Aug 26 18:24:48.893057: FIPS Product: YES Aug 26 18:24:48.893095: FIPS Kernel: NO Aug 26 18:24:48.893099: FIPS Mode: NO Aug 26 18:24:48.893101: NSS DB directory: sql:/etc/ipsec.d Aug 26 18:24:48.893251: Initializing NSS Aug 26 18:24:48.893259: Opening NSS database "sql:/etc/ipsec.d" read-only Aug 26 18:24:48.932717: NSS initialized Aug 26 18:24:48.932734: NSS crypto library initialized Aug 26 18:24:48.932737: FIPS HMAC integrity support [enabled] Aug 26 18:24:48.932739: FIPS mode disabled for pluto daemon Aug 26 18:24:48.975591: FIPS HMAC integrity verification self-test FAILED Aug 26 18:24:48.975773: libcap-ng support [enabled] Aug 26 18:24:48.975784: Linux audit support [enabled] Aug 26 18:24:48.976030: Linux audit activated Aug 26 18:24:48.976043: Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:28880 Aug 26 18:24:48.976046: core dump dir: /tmp Aug 26 18:24:48.976048: secrets file: /etc/ipsec.secrets Aug 26 18:24:48.976049: leak-detective enabled Aug 26 18:24:48.976051: NSS crypto [enabled] Aug 26 18:24:48.976052: XAUTH PAM support [enabled] Aug 26 18:24:48.976109: | libevent is using pluto's memory allocator Aug 26 18:24:48.976114: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Aug 26 18:24:48.976127: | libevent_malloc: new ptr-libevent@0x55d4a0b1d868 size 40 Aug 26 18:24:48.976132: | libevent_malloc: new ptr-libevent@0x55d4a0b1ccd8 size 40 Aug 26 18:24:48.976135: | libevent_malloc: new ptr-libevent@0x55d4a0b1cdd8 size 40 Aug 26 18:24:48.976136: | creating event base Aug 26 18:24:48.976138: | libevent_malloc: new ptr-libevent@0x55d4a0ba1578 size 56 Aug 26 18:24:48.976142: | libevent_malloc: new ptr-libevent@0x55d4a0b45d28 size 664 Aug 26 18:24:48.976150: | libevent_malloc: new ptr-libevent@0x55d4a0ba15e8 size 
24 Aug 26 18:24:48.976152: | libevent_malloc: new ptr-libevent@0x55d4a0ba1638 size 384 Aug 26 18:24:48.976160: | libevent_malloc: new ptr-libevent@0x55d4a0ba1538 size 16 Aug 26 18:24:48.976161: | libevent_malloc: new ptr-libevent@0x55d4a0b1c908 size 40 Aug 26 18:24:48.976163: | libevent_malloc: new ptr-libevent@0x55d4a0b1cd38 size 48 Aug 26 18:24:48.976166: | libevent_realloc: new ptr-libevent@0x55d4a0b459b8 size 256 Aug 26 18:24:48.976168: | libevent_malloc: new ptr-libevent@0x55d4a0ba17e8 size 16 Aug 26 18:24:48.976173: | libevent_free: release ptr-libevent@0x55d4a0ba1578 Aug 26 18:24:48.976175: | libevent initialized Aug 26 18:24:48.976178: | libevent_realloc: new ptr-libevent@0x55d4a0ba1578 size 64 Aug 26 18:24:48.976182: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Aug 26 18:24:48.976194: | init_nat_traversal() initialized with keep_alive=0s Aug 26 18:24:48.976196: NAT-Traversal support [enabled] Aug 26 18:24:48.976198: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Aug 26 18:24:48.976202: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Aug 26 18:24:48.976205: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Aug 26 18:24:48.976233: | global one-shot timer EVENT_REVIVE_CONNS initialized Aug 26 18:24:48.976235: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Aug 26 18:24:48.976238: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Aug 26 18:24:48.976278: Encryption algorithms: Aug 26 18:24:48.976285: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c Aug 26 18:24:48.976322: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b Aug 26 18:24:48.976333: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a Aug 26 18:24:48.976338: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des Aug 26 18:24:48.976342: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} Aug 26 
18:24:48.976351: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia Aug 26 18:24:48.976356: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c Aug 26 18:24:48.976360: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b Aug 26 18:24:48.976364: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a Aug 26 18:24:48.976368: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr Aug 26 18:24:48.976372: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes Aug 26 18:24:48.976376: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent Aug 26 18:24:48.976380: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish Aug 26 18:24:48.976384: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh Aug 26 18:24:48.976388: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Aug 26 18:24:48.976391: NULL IKEv1: ESP IKEv2: ESP [] Aug 26 18:24:48.976394: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Aug 26 18:24:48.976404: Hash algorithms: Aug 26 18:24:48.976410: MD5 IKEv1: IKE IKEv2: Aug 26 18:24:48.976415: SHA1 IKEv1: IKE IKEv2: FIPS sha Aug 26 18:24:48.976419: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 Aug 26 18:24:48.976423: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 Aug 26 18:24:48.976427: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 Aug 26 18:24:48.976447: PRF algorithms: Aug 26 18:24:48.976451: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 Aug 26 18:24:48.976453: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 Aug 26 18:24:48.976456: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 Aug 26 18:24:48.976458: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 Aug 26 18:24:48.976461: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Aug 26 18:24:48.976465: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Aug 26 18:24:48.976488: Integrity algorithms: Aug 26 18:24:48.976492: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, 
hmac_md5 Aug 26 18:24:48.976494: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 Aug 26 18:24:48.976496: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Aug 26 18:24:48.976499: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Aug 26 18:24:48.976501: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Aug 26 18:24:48.976503: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Aug 26 18:24:48.976506: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 Aug 26 18:24:48.976507: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Aug 26 18:24:48.976509: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Aug 26 18:24:48.976517: DH algorithms: Aug 26 18:24:48.976519: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 Aug 26 18:24:48.976521: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 Aug 26 18:24:48.976523: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 Aug 26 18:24:48.976527: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 Aug 26 18:24:48.976529: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 Aug 26 18:24:48.976531: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 Aug 26 18:24:48.976533: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 Aug 26 18:24:48.976535: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 Aug 26 18:24:48.976537: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 Aug 26 18:24:48.976539: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 Aug 26 18:24:48.976541: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 Aug 26 18:24:48.976543: testing CAMELLIA_CBC: Aug 26 18:24:48.976545: Camellia: 16 bytes with 128-bit key Aug 26 18:24:48.976636: Camellia: 16 bytes with 128-bit key Aug 26 18:24:48.976656: Camellia: 16 bytes with 256-bit key Aug 26 18:24:48.976674: Camellia: 16 bytes with 256-bit key 
Aug 26 18:24:48.976692: testing AES_GCM_16: Aug 26 18:24:48.976694: empty string Aug 26 18:24:48.976715: one block Aug 26 18:24:48.976732: two blocks Aug 26 18:24:48.976748: two blocks with associated data Aug 26 18:24:48.976764: testing AES_CTR: Aug 26 18:24:48.976767: Encrypting 16 octets using AES-CTR with 128-bit key Aug 26 18:24:48.976793: Encrypting 32 octets using AES-CTR with 128-bit key Aug 26 18:24:48.976827: Encrypting 36 octets using AES-CTR with 128-bit key Aug 26 18:24:48.976860: Encrypting 16 octets using AES-CTR with 192-bit key Aug 26 18:24:48.976888: Encrypting 32 octets using AES-CTR with 192-bit key Aug 26 18:24:48.976917: Encrypting 36 octets using AES-CTR with 192-bit key Aug 26 18:24:48.976948: Encrypting 16 octets using AES-CTR with 256-bit key Aug 26 18:24:48.976977: Encrypting 32 octets using AES-CTR with 256-bit key Aug 26 18:24:48.977028: Encrypting 36 octets using AES-CTR with 256-bit key Aug 26 18:24:48.977062: testing AES_CBC: Aug 26 18:24:48.977065: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Aug 26 18:24:48.977090: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Aug 26 18:24:48.977126: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Aug 26 18:24:48.977150: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Aug 26 18:24:48.977179: testing AES_XCBC: Aug 26 18:24:48.977183: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Aug 26 18:24:48.977283: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Aug 26 18:24:48.977434: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Aug 26 18:24:48.977565: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Aug 26 18:24:48.977718: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Aug 26 18:24:48.977871: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Aug 26 18:24:48.978024: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Aug 26 18:24:48.978401: RFC 4434 Test Case AES-XCBC-PRF-128 with 
20-byte input (key length 16) Aug 26 18:24:48.978574: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Aug 26 18:24:48.978741: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Aug 26 18:24:48.979030: testing HMAC_MD5: Aug 26 18:24:48.979035: RFC 2104: MD5_HMAC test 1 Aug 26 18:24:48.979250: RFC 2104: MD5_HMAC test 2 Aug 26 18:24:48.979453: RFC 2104: MD5_HMAC test 3 Aug 26 18:24:48.979720: 8 CPU cores online Aug 26 18:24:48.979725: starting up 7 crypto helpers Aug 26 18:24:48.979771: started thread for crypto helper 0 Aug 26 18:24:48.979797: | starting up helper thread 0 Aug 26 18:24:48.979813: | status value returned by setting the priority of this thread (crypto helper 0) 22 Aug 26 18:24:48.979816: | crypto helper 0 waiting (nothing to do) Aug 26 18:24:48.979900: started thread for crypto helper 1 Aug 26 18:24:48.979926: | starting up helper thread 1 Aug 26 18:24:48.979938: | status value returned by setting the priority of this thread (crypto helper 1) 22 Aug 26 18:24:48.979941: | crypto helper 1 waiting (nothing to do) Aug 26 18:24:48.979955: started thread for crypto helper 2 Aug 26 18:24:48.980009: | starting up helper thread 2 Aug 26 18:24:48.980019: started thread for crypto helper 3 Aug 26 18:24:48.980022: | status value returned by setting the priority of this thread (crypto helper 2) 22 Aug 26 18:24:48.980023: | starting up helper thread 3 Aug 26 18:24:48.980025: | crypto helper 2 waiting (nothing to do) Aug 26 18:24:48.980043: | status value returned by setting the priority of this thread (crypto helper 3) 22 Aug 26 18:24:48.980051: | crypto helper 3 waiting (nothing to do) Aug 26 18:24:48.980058: started thread for crypto helper 4 Aug 26 18:24:48.980062: | starting up helper thread 4 Aug 26 18:24:48.980069: | status value returned by setting the priority of this thread (crypto helper 4) 22 Aug 26 18:24:48.980071: | crypto helper 4 waiting (nothing to do) Aug 26 18:24:48.980083: started thread for crypto helper 
