000000, 0/00000000 vs Aug 26 18:24:49.367212: | conn eastnet-any mark 0/00000000, 0/00000000 Aug 26 18:24:49.367214: | route owner of "eastnet-any" unrouted: NULL Aug 26 18:24:49.367216: | running updown command "ipsec _updown" for verb unroute Aug 26 18:24:49.367218: | command executing unroute-client Aug 26 18:24:49.367236: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN= Aug 26 18:24:49.367238: | popen cmd is 1025 chars long Aug 26 18:24:49.367242: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' P: Aug 26 18:24:49.367244: | cmd( 80):LUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY: Aug 26 18:24:49.367246: | cmd( 160):_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO: Aug 26 18:24:49.367248: | cmd( 
240):_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA: Aug 26 18:24:49.367250: | cmd( 320):_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1: Aug 26 18:24:49.367251: | cmd( 400):.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_: Aug 26 18:24:49.367253: | cmd( 480):PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLU: Aug 26 18:24:49.367255: | cmd( 560):TO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCR: Aug 26 18:24:49.367256: | cmd( 640):YPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='C: Aug 26 18:24:49.367258: | cmd( 720):K_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0: Aug 26 18:24:49.367260: | cmd( 800):' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CF: Aug 26 18:24:49.367261: | cmd( 880):G_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTI: Aug 26 18:24:49.367263: | cmd( 960):NG='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Aug 26 18:24:49.377349: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:49.377372: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:49.377376: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:49.377381: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:49.377395: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:49.377408: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:49.377424: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:49.377437: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:49.377449: unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 18:24:49.377462: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:49.377475: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:49.377491: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:49.377503: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:49.377517: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:49.377530: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:49.378064: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:49.378081: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:49.385559: | free hp@0x56407da8a108 Aug 26 18:24:49.385572: | flush revival: connection 'eastnet-any' wasn't on the list Aug 26 18:24:49.385575: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Aug 26 18:24:49.385585: | start processing: connection "eastnet-any" (in delete_connection() at connections.c:189) Aug 26 18:24:49.385587: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 18:24:49.385589: | pass 0 Aug 26 18:24:49.385591: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 18:24:49.385592: | pass 1 Aug 26 18:24:49.385594: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 18:24:49.385597: | free hp@0x56407da88178 Aug 26 18:24:49.385599: | flush revival: connection 'eastnet-any' wasn't on the list Aug 26 18:24:49.385601: | stop processing: connection "eastnet-any" (in discard_connection() at connections.c:249) Aug 26 18:24:49.385610: | crl fetch request list locked by 'free_crl_fetch' Aug 26 18:24:49.385611: | crl fetch request list unlocked by 'free_crl_fetch' Aug 26 18:24:49.385622: shutting down interface lo/lo 127.0.0.1:4500 Aug 26 18:24:49.385625: shutting down interface lo/lo 127.0.0.1:500 Aug 26 18:24:49.385627: shutting down interface eth0/eth0 192.0.2.254:4500 Aug 26 18:24:49.385629: shutting down interface eth0/eth0 192.0.2.254:500 Aug 26 18:24:49.385631: shutting down interface eth1/eth1 192.1.2.23:4500 Aug 26 18:24:49.385633: shutting down interface eth1/eth1 192.1.2.23:500 Aug 26 18:24:49.385636: | FOR_EACH_STATE_... in delete_states_dead_interfaces Aug 26 18:24:49.385645: | libevent_free: release ptr-libevent@0x56407da79d28 Aug 26 18:24:49.385648: | free_event_entry: release EVENT_NULL-pe@0x56407da85bb8 Aug 26 18:24:49.385656: | libevent_free: release ptr-libevent@0x56407da163a8 Aug 26 18:24:49.385658: | free_event_entry: release EVENT_NULL-pe@0x56407da85c68 Aug 26 18:24:49.385663: | libevent_free: release ptr-libevent@0x56407da162a8 Aug 26 