5 Aug 26 18:24:48.980084: | starting up helper thread 5 Aug 26 18:24:48.980092: | status value returned by setting the priority of this thread (crypto helper 5) 22 Aug 26 18:24:48.980094: | crypto helper 5 waiting (nothing to do) Aug 26 18:24:48.980114: started thread for crypto helper 6 Aug 26 18:24:48.980116: | starting up helper thread 6 Aug 26 18:24:48.980123: | status value returned by setting the priority of this thread (crypto helper 6) 22 Aug 26 18:24:48.980125: | checking IKEv1 state table Aug 26 18:24:48.980125: | crypto helper 6 waiting (nothing to do) Aug 26 18:24:48.980137: | MAIN_R0: category: half-open IKE SA flags: 0: Aug 26 18:24:48.980140: | -> MAIN_R1 EVENT_SO_DISCARD Aug 26 18:24:48.980143: | MAIN_I1: category: half-open IKE SA flags: 0: Aug 26 18:24:48.980146: | -> MAIN_I2 EVENT_RETRANSMIT Aug 26 18:24:48.980149: | MAIN_R1: category: open IKE SA flags: 200: Aug 26 18:24:48.980151: | -> MAIN_R2 EVENT_RETRANSMIT Aug 26 18:24:48.980154: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 18:24:48.980157: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 18:24:48.980159: | MAIN_I2: category: open IKE SA flags: 0: Aug 26 18:24:48.980162: | -> MAIN_I3 EVENT_RETRANSMIT Aug 26 18:24:48.980164: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 18:24:48.980167: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 18:24:48.980170: | MAIN_R2: category: open IKE SA flags: 0: Aug 26 18:24:48.980172: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 18:24:48.980175: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 18:24:48.980177: | -> UNDEFINED EVENT_SA_REPLACE Aug 26 18:24:48.980180: | MAIN_I3: category: open IKE SA flags: 0: Aug 26 18:24:48.980182: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 18:24:48.980185: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 18:24:48.980187: | -> UNDEFINED EVENT_SA_REPLACE Aug 26 18:24:48.980190: | MAIN_R3: category: established IKE SA flags: 200: Aug 26 18:24:48.980193: | -> UNDEFINED EVENT_NULL Aug 26 18:24:48.980195: | MAIN_I4: category: established IKE SA flags: 0: Aug 26 18:24:48.980198: | -> UNDEFINED 
EVENT_NULL Aug 26 18:24:48.980201: | AGGR_R0: category: half-open IKE SA flags: 0: Aug 26 18:24:48.980204: | -> AGGR_R1 EVENT_SO_DISCARD Aug 26 18:24:48.980207: | AGGR_I1: category: half-open IKE SA flags: 0: Aug 26 18:24:48.980209: | -> AGGR_I2 EVENT_SA_REPLACE Aug 26 18:24:48.980212: | -> AGGR_I2 EVENT_SA_REPLACE Aug 26 18:24:48.980214: | AGGR_R1: category: open IKE SA flags: 200: Aug 26 18:24:48.980217: | -> AGGR_R2 EVENT_SA_REPLACE Aug 26 18:24:48.980219: | -> AGGR_R2 EVENT_SA_REPLACE Aug 26 18:24:48.980222: | AGGR_I2: category: established IKE SA flags: 200: Aug 26 18:24:48.980225: | -> UNDEFINED EVENT_NULL Aug 26 18:24:48.980228: | AGGR_R2: category: established IKE SA flags: 0: Aug 26 18:24:48.980230: | -> UNDEFINED EVENT_NULL Aug 26 18:24:48.980233: | QUICK_R0: category: established CHILD SA flags: 0: Aug 26 18:24:48.980235: | -> QUICK_R1 EVENT_RETRANSMIT Aug 26 18:24:48.980242: | QUICK_I1: category: established CHILD SA flags: 0: Aug 26 18:24:48.980244: | -> QUICK_I2 EVENT_SA_REPLACE Aug 26 18:24:48.980247: | QUICK_R1: category: established CHILD SA flags: 0: Aug 26 18:24:48.980250: | -> QUICK_R2 EVENT_SA_REPLACE Aug 26 18:24:48.980253: | QUICK_I2: category: established CHILD SA flags: 200: Aug 26 18:24:48.980255: | -> UNDEFINED EVENT_NULL Aug 26 18:24:48.980258: | QUICK_R2: category: established CHILD SA flags: 0: Aug 26 18:24:48.980261: | -> UNDEFINED EVENT_NULL Aug 26 18:24:48.980263: | INFO: category: informational flags: 0: Aug 26 18:24:48.980266: | -> UNDEFINED EVENT_NULL Aug 26 18:24:48.980269: | INFO_PROTECTED: category: informational flags: 0: Aug 26 18:24:48.980271: | -> UNDEFINED EVENT_NULL Aug 26 18:24:48.980274: | XAUTH_R0: category: established IKE SA flags: 0: Aug 26 18:24:48.980277: | -> XAUTH_R1 EVENT_NULL Aug 26 18:24:48.980279: | XAUTH_R1: category: established IKE SA flags: 0: Aug 26 18:24:48.980282: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 18:24:48.980284: | MODE_CFG_R0: category: informational flags: 0: Aug 26 18:24:48.980287: | -> 
MODE_CFG_R1 EVENT_SA_REPLACE Aug 26 18:24:48.980326: | MODE_CFG_R1: category: established IKE SA flags: 0: Aug 26 18:24:48.980329: | -> MODE_CFG_R2 EVENT_SA_REPLACE Aug 26 18:24:48.980331: | MODE_CFG_R2: category: established IKE SA flags: 0: Aug 26 18:24:48.980333: | -> UNDEFINED EVENT_NULL Aug 26 18:24:48.980336: | MODE_CFG_I1: category: established IKE SA flags: 0: Aug 26 18:24:48.980338: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 18:24:48.980340: | XAUTH_I0: category: established IKE SA flags: 0: Aug 26 18:24:48.980343: | -> XAUTH_I1 EVENT_RETRANSMIT Aug 26 18:24:48.980345: | XAUTH_I1: category: established IKE SA flags: 0: Aug 26 18:24:48.980347: | -> MAIN_I4 EVENT_RETRANSMIT Aug 26 18:24:48.980352: | checking IKEv2 state table Aug 26 18:24:48.980358: | PARENT_I0: category: ignore flags: 0: Aug 26 18:24:48.980361: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Aug 26 18:24:48.980364: | PARENT_I1: category: half-open IKE SA flags: 0: Aug 26 18:24:48.980367: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Aug 26 18:24:48.980370: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Aug 26 18:24:48.980374: | PARENT_I2: category: open IKE SA flags: 0: Aug 26 18:24:48.980377: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Aug 26 18:24:48.980380: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Aug 26 18:24:48.980383: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Aug 26 18:24:48.980385: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Aug 26 18:24:48.980388: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Aug 26 18:24:48.980391: | PARENT_I3: category: established IKE SA flags: 0: Aug 26 18:24:48.980394: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) Aug 26 
18:24:48.980397: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) Aug 26 18:24:48.980399: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Aug 26 18:24:48.980402: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) Aug 26 18:24:48.980405: | PARENT_R0: category: half-open IKE SA flags: 0: Aug 26 18:24:48.980408: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) Aug 26 18:24:48.980411: | PARENT_R1: category: half-open IKE SA flags: 0: Aug 26 18:24:48.980414: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) Aug 26 18:24:48.980417: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Aug 26 18:24:48.980420: | PARENT_R2: category: established IKE SA flags: 0: Aug 26 18:24:48.980422: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Aug 26 18:24:48.980428: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) Aug 26 18:24:48.980431: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Aug 26 18:24:48.980433: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) Aug 26 18:24:48.980436: | V2_CREATE_I0: category: established IKE SA flags: 0: Aug 26 18:24:48.980439: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Aug 26 18:24:48.980442: | V2_CREATE_I: category: established IKE SA flags: 0: Aug 26 18:24:48.980444: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Aug 26 18:24:48.980447: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: Aug 26 18:24:48.980450: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Aug 26 18:24:48.980453: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Aug 26 18:24:48.980456: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Aug 26 18:24:48.980459: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Aug 26 18:24:48.980462: | -> 
V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Aug 26 18:24:48.980465: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Aug 26 18:24:48.980468: | V2_CREATE_R: category: established IKE SA flags: 0: Aug 26 18:24:48.980471: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Aug 26 18:24:48.980475: | V2_REKEY_IKE_R: category: established IKE SA flags: 0: Aug 26 18:24:48.980477: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Aug 26 18:24:48.980480: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Aug 26 18:24:48.980483: | V2_IPSEC_I: category: established CHILD SA flags: 0: Aug 26 18:24:48.980486: | V2_IPSEC_R: category: established CHILD SA flags: 0: Aug 26 18:24:48.980489: | IKESA_DEL: category: established IKE SA flags: 0: Aug 26 18:24:48.980492: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Aug 26 18:24:48.980495: | CHILDSA_DEL: category: informational flags: 0: Aug 26 18:24:48.980529: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 Aug 26 18:24:48.980904: | Hard-wiring algorithms Aug 26 18:24:48.980910: | adding AES_CCM_16 to kernel algorithm db Aug 26 18:24:48.980914: | adding AES_CCM_12 to kernel algorithm db Aug 26 18:24:48.980917: | adding AES_CCM_8 to kernel algorithm db Aug 26 18:24:48.980920: | adding 3DES_CBC to kernel algorithm db Aug 26 18:24:48.980922: | adding CAMELLIA_CBC to kernel algorithm db Aug 26 18:24:48.980925: | adding AES_GCM_16 to kernel algorithm db Aug 26 18:24:48.980927: | adding AES_GCM_12 to kernel algorithm db Aug 26 18:24:48.980930: | adding AES_GCM_8 to kernel algorithm db Aug 26 18:24:48.980933: | adding AES_CTR to kernel algorithm db Aug 26 18:24:48.980935: | adding AES_CBC to kernel algorithm db Aug 26 18:24:48.980938: | adding SERPENT_CBC to kernel algorithm db Aug 26 18:24:48.980940: | adding TWOFISH_CBC to kernel algorithm db Aug 26 18:24:48.980943: 
| adding NULL_AUTH_AES_GMAC to kernel algorithm db Aug 26 18:24:48.980946: | adding NULL to kernel algorithm db Aug 26 18:24:48.980948: | adding CHACHA20_POLY1305 to kernel algorithm db Aug 26 18:24:48.980951: | adding HMAC_MD5_96 to kernel algorithm db Aug 26 18:24:48.980954: | adding HMAC_SHA1_96 to kernel algorithm db Aug 26 18:24:48.980957: | adding HMAC_SHA2_512_256 to kernel algorithm db Aug 26 18:24:48.980959: | adding HMAC_SHA2_384_192 to kernel algorithm db Aug 26 18:24:48.980962: | adding HMAC_SHA2_256_128 to kernel algorithm db Aug 26 18:24:48.980965: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Aug 26 18:24:48.980967: | adding AES_XCBC_96 to kernel algorithm db Aug 26 18:24:48.980970: | adding AES_CMAC_96 to kernel algorithm db Aug 26 18:24:48.980972: | adding NONE to kernel algorithm db Aug 26 18:24:48.980996: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Aug 26 18:24:48.981003: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Aug 26 18:24:48.981006: | setup kernel fd callback Aug 26 18:24:48.981010: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55d4a0ba6248 Aug 26 18:24:48.981014: | libevent_malloc: new ptr-libevent@0x55d4a0b8a5f8 size 128 Aug 26 18:24:48.981018: | libevent_malloc: new ptr-libevent@0x55d4a0ba6358 size 16 Aug 26 18:24:48.981024: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55d4a0ba6d88 Aug 26 18:24:48.981027: | libevent_malloc: new ptr-libevent@0x55d4a0b48f28 size 128 Aug 26 18:24:48.981030: | libevent_malloc: new ptr-libevent@0x55d4a0ba6d48 size 16 Aug 26 18:24:48.981281: | global one-shot timer EVENT_CHECK_CRLS initialized Aug 26 18:24:48.981326: selinux support is enabled. 
Aug 26 18:24:48.981731: | unbound context created - setting debug level to 5 Aug 26 18:24:48.981760: | /etc/hosts lookups activated Aug 26 18:24:48.981775: | /etc/resolv.conf usage activated Aug 26 18:24:48.981858: | outgoing-port-avoid set 0-65535 Aug 26 18:24:48.981903: | outgoing-port-permit set 32768-60999 Aug 26 18:24:48.981907: | Loading dnssec root key from:/var/lib/unbound/root.key Aug 26 18:24:48.981910: | No additional dnssec trust anchors defined via dnssec-trusted= option Aug 26 18:24:48.981913: | Setting up events, loop start Aug 26 18:24:48.981917: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55d4a0ba6df8 Aug 26 18:24:48.981920: | libevent_malloc: new ptr-libevent@0x55d4a0bb3008 size 128 Aug 26 18:24:48.981924: | libevent_malloc: new ptr-libevent@0x55d4a0bbe2d8 size 16 Aug 26 18:24:48.981930: | libevent_realloc: new ptr-libevent@0x55d4a0bbe318 size 256 Aug 26 18:24:48.981934: | libevent_malloc: new ptr-libevent@0x55d4a0bbe448 size 8 Aug 26 18:24:48.981937: | libevent_realloc: new ptr-libevent@0x55d4a0b18918 size 144 Aug 26 18:24:48.981940: | libevent_malloc: new ptr-libevent@0x55d4a0b51988 size 152 Aug 26 18:24:48.981944: | libevent_malloc: new ptr-libevent@0x55d4a0bbe488 size 16 Aug 26 18:24:48.981961: | signal event handler PLUTO_SIGCHLD installed Aug 26 18:24:48.981965: | libevent_malloc: new ptr-libevent@0x55d4a0bbe4c8 size 8 Aug 26 18:24:48.981969: | libevent_malloc: new ptr-libevent@0x55d4a0b497b8 size 152 Aug 26 18:24:48.981972: | signal event handler PLUTO_SIGTERM installed Aug 26 18:24:48.981975: | libevent_malloc: new ptr-libevent@0x55d4a0bbe508 size 8 Aug 26 18:24:48.981978: | libevent_malloc: new ptr-libevent@0x55d4a0bbe548 size 152 Aug 26 18:24:48.981981: | signal event handler PLUTO_SIGHUP installed Aug 26 18:24:48.981984: | libevent_malloc: new ptr-libevent@0x55d4a0bbe618 size 8 Aug 26 18:24:48.981999: | libevent_realloc: release ptr-libevent@0x55d4a0b18918 Aug 26 18:24:48.982002: | libevent_realloc: new 
ptr-libevent@0x55d4a0bbe658 size 256 Aug 26 18:24:48.982005: | libevent_malloc: new ptr-libevent@0x55d4a0bbe788 size 152 Aug 26 18:24:48.982008: | signal event handler PLUTO_SIGSYS installed Aug 26 18:24:48.982372: | created addconn helper (pid:28947) using fork+execve Aug 26 18:24:48.982416: | forked child 28947 Aug 26 18:24:48.982461: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:24:48.982799: listening for IKE messages Aug 26 18:24:48.983120: | Inspecting interface lo Aug 26 18:24:48.983129: | found lo with address 127.0.0.1 Aug 26 18:24:48.983133: | Inspecting interface eth0 Aug 26 18:24:48.983138: | found eth0 with address 192.0.2.254 Aug 26 18:24:48.983142: | Inspecting interface eth1 Aug 26 18:24:48.983146: | found eth1 with address 192.1.2.23 Aug 26 18:24:48.983246: Kernel supports NIC esp-hw-offload Aug 26 18:24:48.983260: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Aug 26 18:24:48.983283: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 18:24:48.983292: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 18:24:48.983299: adding interface eth1/eth1 192.1.2.23:4500 Aug 26 18:24:48.983332: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Aug 26 18:24:48.983354: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 18:24:48.983359: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 18:24:48.983363: adding interface eth0/eth0 192.0.2.254:4500 Aug 26 18:24:48.983388: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Aug 26 18:24:48.983409: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 18:24:48.983413: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 18:24:48.983417: adding interface lo/lo 127.0.0.1:4500 Aug 26 18:24:48.983479: | no interfaces to sort Aug 26 
18:24:48.983485: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations Aug 26 18:24:48.983494: | add_fd_read_event_handler: new ethX-pe@0x55d4a0bbec58 Aug 26 18:24:48.983497: | libevent_malloc: new ptr-libevent@0x55d4a0bb2f58 size 128 Aug 26 18:24:48.983501: | libevent_malloc: new ptr-libevent@0x55d4a0bbecc8 size 16 Aug 26 18:24:48.983511: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 18:24:48.983514: | add_fd_read_event_handler: new ethX-pe@0x55d4a0bbed08 Aug 26 18:24:48.983520: | libevent_malloc: new ptr-libevent@0x55d4a0b461c8 size 128 Aug 26 18:24:48.983523: | libevent_malloc: new ptr-libevent@0x55d4a0bbed78 size 16 Aug 26 18:24:48.983527: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 18:24:48.983530: | add_fd_read_event_handler: new ethX-pe@0x55d4a0bbedb8 Aug 26 18:24:48.983532: | libevent_malloc: new ptr-libevent@0x55d4a0b46118 size 128 Aug 26 18:24:48.983535: | libevent_malloc: new ptr-libevent@0x55d4a0bbee28 size 16 Aug 26 18:24:48.983540: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Aug 26 18:24:48.983542: | add_fd_read_event_handler: new ethX-pe@0x55d4a0bbee68 Aug 26 18:24:48.983544: | libevent_malloc: new ptr-libevent@0x55d4a0b496e8 size 128 Aug 26 18:24:48.983547: | libevent_malloc: new ptr-libevent@0x55d4a0bbeed8 size 16 Aug 26 18:24:48.983551: | setup callback for interface eth0 192.0.2.254:500 fd 19 Aug 26 18:24:48.983554: | add_fd_read_event_handler: new ethX-pe@0x55d4a0bbef18 Aug 26 18:24:48.983558: | libevent_malloc: new ptr-libevent@0x55d4a0b1d4e8 size 128 Aug 26 18:24:48.983561: | libevent_malloc: new ptr-libevent@0x55d4a0bbef88 size 16 Aug 26 18:24:48.983566: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 18:24:48.983568: | add_fd_read_event_handler: new ethX-pe@0x55d4a0bbefc8 Aug 26 18:24:48.983571: | libevent_malloc: new ptr-libevent@0x55d4a0b1d1d8 size 128 Aug 26 18:24:48.983574: | libevent_malloc: new ptr-libevent@0x55d4a0bbf038 size 16 Aug 26 18:24:48.983579: | setup 
callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 18:24:48.983583: | certs and keys locked by 'free_preshared_secrets' Aug 26 18:24:48.983585: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 18:24:48.983605: loading secrets from "/etc/ipsec.secrets" Aug 26 18:24:48.983623: | saving Modulus Aug 26 18:24:48.983628: | saving PublicExponent Aug 26 18:24:48.983632: | ignoring PrivateExponent Aug 26 18:24:48.983635: | ignoring Prime1 Aug 26 18:24:48.983638: | ignoring Prime2 Aug 26 18:24:48.983641: | ignoring Exponent1 Aug 26 18:24:48.983644: | ignoring Exponent2 Aug 26 18:24:48.983647: | ignoring Coefficient Aug 26 18:24:48.983651: | ignoring CKAIDNSS Aug 26 18:24:48.983688: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Aug 26 18:24:48.983692: | computed rsa CKAID 8a 82 25 f1 Aug 26 18:24:48.983698: loaded private key for keyid: PKK_RSA:AQO9bJbr3 Aug 26 18:24:48.983705: | certs and keys locked by 'process_secret' Aug 26 18:24:48.983709: | certs and keys unlocked by 'process_secret' Aug 26 18:24:48.983717: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:24:48.983723: | spent 1.27 milliseconds in whack Aug 26 18:24:49.001366: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:24:49.001398: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 18:24:49.001422: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 18:24:49.001424: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 18:24:49.001439: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 18:24:49.001442: | FOR_EACH_CONNECTION_... 
in conn_by_name Aug 26 18:24:49.001447: | Added new connection north-east with policy ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 18:24:49.001450: | No AUTH policy was set - defaulting to RSASIG Aug 26 18:24:49.001488: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Aug 26 18:24:49.001491: | from whack: got --esp= Aug 26 18:24:49.001515: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 Aug 26 18:24:49.001519: | counting wild cards for @north is 0 Aug 26 18:24:49.001521: | counting wild cards for @east is 0 Aug 26 18:24:49.001524: | based upon policy narrowing=yes, the connection is a template. 
Aug 26 18:24:49.001529: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@(nil): none Aug 26 18:24:49.001531: | new hp@0x55d4a0bc1588 Aug 26 18:24:49.001534: added connection description "north-east" Aug 26 18:24:49.001542: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 18:24:49.001550: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.3.33<192.1.3.33>[@north]===192.0.3.254/32 Aug 26 18:24:49.001555: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:24:49.001560: | spent 0.202 milliseconds in whack Aug 26 18:24:49.001639: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:24:49.001651: add keyid @north
Aug 26 18:24:49.001699: | computed rsa CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Aug 26 18:24:49.001701: | computed rsa CKAID 88 aa 7c 5d Aug 26 18:24:49.001709: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:24:49.001716: | spent 0.0835 milliseconds in whack Aug 26 18:24:49.001731: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:24:49.001737: add keyid @east
Aug 26 18:24:49.001772: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Aug 26 18:24:49.001774: | computed rsa CKAID 8a 82 25 f1 Aug 26 18:24:49.001780: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:24:49.001783: | spent 0.0558 milliseconds in whack Aug 26 18:24:49.001841: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:24:49.001853: listening for IKE messages Aug 26 18:24:49.001914: | Inspecting interface lo Aug 26 18:24:49.001919: | found lo with address 127.0.0.1 Aug 26 18:24:49.001921: | Inspecting interface eth0 Aug 26 18:24:49.001924: | found eth0 with address 192.0.2.254 Aug 26 18:24:49.001925: | Inspecting interface eth1 Aug 26 18:24:49.001928: | found eth1 with address 192.1.2.23 Aug 26 18:24:49.002096: | no interfaces to sort Aug 26 18:24:49.002103: | libevent_free: release ptr-libevent@0x55d4a0bb2f58 Aug 26 18:24:49.002105: | free_event_entry: release EVENT_NULL-pe@0x55d4a0bbec58 Aug 26 18:24:49.002108: | add_fd_read_event_handler: new ethX-pe@0x55d4a0bbec58 Aug 26 18:24:49.002110: | libevent_malloc: new ptr-libevent@0x55d4a0bb2f58 size 128 Aug 26 18:24:49.002115: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 18:24:49.002118: | libevent_free: release ptr-libevent@0x55d4a0b461c8 Aug 26 18:24:49.002120: | free_event_entry: release EVENT_NULL-pe@0x55d4a0bbed08 Aug 26 18:24:49.002122: | add_fd_read_event_handler: new ethX-pe@0x55d4a0bbed08 Aug 26 18:24:49.002123: | libevent_malloc: new ptr-libevent@0x55d4a0b461c8 size 128 Aug 26 18:24:49.002127: | setup callback for
interface lo 127.0.0.1:500 fd 21 Aug 26 18:24:49.002129: | libevent_free: release ptr-libevent@0x55d4a0b46118 Aug 26 18:24:49.002131: | free_event_entry: release EVENT_NULL-pe@0x55d4a0bbedb8 Aug 26 18:24:49.002133: | add_fd_read_event_handler: new ethX-pe@0x55d4a0bbedb8 Aug 26 18:24:49.002134: | libevent_malloc: new ptr-libevent@0x55d4a0b46118 size 128 Aug 26 18:24:49.002137: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Aug 26 18:24:49.002140: | libevent_free: release ptr-libevent@0x55d4a0b496e8 Aug 26 18:24:49.002142: | free_event_entry: release EVENT_NULL-pe@0x55d4a0bbee68 Aug 26 18:24:49.002146: | add_fd_read_event_handler: new ethX-pe@0x55d4a0bbee68 Aug 26 18:24:49.002148: | libevent_malloc: new ptr-libevent@0x55d4a0b496e8 size 128 Aug 26 18:24:49.002151: | setup callback for interface eth0 192.0.2.254:500 fd 19 Aug 26 18:24:49.002154: | libevent_free: release ptr-libevent@0x55d4a0b1d4e8 Aug 26 18:24:49.002155: | free_event_entry: release EVENT_NULL-pe@0x55d4a0bbef18 Aug 26 18:24:49.002157: | add_fd_read_event_handler: new ethX-pe@0x55d4a0bbef18 Aug 26 18:24:49.002159: | libevent_malloc: new ptr-libevent@0x55d4a0b1d4e8 size 128 Aug 26 18:24:49.002162: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 18:24:49.002164: | libevent_free: release ptr-libevent@0x55d4a0b1d1d8 Aug 26 18:24:49.002166: | free_event_entry: release EVENT_NULL-pe@0x55d4a0bbefc8 Aug 26 18:24:49.002168: | add_fd_read_event_handler: new ethX-pe@0x55d4a0bbefc8 Aug 26 18:24:49.002169: | libevent_malloc: new ptr-libevent@0x55d4a0b1d1d8 size 128 Aug 26 18:24:49.002172: | setup callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 18:24:49.002175: | certs and keys locked by 'free_preshared_secrets' Aug 26 18:24:49.002176: forgetting secrets Aug 26 18:24:49.002182: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 18:24:49.002193: loading secrets from "/etc/ipsec.secrets" Aug 26 18:24:49.002203: | saving Modulus Aug 26 18:24:49.002206: | saving 