18:24:49.385665: | free_event_entry: release EVENT_NULL-pe@0x56407da85d18 Aug 26 18:24:49.385670: | libevent_free: release ptr-libevent@0x56407da17688 Aug 26 18:24:49.385672: | free_event_entry: release EVENT_NULL-pe@0x56407da85dc8 Aug 26 18:24:49.385678: | libevent_free: release ptr-libevent@0x56407d9e64e8 Aug 26 18:24:49.385680: | free_event_entry: release EVENT_NULL-pe@0x56407da85e78 Aug 26 18:24:49.385684: | libevent_free: release ptr-libevent@0x56407d9e61d8 Aug 26 18:24:49.385686: | free_event_entry: release EVENT_NULL-pe@0x56407da85f28 Aug 26 18:24:49.385689: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Aug 26 18:24:49.386053: | libevent_free: release ptr-libevent@0x56407da79dd8 Aug 26 18:24:49.386058: | free_event_entry: release EVENT_NULL-pe@0x56407da6db18 Aug 26 18:24:49.386062: | libevent_free: release ptr-libevent@0x56407da17d58 Aug 26 18:24:49.386065: | free_event_entry: release EVENT_NULL-pe@0x56407da6cfd8 Aug 26 18:24:49.386070: | libevent_free: release ptr-libevent@0x56407da51398 Aug 26 18:24:49.386073: | free_event_entry: release EVENT_NULL-pe@0x56407da6db88 Aug 26 18:24:49.386077: | global timer EVENT_REINIT_SECRET uninitialized Aug 26 18:24:49.386080: | global timer EVENT_SHUNT_SCAN uninitialized Aug 26 18:24:49.386083: | global timer EVENT_PENDING_DDNS uninitialized Aug 26 18:24:49.386086: | global timer EVENT_PENDING_PHASE2 uninitialized Aug 26 18:24:49.386088: | global timer EVENT_CHECK_CRLS uninitialized Aug 26 18:24:49.386091: | global timer EVENT_REVIVE_CONNS uninitialized Aug 26 18:24:49.386093: | global timer EVENT_FREE_ROOT_CERTS uninitialized Aug 26 18:24:49.386096: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Aug 26 18:24:49.386098: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Aug 26 18:24:49.386103: | libevent_free: release ptr-libevent@0x56407da18fc8 Aug 26 18:24:49.386106: | signal event handler PLUTO_SIGCHLD uninstalled Aug 26 18:24:49.386110: | libevent_free: release ptr-libevent@0x56407da85318 Aug 26 18:24:49.386112: | signal event handler PLUTO_SIGTERM uninstalled Aug 26 18:24:49.386116: | libevent_free: release ptr-libevent@0x56407da85428 Aug 26 18:24:49.386118: | signal event handler PLUTO_SIGHUP uninstalled Aug 26 18:24:49.386122: | libevent_free: release ptr-libevent@0x56407da85668 Aug 26 18:24:49.386124: | signal event handler PLUTO_SIGSYS uninstalled Aug 26 18:24:49.386127: | releasing event base Aug 26 18:24:49.386139: | libevent_free: release ptr-libevent@0x56407da85538 Aug 26 18:24:49.386142: | libevent_free: release ptr-libevent@0x56407da683c8 Aug 26 18:24:49.386146: | libevent_free: 
release ptr-libevent@0x56407da68378 Aug 26 18:24:49.386149: | libevent_free: release ptr-libevent@0x56407da68308 Aug 26 18:24:49.386151: | libevent_free: release ptr-libevent@0x56407da682c8 Aug 26 18:24:49.386154: | libevent_free: release ptr-libevent@0x56407da850e8 Aug 26 18:24:49.386157: | libevent_free: release ptr-libevent@0x56407da85298 Aug 26 18:24:49.386159: | libevent_free: release ptr-libevent@0x56407da68578 Aug 26 18:24:49.386162: | libevent_free: release ptr-libevent@0x56407da6d0e8 Aug 26 18:24:49.386164: | libevent_free: release ptr-libevent@0x56407da6dad8 Aug 26 18:24:49.386169: | libevent_free: release ptr-libevent@0x56407da85f98 Aug 26 18:24:49.386172: | libevent_free: release ptr-libevent@0x56407da85ee8 Aug 26 18:24:49.386174: | libevent_free: release ptr-libevent@0x56407da85e38 Aug 26 18:24:49.386177: | libevent_free: release ptr-libevent@0x56407da85d88 Aug 26 18:24:49.386179: | libevent_free: release ptr-libevent@0x56407da85cd8 Aug 26 18:24:49.386181: | libevent_free: release ptr-libevent@0x56407da85c28 Aug 26 18:24:49.386184: | libevent_free: release ptr-libevent@0x56407da14ae8 Aug 26 18:24:49.386186: | libevent_free: release ptr-libevent@0x56407da853e8 Aug 26 18:24:49.386189: | libevent_free: release ptr-libevent@0x56407da852d8 Aug 26 18:24:49.386192: | libevent_free: release ptr-libevent@0x56407da85258 Aug 26 18:24:49.386195: | libevent_free: release ptr-libevent@0x56407da854f8 Aug 26 18:24:49.386197: | libevent_free: release ptr-libevent@0x56407da85128 Aug 26 18:24:49.386200: | libevent_free: release ptr-libevent@0x56407d9e5908 Aug 26 18:24:49.386203: | libevent_free: release ptr-libevent@0x56407d9e5d38 Aug 26 18:24:49.386206: | libevent_free: release ptr-libevent@0x56407da14e58 Aug 26 18:24:49.386208: | releasing global libevent data Aug 26 18:24:49.386211: | libevent_free: release ptr-libevent@0x56407d9ebbc8 Aug 26 18:24:49.386214: | libevent_free: release ptr-libevent@0x56407d9e5cd8 Aug 26 18:24:49.386217: | libevent_free: release 
ptr-libevent@0x56407d9e5dd8 Aug 26 18:24:49.386255: leak detective found no leaks