PublicExponent Aug 26 18:24:49.002208: | ignoring PrivateExponent Aug 26 18:24:49.002210: | ignoring Prime1 Aug 26 18:24:49.002212: | ignoring Prime2 Aug 26 18:24:49.002214: | ignoring Exponent1 Aug 26 18:24:49.002216: | ignoring Exponent2 Aug 26 18:24:49.002218: | ignoring Coefficient Aug 26 18:24:49.002220: | ignoring CKAIDNSS Aug 26 18:24:49.002228: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Aug 26 18:24:49.002230: | computed rsa CKAID 8a 82 25 f1 Aug 26 18:24:49.002232: loaded private key for keyid: PKK_RSA:AQO9bJbr3 Aug 26 18:24:49.002236: | certs and keys locked by 'process_secret' Aug 26 18:24:49.002238: | certs and keys unlocked by 'process_secret' Aug 26 18:24:49.002245: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:24:49.002249: | spent 0.413 milliseconds in whack Aug 26 18:24:49.002261: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:24:49.002268: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 18:24:49.002270: | start processing: connection "north-east" (in whack_route_connection() at rcv_whack.c:106) Aug 26 18:24:49.002273: | could_route called for north-east (kind=CK_TEMPLATE) Aug 26 18:24:49.002274: | FOR_EACH_CONNECTION_... in route_owner Aug 26 18:24:49.002276: | conn north-east mark 0/00000000, 0/00000000 vs Aug 26 18:24:49.002278: | conn north-east mark 0/00000000, 0/00000000 Aug 26 18:24:49.002281: | route owner of "north-east" unrouted: NULL; eroute owner: NULL Aug 26 18:24:49.002283: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 18:24:49.002285: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 18:24:49.002286: | conn north-east mark 0/00000000, 0/00000000 vs Aug 26 18:24:49.002292: | conn north-east mark 0/00000000, 0/00000000 Aug 26 18:24:49.002313: | route owner of "north-east" unrouted: NULL; eroute owner: NULL Aug 26 18:24:49.002316: | route_and_eroute with c: north-east (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0 Aug 26 18:24:49.002321: | shunt_eroute() called for connection 'north-east' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0 Aug 26 18:24:49.002323: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 18:24:49.002325: | priority calculation of connection "north-east" is 0xfe7df Aug 26 18:24:49.002331: | IPsec Sa SPD priority set to 1042399 Aug 26 18:24:49.002390: | priority calculation of connection "north-east" is 0xfe7df Aug 26 18:24:49.002393: | route_and_eroute: firewall_notified: true Aug 26 18:24:49.002395: | running updown command "ipsec _updown" for verb prepare Aug 26 18:24:49.002397: | command executing prepare-client Aug 26 18:24:49.002446: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' 
PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' Aug 26 18:24:49.002452: | popen cmd is 1049 chars long Aug 26 18:24:49.002456: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PL: Aug 26 18:24:49.002459: | cmd( 80):UTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_: Aug 26 18:24:49.002463: | cmd( 160):ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_: Aug 26 18:24:49.002466: | cmd( 240):MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_: Aug 26 18:24:49.002468: | cmd( 320):REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north: Aug 26 18:24:49.002469: | cmd( 400):' PLUTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_P: Aug 26 18:24:49.002471: | cmd( 480):EER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PL: Aug 26 18:24:49.002473: | cmd( 560):UTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+: Aug 26 18:24:49.002474: | cmd( 640):ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+: Aug 26 18:24:49.002476: | cmd( 720):ESN_NO' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=: Aug 26 18:24:49.002478: | cmd( 800):0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO: Aug 26 18:24:49.002479: | cmd( 880):_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0: Aug 26 18:24:49.002481: | cmd( 960):' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _up: Aug 26 18:24:49.002482: | cmd(1040):down 2>&1: Aug 26 18:24:49.012685: | running updown command "ipsec _updown" for verb route Aug 26 18:24:49.012702: | command executing route-client Aug 26 18:24:49.012725: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' 
PLUTO_CONNECTION='north-east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI Aug 26 18:24:49.012727: | popen cmd is 1047 chars long Aug 26 18:24:49.012729: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUT: Aug 26 18:24:49.012731: | cmd( 80):O_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID: Aug 26 18:24:49.012737: | cmd( 160):='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY: Aug 26 18:24:49.012739: | cmd( 240):_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_RE: Aug 26 18:24:49.012740: | cmd( 320):QID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' : Aug 26 18:24:49.012742: | cmd( 400):PLUTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEE: Aug 26 18:24:49.012743: | cmd( 480):R_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUT: Aug 26 18:24:49.012745: | cmd( 560):O_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+EN: Aug 26 18:24:49.012747: | cmd( 
640):CRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ES: Aug 26 18:24:49.012748: | cmd( 720):N_NO' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 : Aug 26 18:24:49.012750: | cmd( 800):PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_P: Aug 26 18:24:49.012766: | cmd( 880):EER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' : Aug 26 18:24:49.012768: | cmd( 960):VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updo: Aug 26 18:24:49.012770: | cmd(1040):wn 2>&1: Aug 26 18:24:49.027608: | stop processing: connection "north-east" (in whack_route_connection() at rcv_whack.c:116) Aug 26 18:24:49.027634: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:24:49.027644: | spent 1.22 milliseconds in whack Aug 26 18:24:49.027659: | processing signal PLUTO_SIGCHLD Aug 26 18:24:49.027663: | waitpid returned nothing left to do (all child processes are busy) Aug 26 18:24:49.027666: | spent 0.004 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:24:49.027668: | processing signal PLUTO_SIGCHLD Aug 26 18:24:49.027671: | waitpid returned nothing left to do (all child processes are busy) Aug 26 18:24:49.027673: | spent 0.00251 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:24:49.028185: | processing signal PLUTO_SIGCHLD Aug 26 18:24:49.028199: | waitpid returned pid 28947 (exited with status 0) Aug 26 18:24:49.028202: | reaped addconn helper child (status 0) Aug 26 18:24:49.028210: | waitpid returned ECHILD (no child processes left) Aug 26 18:24:49.028214: | spent 0.0211 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:24:50.148653: | spent 0.00391 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 18:24:50.148695: | *received 828 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Aug 26 18:24:50.148838: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Aug 26 18:24:50.148842: | **parse ISAKMP Message: Aug 26 18:24:50.148845: | initiator cookie: Aug 26 18:24:50.148847: | 95 9c 0b 68 d1 11 81 2d Aug 26 18:24:50.148850: |
responder cookie: Aug 26 18:24:50.148853: | 00 00 00 00 00 00 00 00 Aug 26 18:24:50.148856: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 18:24:50.148859: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:50.148862: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 18:24:50.148866: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 18:24:50.148869: | Message ID: 0 (0x0) Aug 26 18:24:50.148872: | length: 828 (0x33c) Aug 26 18:24:50.148875: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Aug 26 18:24:50.148879: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Aug 26 18:24:50.148882: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Aug 26 18:24:50.148887: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 18:24:50.148891: | ***parse IKEv2 Security Association Payload: Aug 26 18:24:50.148894: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 18:24:50.148897: | flags: none (0x0) Aug 26 18:24:50.148899: | length: 436 (0x1b4) Aug 26 18:24:50.148904: | processing payload: ISAKMP_NEXT_v2SA (len=432) Aug 26 18:24:50.148907: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 18:24:50.148910: | ***parse IKEv2 Key Exchange Payload: Aug 26 18:24:50.148913: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 18:24:50.148916: | flags: none (0x0) Aug 26 18:24:50.148918: | length: 264 (0x108) Aug 26 18:24:50.148921: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:24:50.148924: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 18:24:50.148926: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 18:24:50.148929: | ***parse IKEv2 Nonce Payload: Aug 26 18:24:50.148931: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:24:50.148934: | flags: none (0x0) Aug 26 18:24:50.148936: | length: 36 (0x24) Aug 26 18:24:50.148939: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 18:24:50.148942: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 
18:24:50.148944: | ***parse IKEv2 Notify Payload: Aug 26 18:24:50.148947: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:24:50.148949: | flags: none (0x0) Aug 26 18:24:50.148952: | length: 8 (0x8) Aug 26 18:24:50.148955: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:24:50.148957: | SPI size: 0 (0x0) Aug 26 18:24:50.148960: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 18:24:50.148963: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 18:24:50.148966: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:24:50.148968: | ***parse IKEv2 Notify Payload: Aug 26 18:24:50.148971: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:24:50.148973: | flags: none (0x0) Aug 26 18:24:50.148976: | length: 28 (0x1c) Aug 26 18:24:50.148978: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:24:50.148981: | SPI size: 0 (0x0) Aug 26 18:24:50.148984: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 18:24:50.148986: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 18:24:50.148989: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:24:50.148991: | ***parse IKEv2 Notify Payload: Aug 26 18:24:50.148994: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:50.148997: | flags: none (0x0) Aug 26 18:24:50.148999: | length: 28 (0x1c) Aug 26 18:24:50.149001: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:24:50.149004: | SPI size: 0 (0x0) Aug 26 18:24:50.149007: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 18:24:50.149009: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 18:24:50.149012: | DDOS disabled and no cookie sent, continuing Aug 26 18:24:50.149018: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 18:24:50.149023: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Aug 26 18:24:50.149027: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 18:24:50.149031: | found 
policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-east) Aug 26 18:24:50.149034: | find_next_host_connection returns empty Aug 26 18:24:50.149038: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 18:24:50.149041: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 18:24:50.149043: | find_next_host_connection returns empty Aug 26 18:24:50.149047: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Aug 26 18:24:50.149052: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 18:24:50.149057: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Aug 26 18:24:50.149059: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 18:24:50.149063: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-east) Aug 26 18:24:50.149066: | find_next_host_connection returns north-east Aug 26 18:24:50.149070: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 18:24:50.149073: | find_next_host_connection returns empty Aug 26 18:24:50.149075: | local endpoint has narrowing=yes - needs instantiation Aug 26 18:24:50.149084: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Aug 26 18:24:50.149089: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@0x55d4a0bc1588: north-east Aug 26 18:24:50.149094: | rw_instantiate() instantiated "north-east"[1] 192.1.3.33 for 192.1.3.33 Aug 26 18:24:50.149098: | found connection: north-east[1] 192.1.3.33 with policy RSASIG+IKEV2_ALLOW Aug 26 18:24:50.149127: | creating state object #1 at 0x55d4a0bc4158 Aug 26 18:24:50.149131: | State DB: adding IKEv2 state #1 in UNDEFINED Aug 26 18:24:50.149140: | pstats #1 ikev2.ike started Aug 26 18:24:50.149145: | Message ID: 
init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Aug 26 18:24:50.149149: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Aug 26 18:24:50.149155: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Aug 26 18:24:50.149165: | start processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 18:24:50.149168: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 18:24:50.149174: | [RE]START processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33 (in ike_process_packet() at ikev2.c:2064) Aug 26 18:24:50.149177: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Aug 26 18:24:50.149182: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Aug 26 18:24:50.149186: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Aug 26 18:24:50.149189: | #1 in state PARENT_R0: processing SA_INIT request Aug 26 18:24:50.149192: | selected state microcode Respond to IKE_SA_INIT Aug 26 18:24:50.149195: | Now let's proceed with state specific processing Aug 26 18:24:50.149198: | calling processor Respond to IKE_SA_INIT Aug 26 18:24:50.149209: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 18:24:50.149212: | constructing local IKE proposals for north-east (IKE SA responder matching remote proposals) Aug 26 18:24:50.149221: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:24:50.149229: | ... 
ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:24:50.149233: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:24:50.149238: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:24:50.149242: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:24:50.149248: | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:24:50.149251: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:24:50.149257: | ... 
ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:24:50.149267: "north-east"[1] 192.1.3.33: constructed local IKE proposals for north-east (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:24:50.149276: | Comparing remote proposals against IKE responder 4 local proposals Aug 26 18:24:50.149282: | local proposal 1 type ENCR has 1 transforms Aug 26 18:24:50.149285: | local proposal 1 type PRF has 2 transforms Aug 26 18:24:50.149293: | local proposal 1 type INTEG has 1 transforms Aug 26 18:24:50.149299: | local proposal 1 type DH has 8 transforms Aug 26 18:24:50.149302: | local proposal 1 type ESN has 0 transforms Aug 26 18:24:50.149308: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 18:24:50.149324: | local proposal 2 type ENCR has 1 transforms Aug 26 18:24:50.149327: | local proposal 2 type PRF has 2 transforms Aug 26 18:24:50.149329: | local proposal 2 type INTEG has 1 transforms Aug 26 18:24:50.149331: | local proposal 2 type DH has 8 transforms Aug 26 18:24:50.149334: | local proposal 2 type ESN has 0 transforms Aug 26 18:24:50.149336: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 18:24:50.149339: | local proposal 3 type ENCR has 1 
transforms Aug 26 18:24:50.149341: | local proposal 3 type PRF has 2 transforms Aug 26 18:24:50.149343: | local proposal 3 type INTEG has 2 transforms Aug 26 18:24:50.149345: | local proposal 3 type DH has 8 transforms Aug 26 18:24:50.149347: | local proposal 3 type ESN has 0 transforms Aug 26 18:24:50.149350: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 18:24:50.149352: | local proposal 4 type ENCR has 1 transforms Aug 26 18:24:50.149355: | local proposal 4 type PRF has 2 transforms Aug 26 18:24:50.149357: | local proposal 4 type INTEG has 2 transforms Aug 26 18:24:50.149359: | local proposal 4 type DH has 8 transforms Aug 26 18:24:50.149361: | local proposal 4 type ESN has 0 transforms Aug 26 18:24:50.149364: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 18:24:50.149367: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:24:50.149370: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:24:50.149372: | length: 100 (0x64) Aug 26 18:24:50.149374: | prop #: 1 (0x1) Aug 26 18:24:50.149376: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:24:50.149379: | spi size: 0 (0x0) Aug 26 18:24:50.149381: | # transforms: 11 (0xb) Aug 26 18:24:50.149384: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Aug 26 18:24:50.149387: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149389: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149392: | length: 12 (0xc) Aug 26 18:24:50.149394: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:50.149396: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:24:50.149399: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:24:50.149401: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:50.149403: | length/value: 256 (0x100) Aug 26 18:24:50.149407: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 
18:24:50.149410: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149412: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149414: | length: 8 (0x8) Aug 26 18:24:50.149417: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:24:50.149419: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:24:50.149424: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Aug 26 18:24:50.149427: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Aug 26 18:24:50.149429: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Aug 26 18:24:50.149432: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Aug 26 18:24:50.149435: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149437: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149439: | length: 8 (0x8) Aug 26 18:24:50.149441: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:24:50.149443: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:24:50.149446: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149448: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149450: | length: 8 (0x8) Aug 26 18:24:50.149452: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149455: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:24:50.149459: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 18:24:50.149464: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Aug 26 18:24:50.149468: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Aug 26 18:24:50.149472: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Aug 26 18:24:50.149474: | *****parse IKEv2 
Transform Substructure Payload: Aug 26 18:24:50.149476: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149478: | length: 8 (0x8) Aug 26 18:24:50.149481: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149483: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:24:50.149485: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149488: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149490: | length: 8 (0x8) Aug 26 18:24:50.149492: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149494: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:24:50.149497: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149499: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149501: | length: 8 (0x8) Aug 26 18:24:50.149503: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149505: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:24:50.149508: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149510: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149512: | length: 8 (0x8) Aug 26 18:24:50.149514: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149516: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:24:50.149519: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149521: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149523: | length: 8 (0x8) Aug 26 18:24:50.149525: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149528: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 18:24:50.149530: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149532: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149534: | length: 8 (0x8) Aug 26 18:24:50.149537: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149539: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:24:50.149541: | *****parse IKEv2 Transform Substructure 
Payload: Aug 26 18:24:50.149544: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:50.149546: | length: 8 (0x8) Aug 26 18:24:50.149548: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149550: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:24:50.149555: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Aug 26 18:24:50.149559: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Aug 26 18:24:50.149562: | remote proposal 1 matches local proposal 1 Aug 26 18:24:50.149564: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:24:50.149567: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:24:50.149569: | length: 100 (0x64) Aug 26 18:24:50.149571: | prop #: 2 (0x2) Aug 26 18:24:50.149573: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:24:50.149575: | spi size: 0 (0x0) Aug 26 18:24:50.149577: | # transforms: 11 (0xb) Aug 26 18:24:50.149581: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:24:50.149583: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149585: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149587: | length: 12 (0xc) Aug 26 18:24:50.149590: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:50.149592: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:24:50.149594: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:24:50.149596: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:50.149599: | length/value: 128 (0x80) Aug 26 18:24:50.149601: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149603: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149606: | length: 8 (0x8) Aug 26 18:24:50.149608: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:24:50.149610: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:24:50.149612: | 
*****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149615: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149617: | length: 8 (0x8) Aug 26 18:24:50.149619: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:24:50.149621: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:24:50.149624: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149626: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149628: | length: 8 (0x8) Aug 26 18:24:50.149630: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149632: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:24:50.149635: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149637: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149639: | length: 8 (0x8) Aug 26 18:24:50.149641: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149644: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:24:50.149646: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149648: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149650: | length: 8 (0x8) Aug 26 18:24:50.149652: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149655: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:24:50.149657: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149659: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149661: | length: 8 (0x8) Aug 26 18:24:50.149663: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149666: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:24:50.149668: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149670: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149672: | length: 8 (0x8) Aug 26 18:24:50.149675: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149677: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:24:50.149679: | *****parse IKEv2 Transform 
Substructure Payload: Aug 26 18:24:50.149681: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149683: | length: 8 (0x8) Aug 26 18:24:50.149686: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149688: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 18:24:50.149692: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149694: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149696: | length: 8 (0x8) Aug 26 18:24:50.149698: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149700: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:24:50.149703: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149705: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:50.149707: | length: 8 (0x8) Aug 26 18:24:50.149709: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149711: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:24:50.149715: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Aug 26 18:24:50.149717: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Aug 26 18:24:50.149720: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:24:50.149722: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:24:50.149724: | length: 116 (0x74) Aug 26 18:24:50.149726: | prop #: 3 (0x3) Aug 26 18:24:50.149728: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:24:50.149730: | spi size: 0 (0x0) Aug 26 18:24:50.149733: | # transforms: 13 (0xd) Aug 26 18:24:50.149735: | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:24:50.149738: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149740: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149742: | length: 12 (0xc) Aug 26 18:24:50.149744: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:50.149747: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 
18:24:50.149749: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:24:50.149751: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:50.149753: | length/value: 256 (0x100) Aug 26 18:24:50.149756: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149758: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149760: | length: 8 (0x8) Aug 26 18:24:50.149762: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:24:50.149765: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:24:50.149767: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149769: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149771: | length: 8 (0x8) Aug 26 18:24:50.149774: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:24:50.149776: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:24:50.149778: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149780: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149782: | length: 8 (0x8) Aug 26 18:24:50.149785: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:24:50.149787: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 18:24:50.149789: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149792: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149794: | length: 8 (0x8) Aug 26 18:24:50.149796: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:24:50.149798: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:24:50.149800: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149803: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149805: | length: 8 (0x8) Aug 26 18:24:50.149807: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149809: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:24:50.149812: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149814: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 
18:24:50.149816: | length: 8 (0x8) Aug 26 18:24:50.149818: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149820: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:24:50.149823: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149826: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149828: | length: 8 (0x8) Aug 26 18:24:50.149830: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149833: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:24:50.149835: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149837: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149839: | length: 8 (0x8) Aug 26 18:24:50.149841: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149844: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:24:50.149846: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149848: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149850: | length: 8 (0x8) Aug 26 18:24:50.149853: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149855: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:24:50.149857: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149859: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149861: | length: 8 (0x8) Aug 26 18:24:50.149864: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149866: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 18:24:50.149868: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149870: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149873: | length: 8 (0x8) Aug 26 18:24:50.149875: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149877: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:24:50.149879: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149882: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:50.149884: | length: 
8 (0x8) Aug 26 18:24:50.149886: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149888: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:24:50.149891: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 18:24:50.149894: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 18:24:50.149897: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:24:50.149899: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:24:50.149901: | length: 116 (0x74) Aug 26 18:24:50.149903: | prop #: 4 (0x4) Aug 26 18:24:50.149905: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:24:50.149907: | spi size: 0 (0x0) Aug 26 18:24:50.149910: | # transforms: 13 (0xd) Aug 26 18:24:50.149912: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:24:50.149915: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149917: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149919: | length: 12 (0xc) Aug 26 18:24:50.149921: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:50.149923: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:24:50.149926: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:24:50.149928: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:50.149930: | length/value: 128 (0x80) Aug 26 18:24:50.149933: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149935: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149937: | length: 8 (0x8) Aug 26 18:24:50.149939: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:24:50.149941: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:24:50.149944: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149946: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149948: | length: 8 (0x8) Aug 26 18:24:50.149950: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 
18:24:50.149952: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:24:50.149955: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149957: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149962: | length: 8 (0x8) Aug 26 18:24:50.149964: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:24:50.149966: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 18:24:50.149969: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149971: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149973: | length: 8 (0x8) Aug 26 18:24:50.149975: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:24:50.149977: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:24:50.149980: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149982: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149984: | length: 8 (0x8) Aug 26 18:24:50.149986: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.149989: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:24:50.149991: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.149993: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.149995: | length: 8 (0x8) Aug 26 18:24:50.149997: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.150000: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:24:50.150002: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.150004: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.150006: | length: 8 (0x8) Aug 26 18:24:50.150009: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.150011: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:24:50.150013: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.150015: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.150017: | length: 8 (0x8) Aug 26 18:24:50.150020: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.150022: | 
IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:24:50.150024: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.150027: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.150029: | length: 8 (0x8) Aug 26 18:24:50.150031: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.150033: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:24:50.150035: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.150038: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.150040: | length: 8 (0x8) Aug 26 18:24:50.150042: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.150044: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 18:24:50.150047: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.150049: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.150051: | length: 8 (0x8) Aug 26 18:24:50.150053: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.150055: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:24:50.150058: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.150060: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:50.150062: | length: 8 (0x8) Aug 26 18:24:50.150064: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.150066: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:24:50.150070: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 18:24:50.150072: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 18:24:50.150077: "north-east"[1] 192.1.3.33 #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Aug 26 18:24:50.150083: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Aug 26 18:24:50.150085: | converting proposal to internal trans attrs Aug 26 18:24:50.150089: | natd_hash: rcookie is zero Aug 26 18:24:50.150100: | natd_hash: hasher=0x55d4a09c9800(20) Aug 26 18:24:50.150102: | natd_hash: icookie= 95 9c 0b 68 d1 11 81 2d Aug 26 18:24:50.150105: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 18:24:50.150107: | natd_hash: ip= c0 01 02 17 Aug 26 18:24:50.150109: | natd_hash: port=500 Aug 26 18:24:50.150111: | natd_hash: hash= 24 f4 42 82 2c 71 93 91 20 c3 4b 57 32 72 25 6e Aug 26 18:24:50.150114: | natd_hash: hash= 0e 56 c0 41 Aug 26 18:24:50.150116: | natd_hash: rcookie is zero Aug 26 18:24:50.150121: | natd_hash: hasher=0x55d4a09c9800(20) Aug 26 18:24:50.150123: | natd_hash: icookie= 95 9c 0b 68 d1 11 81 2d Aug 26 18:24:50.150125: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 18:24:50.150127: | natd_hash: ip= c0 01 03 21 Aug 26 18:24:50.150129: | natd_hash: port=500 Aug 26 18:24:50.150132: | natd_hash: hash= 01 8e 4e c1 4b b6 a2 26 65 b6 05 20 42 82 dc d1 Aug 26 18:24:50.150134: | natd_hash: hash= 22 f8 85 9f Aug 26 18:24:50.150136: | NAT_TRAVERSAL encaps using auto-detect Aug 26 18:24:50.150138: | NAT_TRAVERSAL this end is NOT behind NAT Aug 26 18:24:50.150140: | NAT_TRAVERSAL that end is NOT behind NAT Aug 26 18:24:50.150143: | NAT_TRAVERSAL 
nat-keepalive enabled 192.1.3.33 Aug 26 18:24:50.150146: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Aug 26 18:24:50.150149: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55d4a0bc1668 Aug 26 18:24:50.150153: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 18:24:50.150156: | libevent_malloc: new ptr-libevent@0x55d4a0bc2c58 size 128 Aug 26 18:24:50.150167: | #1 spent 0.96 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Aug 26 18:24:50.150176: | [RE]START processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:24:50.150180: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Aug 26 18:24:50.150184: | suspending state #1 and saving MD Aug 26 18:24:50.150188: | #1 is busy; has a suspended MD Aug 26 18:24:50.150195: | [RE]START processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 18:24:50.150201: | "north-east"[1] 192.1.3.33 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 18:24:50.150202: | crypto helper 0 resuming Aug 26 18:24:50.150209: | stop processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 18:24:50.150221: | crypto helper 0 starting work-order 1 for state #1 Aug 26 18:24:50.150226: | #1 spent 1.55 milliseconds in ikev2_process_packet() Aug 26 18:24:50.150227: | crypto helper 0 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Aug 26 18:24:50.150236: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Aug 26 18:24:50.150241: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 18:24:50.150246: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 18:24:50.150252: | spent 1.57 milliseconds in 
comm_handle_cb() reading and processing packet Aug 26 18:24:50.151506: | crypto helper 0 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.001277 seconds Aug 26 18:24:50.151525: | (#1) spent 1.27 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Aug 26 18:24:50.151531: | crypto helper 0 sending results from work-order 1 for state #1 to event queue Aug 26 18:24:50.151540: | scheduling resume sending helper answer for #1 Aug 26 18:24:50.151545: | libevent_malloc: new ptr-libevent@0x7f6794002888 size 128 Aug 26 18:24:50.151558: | crypto helper 0 waiting (nothing to do) Aug 26 18:24:50.151569: | processing resume sending helper answer for #1 Aug 26 18:24:50.151587: | start processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:797) Aug 26 18:24:50.151595: | crypto helper 0 replies to request ID 1 Aug 26 18:24:50.151600: | calling continuation function 0x55d4a08f4b50 Aug 26 18:24:50.151603: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Aug 26 18:24:50.151643: | **emit ISAKMP Message: Aug 26 18:24:50.151646: | initiator cookie: Aug 26 18:24:50.151649: | 95 9c 0b 68 d1 11 81 2d Aug 26 18:24:50.151651: | responder cookie: Aug 26 18:24:50.151653: | 30 de 6d 29 9b 36 ee 89 Aug 26 18:24:50.151656: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:24:50.151658: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:50.151661: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 18:24:50.151664: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 18:24:50.151666: | Message ID: 0 (0x0) Aug 26 18:24:50.151669: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:24:50.151672: | Emitting ikev2_proposal ... 
Aug 26 18:24:50.151674: | ***emit IKEv2 Security Association Payload: Aug 26 18:24:50.151677: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:50.151679: | flags: none (0x0) Aug 26 18:24:50.151682: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 18:24:50.151685: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 18:24:50.151688: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 18:24:50.151690: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:24:50.151692: | prop #: 1 (0x1) Aug 26 18:24:50.151695: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:24:50.151697: | spi size: 0 (0x0) Aug 26 18:24:50.151699: | # transforms: 3 (0x3) Aug 26 18:24:50.151702: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 18:24:50.151704: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:24:50.151707: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.151709: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:50.151712: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:24:50.151714: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:50.151717: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 18:24:50.151719: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:50.151722: | length/value: 256 (0x100) Aug 26 18:24:50.151724: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 18:24:50.151727: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:24:50.151729: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.151731: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:24:50.151734: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:24:50.151737: | last 
substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.151739: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:50.151742: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:24:50.151744: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:24:50.151746: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:50.151748: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:24:50.151753: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:24:50.151756: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.151759: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:50.151761: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:24:50.151764: | emitting length of IKEv2 Proposal Substructure Payload: 36 Aug 26 18:24:50.151766: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 18:24:50.151769: | emitting length of IKEv2 Security Association Payload: 40 Aug 26 18:24:50.151771: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 18:24:50.151774: | ***emit IKEv2 Key Exchange Payload: Aug 26 18:24:50.151777: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:50.151779: | flags: none (0x0) Aug 26 18:24:50.151781: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:24:50.151784: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 
18:24:50.151787: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 18:24:50.151790: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Aug 26 18:24:50.151827: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 18:24:50.151829: | ***emit IKEv2 Nonce Payload: Aug 26 18:24:50.151831: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:24:50.151833: | flags: none (0x0) Aug 26 18:24:50.151836: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Aug 26 18:24:50.151839: | next payload chain: setting previous 
'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 18:24:50.151842: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 18:24:50.151844: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 18:24:50.151846: | IKEv2 nonce 11 bd 5e d1 f8 ee 4c 32 76 9a 8a a9 27 1d 78 3e Aug 26 18:24:50.151849: | IKEv2 nonce c4 22 83 f5 47 a2 ff 44 a5 7d ac 05 c5 84 b9 ea Aug 26 18:24:50.151851: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 18:24:50.151853: | Adding a v2N Payload Aug 26 18:24:50.151857: | ***emit IKEv2 Notify Payload: Aug 26 18:24:50.151860: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:50.151862: | flags: none (0x0) Aug 26 18:24:50.151864: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:24:50.151866: | SPI size: 0 (0x0) Aug 26 18:24:50.151869: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 18:24:50.151872: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:24:50.151874: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:24:50.151877: | emitting length of IKEv2 Notify Payload: 8 Aug 26 18:24:50.151880: | NAT-Traversal support [enabled] add v2N payloads. 
Aug 26 18:24:50.151892: | natd_hash: hasher=0x55d4a09c9800(20) Aug 26 18:24:50.151895: | natd_hash: icookie= 95 9c 0b 68 d1 11 81 2d Aug 26 18:24:50.151897: | natd_hash: rcookie= 30 de 6d 29 9b 36 ee 89 Aug 26 18:24:50.151899: | natd_hash: ip= c0 01 02 17 Aug 26 18:24:50.151901: | natd_hash: port=500 Aug 26 18:24:50.151903: | natd_hash: hash= 19 09 47 e1 44 13 f3 12 15 f9 85 79 f8 5d 0b 22 Aug 26 18:24:50.151906: | natd_hash: hash= f6 4e 94 c7 Aug 26 18:24:50.151908: | Adding a v2N Payload Aug 26 18:24:50.151910: | ***emit IKEv2 Notify Payload: Aug 26 18:24:50.151912: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:50.151914: | flags: none (0x0) Aug 26 18:24:50.151917: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:24:50.151919: | SPI size: 0 (0x0) Aug 26 18:24:50.151921: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 18:24:50.151924: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:24:50.151926: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:24:50.151929: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 18:24:50.151932: | Notify data 19 09 47 e1 44 13 f3 12 15 f9 85 79 f8 5d 0b 22 Aug 26 18:24:50.151934: | Notify data f6 4e 94 c7 Aug 26 18:24:50.151936: | emitting length of IKEv2 Notify Payload: 28 Aug 26 18:24:50.151941: | natd_hash: hasher=0x55d4a09c9800(20) Aug 26 18:24:50.151944: | natd_hash: icookie= 95 9c 0b 68 d1 11 81 2d Aug 26 18:24:50.151946: | natd_hash: rcookie= 30 de 6d 29 9b 36 ee 89 Aug 26 18:24:50.151948: | natd_hash: ip= c0 01 03 21 Aug 26 18:24:50.151950: | natd_hash: port=500 Aug 26 18:24:50.151952: | natd_hash: hash= 07 93 f7 04 4e 95 a8 40 e4 0b 8d 51 9d e9 6c b3 Aug 26 18:24:50.151954: | natd_hash: hash= 0e 77 3e 6c Aug 26 18:24:50.151956: | Adding a v2N Payload Aug 26 18:24:50.151958: | ***emit IKEv2 Notify Payload: Aug 26 
18:24:50.151961: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:50.151963: | flags: none (0x0) Aug 26 18:24:50.151965: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:24:50.151967: | SPI size: 0 (0x0) Aug 26 18:24:50.151969: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 18:24:50.151972: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:24:50.151975: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:24:50.151977: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 18:24:50.151980: | Notify data 07 93 f7 04 4e 95 a8 40 e4 0b 8d 51 9d e9 6c b3 Aug 26 18:24:50.151983: | Notify data 0e 77 3e 6c Aug 26 18:24:50.151987: | emitting length of IKEv2 Notify Payload: 28 Aug 26 18:24:50.151990: | going to send a certreq Aug 26 18:24:50.151993: | connection->kind is not CK_PERMANENT (instance), so collect CAs Aug 26 18:24:50.151998: | Not a roadwarrior instance, sending empty CA in CERTREQ Aug 26 18:24:50.152002: | ***emit IKEv2 Certificate Request Payload: Aug 26 18:24:50.152005: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:50.152013: | flags: none (0x0) Aug 26 18:24:50.152017: | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) Aug 26 18:24:50.152022: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Certificate Request Payload (38:ISAKMP_NEXT_v2CERTREQ) Aug 26 18:24:50.152026: | next payload chain: saving location 'IKEv2 Certificate Request Payload'.'next payload type' in 'reply packet' Aug 26 18:24:50.152030: | emitting length of IKEv2 Certificate Request Payload: 5 Aug 26 18:24:50.152034: | emitting length of ISAKMP Message: 437 Aug 26 18:24:50.152045: | [RE]START processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 
18:24:50.152051: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Aug 26 18:24:50.152055: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Aug 26 18:24:50.152060: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Aug 26 18:24:50.152064: | Message ID: updating counters for #1 to 0 after switching state Aug 26 18:24:50.152071: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Aug 26 18:24:50.152078: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Aug 26 18:24:50.152086: "north-east"[1] 192.1.3.33 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} Aug 26 18:24:50.152093: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Aug 26 18:24:50.152105: | sending 437 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Aug 26 18:24:50.152207: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 18:24:50.152213: | libevent_free: release ptr-libevent@0x55d4a0bc2c58 Aug 26 18:24:50.152216: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55d4a0bc1668 Aug 26 18:24:50.152219: | event_schedule: new EVENT_SO_DISCARD-pe@0x55d4a0bc1668 Aug 26 18:24:50.152223: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Aug 26 18:24:50.152226: | libevent_malloc: new ptr-libevent@0x55d4a0bc2868 size 128 Aug 26 18:24:50.152230: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 18:24:50.152236: | #1 spent 0.617 milliseconds in resume sending helper answer Aug 26 18:24:50.152242: | stop processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at 
server.c:833) Aug 26 18:24:50.152245: | libevent_free: release ptr-libevent@0x7f6794002888 Aug 26 18:24:50.163213: | spent 0.00312 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 18:24:50.163238: | *received 539 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Aug 26 18:24:50.163324: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Aug 26 18:24:50.163328: | **parse ISAKMP Message: Aug 26 18:24:50.163330: | initiator cookie: Aug 26 18:24:50.163332: | 95 9c 0b 68 d1 11 81 2d Aug 26 18:24:50.163335: | responder cookie: Aug 26 18:24:50.163340: | 30 de 6d 29 9b 36 ee 89 Aug 26 18:24:50.163343: | next payload type: ISAKMP_NEXT_v2SKF (0x35) Aug 26 18:24:50.163346: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:50.163348: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 18:24:50.163351: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 18:24:50.163353: | Message ID: 1 (0x1) Aug 26 18:24:50.163355: | length: 539 (0x21b) Aug 26 18:24:50.163358: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 18:24:50.163361: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 18:24:50.163365: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Aug 26 18:24:50.163372: | start processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 18:24:50.163375: | State DB: IKEv2 state not 
found (find_v2_sa_by_responder_wip) Aug 26 18:24:50.163380: | [RE]START processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 18:24:50.163382: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Aug 26 18:24:50.163387: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Aug 26 18:24:50.163389: | unpacking clear payload Aug 26 18:24:50.163391: | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) Aug 26 18:24:50.163394: | ***parse IKEv2 Encrypted Fragment: Aug 26 18:24:50.163396: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Aug 26 18:24:50.163399: | flags: none (0x0) Aug 26 18:24:50.163401: | length: 511 (0x1ff) Aug 26 18:24:50.163403: | fragment number: 1 (0x1) Aug 26 18:24:50.163406: | total fragments: 2 (0x2) Aug 26 18:24:50.163408: | processing payload: ISAKMP_NEXT_v2SKF (len=503) Aug 26 18:24:50.163412: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Aug 26 18:24:50.163415: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 18:24:50.163418: | received IKE encrypted fragment number '1', total number '2', next payload '35' Aug 26 18:24:50.163420: | updated IKE fragment state to respond using fragments without waiting for re-transmits Aug 26 18:24:50.163426: | stop processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 18:24:50.163431: | #1 spent 0.198 milliseconds in ikev2_process_packet() Aug 26 18:24:50.163434: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Aug 26 18:24:50.163437: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 18:24:50.163440: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 18:24:50.163444: | spent 0.212 milliseconds in comm_handle_cb() reading 
and processing packet Aug 26 18:24:50.163452: | spent 0.00163 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 18:24:50.163461: | *received 102 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500) Aug 26 18:24:50.163479: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Aug 26 18:24:50.163482: | **parse ISAKMP Message: Aug 26 18:24:50.163484: | initiator cookie: Aug 26 18:24:50.163486: | 95 9c 0b 68 d1 11 81 2d Aug 26 18:24:50.163488: | responder cookie: Aug 26 18:24:50.163490: | 30 de 6d 29 9b 36 ee 89 Aug 26 18:24:50.163493: | next payload type: ISAKMP_NEXT_v2SKF (0x35) Aug 26 18:24:50.163497: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:50.163499: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 18:24:50.163502: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 18:24:50.163504: | Message ID: 1 (0x1) Aug 26 18:24:50.163506: | length: 102 (0x66) Aug 26 18:24:50.163509: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 18:24:50.163511: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 18:24:50.163514: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Aug 26 18:24:50.163520: | start processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 18:24:50.163524: | [RE]START processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in 
ike_process_packet() at ikev2.c:2062) Aug 26 18:24:50.163527: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Aug 26 18:24:50.163529: | #1 is idle Aug 26 18:24:50.163531: | #1 idle Aug 26 18:24:50.163535: | Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1 Aug 26 18:24:50.163537: | unpacking clear payload Aug 26 18:24:50.163540: | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) Aug 26 18:24:50.163542: | ***parse IKEv2 Encrypted Fragment: Aug 26 18:24:50.163544: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:50.163547: | flags: none (0x0) Aug 26 18:24:50.163549: | length: 74 (0x4a) Aug 26 18:24:50.163551: | fragment number: 2 (0x2) Aug 26 18:24:50.163553: | total fragments: 2 (0x2) Aug 26 18:24:50.163555: | processing payload: ISAKMP_NEXT_v2SKF (len=66) Aug 26 18:24:50.163558: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 18:24:50.163561: | received IKE encrypted fragment number '2', total number '2', next payload '0' Aug 26 18:24:50.163564: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 18:24:50.163566: | Now let's proceed with state specific processing Aug 26 18:24:50.163568: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 18:24:50.163571: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Aug 26 18:24:50.163579: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Aug 26 18:24:50.163583: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Aug 26 18:24:50.163585: | state #1 requesting EVENT_SO_DISCARD to be deleted Aug 26 18:24:50.163588: | libevent_free: release ptr-libevent@0x55d4a0bc2868 Aug 26 18:24:50.163591: | free_event_entry: release EVENT_SO_DISCARD-pe@0x55d4a0bc1668 Aug 26 18:24:50.163594: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55d4a0bc1668 Aug 26 18:24:50.163597: | inserting 
event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 18:24:50.163600: | libevent_malloc: new ptr-libevent@0x7f6794002888 size 128 Aug 26 18:24:50.163612: | #1 spent 0.0386 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Aug 26 18:24:50.163618: | crypto helper 1 resuming Aug 26 18:24:50.163621: | [RE]START processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:24:50.163632: | crypto helper 1 starting work-order 2 for state #1 Aug 26 18:24:50.163640: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Aug 26 18:24:50.163644: | crypto helper 1 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Aug 26 18:24:50.163645: | suspending state #1 and saving MD Aug 26 18:24:50.163654: | #1 is busy; has a suspended MD Aug 26 18:24:50.163662: | [RE]START processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 18:24:50.163668: | "north-east"[1] 192.1.3.33 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 18:24:50.163679: | stop processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 18:24:50.163686: | #1 spent 0.223 milliseconds in ikev2_process_packet() Aug 26 18:24:50.163692: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Aug 26 18:24:50.163696: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 18:24:50.163700: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 18:24:50.163705: | spent 0.243 milliseconds in comm_handle_cb() reading and processing packet Aug 26 18:24:50.164408: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Aug 26 18:24:50.164785: | crypto helper 1 finished 
compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001142 seconds Aug 26 18:24:50.164793: | (#1) spent 1.15 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Aug 26 18:24:50.164797: | crypto helper 1 sending results from work-order 2 for state #1 to event queue Aug 26 18:24:50.164799: | scheduling resume sending helper answer for #1 Aug 26 18:24:50.164802: | libevent_malloc: new ptr-libevent@0x7f678c000f48 size 128 Aug 26 18:24:50.164810: | crypto helper 1 waiting (nothing to do) Aug 26 18:24:50.164819: | processing resume sending helper answer for #1 Aug 26 18:24:50.164828: | start processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:797) Aug 26 18:24:50.164831: | crypto helper 1 replies to request ID 2 Aug 26 18:24:50.164834: | calling continuation function 0x55d4a08f4b50 Aug 26 18:24:50.164836: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Aug 26 18:24:50.164839: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 18:24:50.164842: | already have all fragments, skipping fragment collection Aug 26 18:24:50.164844: | already have all fragments, skipping fragment collection Aug 26 18:24:50.164859: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Aug 26 18:24:50.164862: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Aug 26 18:24:50.164865: | **parse IKEv2 Identification - Initiator - Payload: Aug 26 18:24:50.164868: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Aug 26 18:24:50.164870: | flags: none (0x0) Aug 26 18:24:50.164873: | length: 13 (0xd) Aug 26 18:24:50.164875: | ID type: ID_FQDN (0x2) Aug 26 18:24:50.164877: | processing payload: ISAKMP_NEXT_v2IDi (len=5) Aug 26 18:24:50.164880: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Aug 26 18:24:50.164882: | **parse IKEv2 Identification - Responder - Payload: Aug 26 18:24:50.164884: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Aug 26 18:24:50.164886: | flags: none (0x0) 
Aug 26 18:24:50.164889: | length: 12 (0xc) Aug 26 18:24:50.164891: | ID type: ID_FQDN (0x2) Aug 26 18:24:50.164893: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Aug 26 18:24:50.164895: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Aug 26 18:24:50.164897: | **parse IKEv2 Authentication Payload: Aug 26 18:24:50.164900: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 18:24:50.164902: | flags: none (0x0) Aug 26 18:24:50.164904: | length: 282 (0x11a) Aug 26 18:24:50.164906: | auth method: IKEv2_AUTH_RSA (0x1) Aug 26 18:24:50.164909: | processing payload: ISAKMP_NEXT_v2AUTH (len=274) Aug 26 18:24:50.164911: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 18:24:50.164913: | **parse IKEv2 Security Association Payload: Aug 26 18:24:50.164915: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 18:24:50.164917: | flags: none (0x0) Aug 26 18:24:50.164920: | length: 164 (0xa4) Aug 26 18:24:50.164922: | processing payload: ISAKMP_NEXT_v2SA (len=160) Aug 26 18:24:50.164924: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 18:24:50.164926: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 18:24:50.164929: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 18:24:50.164931: | flags: none (0x0) Aug 26 18:24:50.164935: | length: 24 (0x18) Aug 26 18:24:50.164938: | number of TS: 1 (0x1) Aug 26 18:24:50.164940: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Aug 26 18:24:50.164942: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 18:24:50.164944: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 18:24:50.164947: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:50.164949: | flags: none (0x0) Aug 26 18:24:50.164951: | length: 24 (0x18) Aug 26 18:24:50.164953: | number of TS: 1 (0x1) Aug 26 18:24:50.164955: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Aug 26 18:24:50.164957: | selected state microcode Responder: process IKE_AUTH request Aug 26 18:24:50.164960: | Now let's proceed with state 
specific processing Aug 26 18:24:50.164962: | calling processor Responder: process IKE_AUTH request Aug 26 18:24:50.164968: "north-east"[1] 192.1.3.33 #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Aug 26 18:24:50.164973: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 18:24:50.164976: | received IDr payload - extracting our alleged ID Aug 26 18:24:50.164980: | refine_host_connection for IKEv2: starting with "north-east"[1] 192.1.3.33 Aug 26 18:24:50.164985: | match_id a=@north Aug 26 18:24:50.164987: | b=@north Aug 26 18:24:50.164989: | results matched Aug 26 18:24:50.164994: | refine_host_connection: checking "north-east"[1] 192.1.3.33 against "north-east"[1] 192.1.3.33, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Aug 26 18:24:50.164997: | Warning: not switching back to template of current instance Aug 26 18:24:50.164999: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Aug 26 18:24:50.165002: | This connection's local id is @east (ID_FQDN) Aug 26 18:24:50.165006: | refine_host_connection: checked north-east[1] 192.1.3.33 against north-east[1] 192.1.3.33, now for see if best Aug 26 18:24:50.165009: | started looking for secret for @east->@north of kind PKK_RSA Aug 26 18:24:50.165012: | actually looking for secret for @east->@north of kind PKK_RSA Aug 26 18:24:50.165015: | line 1: key type PKK_RSA(@east) to type PKK_RSA Aug 26 18:24:50.165018: | 1: compared key (none) to @east / @north -> 002 Aug 26 18:24:50.165021: | 2: compared key (none) to @east / @north -> 002 Aug 26 18:24:50.165023: | line 1: match=002 Aug 26 18:24:50.165026: | match 002 beats previous best_match 000 match=0x55d4a0b18b58 (line=1) Aug 26 18:24:50.165028: | concluding with best_match=002 best=0x55d4a0b18b58 (lineno=1) Aug 26 18:24:50.165031: | returning because exact peer id match Aug 26 18:24:50.165033: | offered CA: '%none' Aug 26 18:24:50.165037: 
"north-east"[1] 192.1.3.33 #1: IKEv2 mode peer ID is ID_FQDN: '@north' Aug 26 18:24:50.165054: | verifying AUTH payload Aug 26 18:24:50.165065: | required RSA CA is '%any' Aug 26 18:24:50.165069: | checking RSA keyid '@east' for match with '@north' Aug 26 18:24:50.165071: | checking RSA keyid '@north' for match with '@north' Aug 26 18:24:50.165074: | key issuer CA is '%any' Aug 26 18:24:50.165134: | an RSA Sig check passed with *AQPl33O2P [preloaded key] Aug 26 18:24:50.165141: | #1 spent 0.0626 milliseconds in try_all_RSA_keys() trying a pubkey Aug 26 18:24:50.165145: "north-east"[1] 192.1.3.33 #1: Authenticated using RSA Aug 26 18:24:50.165149: | #1 spent 0.0906 milliseconds in ikev2_verify_rsa_hash() Aug 26 18:24:50.165153: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Aug 26 18:24:50.165157: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Aug 26 18:24:50.165159: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 18:24:50.165162: | libevent_free: release ptr-libevent@0x7f6794002888 Aug 26 18:24:50.165165: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55d4a0bc1668 Aug 26 18:24:50.165168: | event_schedule: new EVENT_SA_REKEY-pe@0x55d4a0bc1668 Aug 26 18:24:50.165171: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Aug 26 18:24:50.165176: | libevent_malloc: new ptr-libevent@0x55d4a0bc2868 size 128 Aug 26 18:24:50.165269: | pstats #1 ikev2.ike established Aug 26 18:24:50.165277: | **emit ISAKMP Message: Aug 26 18:24:50.165280: | initiator cookie: Aug 26 18:24:50.165282: | 95 9c 0b 68 d1 11 81 2d Aug 26 18:24:50.165285: | responder cookie: Aug 26 18:24:50.165287: | 30 de 6d 29 9b 36 ee 89 Aug 26 18:24:50.165298: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:24:50.165302: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:50.165306: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 18:24:50.165310: | flags: 
ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 18:24:50.165313: | Message ID: 1 (0x1) Aug 26 18:24:50.165317: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:24:50.165321: | IKEv2 CERT: send a certificate? Aug 26 18:24:50.165324: | IKEv2 CERT: no certificate to send Aug 26 18:24:50.165328: | ***emit IKEv2 Encryption Payload: Aug 26 18:24:50.165332: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:50.165335: | flags: none (0x0) Aug 26 18:24:50.165340: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:24:50.165344: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 18:24:50.165349: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:24:50.165356: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 18:24:50.165370: | ****emit IKEv2 Identification - Responder - Payload: Aug 26 18:24:50.165373: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:50.165376: | flags: none (0x0) Aug 26 18:24:50.165378: | ID type: ID_FQDN (0x2) Aug 26 18:24:50.165381: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Aug 26 18:24:50.165384: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 18:24:50.165387: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Aug 26 18:24:50.165389: | my identity 65 61 73 74 Aug 26 18:24:50.165392: | emitting length of IKEv2 Identification - Responder - Payload: 12 Aug 26 18:24:50.165399: | assembled IDr payload Aug 26 18:24:50.165401: | CHILD SA proposals received Aug 26 18:24:50.165403: | going to assemble AUTH payload Aug 26 18:24:50.165406: | ****emit IKEv2 Authentication Payload: 
Aug 26 18:24:50.165408: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 18:24:50.165410: | flags: none (0x0) Aug 26 18:24:50.165413: | auth method: IKEv2_AUTH_RSA (0x1) Aug 26 18:24:50.165415: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Aug 26 18:24:50.165418: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Aug 26 18:24:50.165421: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Aug 26 18:24:50.165426: | started looking for secret for @east->@north of kind PKK_RSA Aug 26 18:24:50.165429: | actually looking for secret for @east->@north of kind PKK_RSA Aug 26 18:24:50.165432: | line 1: key type PKK_RSA(@east) to type PKK_RSA Aug 26 18:24:50.165435: | 1: compared key (none) to @east / @north -> 002 Aug 26 18:24:50.165437: | 2: compared key (none) to @east / @north -> 002 Aug 26 18:24:50.165440: | line 1: match=002 Aug 26 18:24:50.165442: | match 002 beats previous best_match 000 match=0x55d4a0b18b58 (line=1) Aug 26 18:24:50.165445: | concluding with best_match=002 best=0x55d4a0b18b58 (lineno=1) Aug 26 18:24:50.169451: | #1 spent 3.97 milliseconds in ikev2_calculate_rsa_hash() calling sign_hash_RSA() Aug 26 18:24:50.169463: | emitting 274 raw bytes of rsa signature into IKEv2 Authentication Payload
Aug 26 18:24:50.169507: | #1 spent 4.06 milliseconds in ikev2_calculate_rsa_hash() Aug 26 18:24:50.169510: | emitting length of IKEv2 Authentication Payload: 282 Aug 26 18:24:50.169515: | creating state object #2 at 0x55d4a0bcb428 Aug 26 18:24:50.169518: | State DB: adding IKEv2 state #2 in UNDEFINED Aug 26 18:24:50.169521: | pstats #2 ikev2.child started Aug 26 18:24:50.169525: | duplicating state object #1 "north-east"[1] 192.1.3.33 as #2 for IPSEC SA Aug 26 18:24:50.169530: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 18:24:50.169536: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 18:24:50.169540: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Aug 26 18:24:50.169544: | Message ID: 
switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Aug 26 18:24:50.169547: | Child SA TS Request has ike->sa == md->st; so using parent connection Aug 26 18:24:50.169549: | TSi: parsing 1 traffic selectors Aug 26 18:24:50.169552: | ***parse IKEv2 Traffic Selector: Aug 26 18:24:50.169555: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:24:50.169557: | IP Protocol ID: 0 (0x0) Aug 26 18:24:50.169560: | length: 16 (0x10) Aug 26 18:24:50.169562: | start port: 0 (0x0) Aug 26 18:24:50.169564: | end port: 65535 (0xffff) Aug 26 18:24:50.169567: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 18:24:50.169569: | TS low c0 00 03 fe Aug 26 18:24:50.169571: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 18:24:50.169574: | TS high c0 00 03 fe Aug 26 18:24:50.169576: | TSi: parsed 1 traffic selectors Aug 26 18:24:50.169578: | TSr: parsing 1 traffic selectors Aug 26 18:24:50.169580: | ***parse IKEv2 Traffic Selector: Aug 26 18:24:50.169583: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:24:50.169585: | IP Protocol ID: 0 (0x0) Aug 26 18:24:50.169587: | length: 16 (0x10) Aug 26 18:24:50.169589: | start port: 0 (0x0) Aug 26 18:24:50.169591: | end port: 65535 (0xffff) Aug 26 18:24:50.169593: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 18:24:50.169597: | TS low c0 00 02 00 Aug 26 18:24:50.169600: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 18:24:50.169602: | TS high c0 00 02 ff Aug 26 18:24:50.169604: | TSr: parsed 1 traffic selectors Aug 26 18:24:50.169606: | looking for best SPD in current connection Aug 26 18:24:50.169612: | evaluating our conn="north-east"[1] 192.1.3.33 I=192.0.3.254/32:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 18:24:50.169617: | TSi[0] .net=192.0.3.254-192.0.3.254 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:24:50.169623: | match address end->client=192.0.3.254/32 <= 
TSi[0]net=192.0.3.254-192.0.3.254: YES fitness 32 Aug 26 18:24:50.169626: | narrow port end=0..65535 <= TSi[0]=0..65535: 0 Aug 26 18:24:50.169628: | TSi[0] port match: YES fitness 65536 Aug 26 18:24:50.169631: | narrow protocol end=*0 <= TSi[0]=*0: 0 Aug 26 18:24:50.169634: | match end->protocol=*0 <= TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 18:24:50.169637: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:24:50.169642: | match address end->client=192.0.2.0/24 <= TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 18:24:50.169645: | narrow port end=0..65535 <= TSr[0]=0..65535: 0 Aug 26 18:24:50.169647: | TSr[0] port match: YES fitness 65536 Aug 26 18:24:50.169649: | narrow protocol end=*0 <= TSr[0]=*0: 0 Aug 26 18:24:50.169652: | match end->protocol=*0 <= TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 18:24:50.169654: | best fit so far: TSi[0] TSr[0] Aug 26 18:24:50.169656: | found better spd route for TSi[0],TSr[0] Aug 26 18:24:50.169659: | looking for better host pair Aug 26 18:24:50.169663: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Aug 26 18:24:50.169667: | checking hostpair 192.0.2.0/24 -> 192.0.3.254/32 is found Aug 26 18:24:50.169669: | investigating connection "north-east" as a better match Aug 26 18:24:50.169672: | match_id a=@north Aug 26 18:24:50.169674: | b=@north Aug 26 18:24:50.169676: | results matched Aug 26 18:24:50.169681: | evaluating our conn="north-east"[1] 192.1.3.33 I=192.0.3.254/32:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 18:24:50.169685: | TSi[0] .net=192.0.3.254-192.0.3.254 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:24:50.169690: | match address end->client=192.0.3.254/32 <= TSi[0]net=192.0.3.254-192.0.3.254: YES fitness 32 Aug 26 18:24:50.169692: | narrow port end=0..65535 <= TSi[0]=0..65535: 0 Aug 26 18:24:50.169694: | TSi[0] port match: YES fitness 65536 Aug 26 18:24:50.169697: | narrow protocol end=*0 <= TSi[0]=*0: 0 Aug 26 18:24:50.169699: | match 
end->protocol=*0 <= TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 18:24:50.169703: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:24:50.169707: | match address end->client=192.0.2.0/24 <= TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 18:24:50.169710: | narrow port end=0..65535 <= TSr[0]=0..65535: 0 Aug 26 18:24:50.169712: | TSr[0] port match: YES fitness 65536 Aug 26 18:24:50.169714: | narrow protocol end=*0 <= TSr[0]=*0: 0 Aug 26 18:24:50.169717: | match end->protocol=*0 <= TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 18:24:50.169719: | best fit so far: TSi[0] TSr[0] Aug 26 18:24:50.169721: | investigating connection "north-east" as a better match Aug 26 18:24:50.169724: | match_id a=@north Aug 26 18:24:50.169726: | b=@north Aug 26 18:24:50.169728: | results matched Aug 26 18:24:50.169732: | evaluating our conn="north-east" I=192.0.3.254/32:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 18:24:50.169735: | TSi[0] .net=192.0.3.254-192.0.3.254 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:24:50.169740: | match address end->client=192.0.3.254/32 <= TSi[0]net=192.0.3.254-192.0.3.254: YES fitness 32 Aug 26 18:24:50.169742: | narrow port end=0..65535 <= TSi[0]=0..65535: 0 Aug 26 18:24:50.169746: | TSi[0] port match: YES fitness 65536 Aug 26 18:24:50.169748: | narrow protocol end=*0 <= TSi[0]=*0: 0 Aug 26 18:24:50.169751: | match end->protocol=*0 <= TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 18:24:50.169755: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:24:50.169759: | match address end->client=192.0.2.0/24 <= TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 18:24:50.169761: | narrow port end=0..65535 <= TSr[0]=0..65535: 0 Aug 26 18:24:50.169763: | TSr[0] port match: YES fitness 65536 Aug 26 18:24:50.169766: | narrow protocol end=*0 <= TSr[0]=*0: 0 Aug 26 18:24:50.169768: | match end->protocol=*0 <= TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 18:24:50.169770: | best fit so far: TSi[0] 
TSr[0] Aug 26 18:24:50.169773: | did not find a better connection using host pair Aug 26 18:24:50.169775: | printing contents struct traffic_selector Aug 26 18:24:50.169777: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 18:24:50.169779: | ipprotoid: 0 Aug 26 18:24:50.169781: | port range: 0-65535 Aug 26 18:24:50.169785: | ip range: 192.0.2.0-192.0.2.255 Aug 26 18:24:50.169787: | printing contents struct traffic_selector Aug 26 18:24:50.169789: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 18:24:50.169791: | ipprotoid: 0 Aug 26 18:24:50.169793: | port range: 0-65535 Aug 26 18:24:50.169796: | ip range: 192.0.3.254-192.0.3.254 Aug 26 18:24:50.169800: | constructing ESP/AH proposals with all DH removed for north-east (IKE_AUTH responder matching remote ESP/AH proposals) Aug 26 18:24:50.169804: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Aug 26 18:24:50.169810: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 18:24:50.169813: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Aug 26 18:24:50.169816: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 18:24:50.169819: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 18:24:50.169823: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 18:24:50.169826: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 18:24:50.169830: | ... 
ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 18:24:50.169837: "north-east"[1] 192.1.3.33: constructed local ESP/AH proposals for north-east (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 18:24:50.169840: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals Aug 26 18:24:50.169843: | local proposal 1 type ENCR has 1 transforms Aug 26 18:24:50.169846: | local proposal 1 type PRF has 0 transforms Aug 26 18:24:50.169848: | local proposal 1 type INTEG has 1 transforms Aug 26 18:24:50.169851: | local proposal 1 type DH has 1 transforms Aug 26 18:24:50.169853: | local proposal 1 type ESN has 1 transforms Aug 26 18:24:50.169856: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 18:24:50.169858: | local proposal 2 type ENCR has 1 transforms Aug 26 18:24:50.169860: | local proposal 2 type PRF has 0 transforms Aug 26 18:24:50.169863: | local proposal 2 type INTEG has 1 transforms Aug 26 18:24:50.169865: | local proposal 2 type DH has 1 transforms Aug 26 18:24:50.169867: | local proposal 2 type ESN has 1 transforms Aug 26 18:24:50.169870: | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 18:24:50.169872: | local proposal 3 type ENCR has 1 transforms Aug 26 18:24:50.169874: | local proposal 3 type PRF has 0 transforms Aug 26 18:24:50.169876: | local proposal 3 type INTEG has 2 transforms Aug 26 18:24:50.169880: | local proposal 3 type DH has 1 transforms Aug 26 18:24:50.169882: | local proposal 3 type ESN has 1 transforms Aug 26 18:24:50.169885: | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: DH 
Aug 26 18:24:50.169887: | local proposal 4 type ENCR has 1 transforms Aug 26 18:24:50.169889: | local proposal 4 type PRF has 0 transforms Aug 26 18:24:50.169892: | local proposal 4 type INTEG has 2 transforms Aug 26 18:24:50.169894: | local proposal 4 type DH has 1 transforms Aug 26 18:24:50.169896: | local proposal 4 type ESN has 1 transforms Aug 26 18:24:50.169899: | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 18:24:50.169902: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 18:24:50.169904: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:24:50.169906: | length: 32 (0x20) Aug 26 18:24:50.169909: | prop #: 1 (0x1) Aug 26 18:24:50.169911: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:24:50.169913: | spi size: 4 (0x4) Aug 26 18:24:50.169915: | # transforms: 2 (0x2) Aug 26 18:24:50.169918: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 18:24:50.169921: | remote SPI 06 4f fb 8b Aug 26 18:24:50.169923: | Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals Aug 26 18:24:50.169926: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.169929: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.169931: | length: 12 (0xc) Aug 26 18:24:50.169933: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:50.169935: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:24:50.169938: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 18:24:50.169940: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:50.169942: | length/value: 256 (0x100) Aug 26 18:24:50.169946: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 18:24:50.169949: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.169951: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:50.169953: | length: 8 (0x8) Aug 26 18:24:50.169956: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 
18:24:50.169958: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:24:50.169961: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 18:24:50.169964: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Aug 26 18:24:50.169966: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Aug 26 18:24:50.169969: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Aug 26 18:24:50.169972: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Aug 26 18:24:50.169976: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Aug 26 18:24:50.169978: | remote proposal 1 matches local proposal 1 Aug 26 18:24:50.169981: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 18:24:50.169983: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:24:50.169985: | length: 32 (0x20) Aug 26 18:24:50.169988: | prop #: 2 (0x2) Aug 26 18:24:50.169990: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:24:50.169992: | spi size: 4 (0x4) Aug 26 18:24:50.169994: | # transforms: 2 (0x2) Aug 26 18:24:50.169997: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 18:24:50.169999: | remote SPI 06 4f fb 8b Aug 26 18:24:50.170001: | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:24:50.170004: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.170006: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.170008: | length: 12 (0xc) Aug 26 18:24:50.170012: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:50.170014: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:24:50.170016: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 18:24:50.170019: | af+type: AF+IKEv2_KEY_LENGTH 
(0x800e) Aug 26 18:24:50.170021: | length/value: 128 (0x80) Aug 26 18:24:50.170023: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.170026: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:50.170028: | length: 8 (0x8) Aug 26 18:24:50.170030: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:24:50.170032: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:24:50.170035: | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN Aug 26 18:24:50.170038: | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN Aug 26 18:24:50.170040: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 18:24:50.170042: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:24:50.170045: | length: 48 (0x30) Aug 26 18:24:50.170047: | prop #: 3 (0x3) Aug 26 18:24:50.170049: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:24:50.170051: | spi size: 4 (0x4) Aug 26 18:24:50.170053: | # transforms: 4 (0x4) Aug 26 18:24:50.170056: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 18:24:50.170058: | remote SPI 06 4f fb 8b Aug 26 18:24:50.170060: | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:24:50.170063: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.170065: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.170067: | length: 12 (0xc) Aug 26 18:24:50.170069: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:50.170071: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:24:50.170073: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 18:24:50.170076: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:50.170078: | length/value: 256 (0x100) Aug 26 18:24:50.170080: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.170083: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.170085: | length: 8 (0x8) Aug 26 18:24:50.170087: | IKEv2 transform type: 
TRANS_TYPE_INTEG (0x3) Aug 26 18:24:50.170089: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 18:24:50.170092: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.170094: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.170096: | length: 8 (0x8) Aug 26 18:24:50.170098: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:24:50.170101: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:24:50.170103: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.170105: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:50.170107: | length: 8 (0x8) Aug 26 18:24:50.170109: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:24:50.170112: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:24:50.170115: | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Aug 26 18:24:50.170117: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN Aug 26 18:24:50.170120: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 18:24:50.170122: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:24:50.170124: | length: 48 (0x30) Aug 26 18:24:50.170126: | prop #: 4 (0x4) Aug 26 18:24:50.170128: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:24:50.170130: | spi size: 4 (0x4) Aug 26 18:24:50.170132: | # transforms: 4 (0x4) Aug 26 18:24:50.170135: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 18:24:50.170137: | remote SPI 06 4f fb 8b Aug 26 18:24:50.170140: | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:24:50.170142: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.170144: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.170147: | length: 12 (0xc) Aug 26 18:24:50.170150: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:50.170152: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:24:50.170154: | *****parse IKEv2 Attribute 
Substructure Payload: Aug 26 18:24:50.170156: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:50.170159: | length/value: 128 (0x80) Aug 26 18:24:50.170161: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.170163: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.170165: | length: 8 (0x8) Aug 26 18:24:50.170168: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:24:50.170170: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 18:24:50.170172: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.170174: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.170176: | length: 8 (0x8) Aug 26 18:24:50.170179: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:24:50.170181: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:24:50.170183: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:24:50.170186: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:50.170188: | length: 8 (0x8) Aug 26 18:24:50.170190: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:24:50.170192: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:24:50.170195: | remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Aug 26 18:24:50.170198: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN Aug 26 18:24:50.170203: "north-east"[1] 192.1.3.33 #1: proposal 1:ESP:SPI=064ffb8b;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Aug 26 18:24:50.170207: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=064ffb8b;ENCR=AES_GCM_C_256;ESN=DISABLED Aug 26 18:24:50.170210: | converting proposal to internal trans attrs Aug 26 18:24:50.170230: | 
netlink_get_spi: allocated 0x3222c8da for esp.0@192.1.2.23 Aug 26 18:24:50.170233: | Emitting ikev2_proposal ... Aug 26 18:24:50.170235: | ****emit IKEv2 Security Association Payload: Aug 26 18:24:50.170238: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:50.170240: | flags: none (0x0) Aug 26 18:24:50.170244: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 18:24:50.170247: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 18:24:50.170250: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 18:24:50.170252: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:24:50.170254: | prop #: 1 (0x1) Aug 26 18:24:50.170256: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:24:50.170258: | spi size: 4 (0x4) Aug 26 18:24:50.170260: | # transforms: 2 (0x2) Aug 26 18:24:50.170263: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 18:24:50.170266: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 18:24:50.170268: | our spi 32 22 c8 da Aug 26 18:24:50.170271: | ******emit IKEv2 Transform Substructure Payload: Aug 26 18:24:50.170273: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.170275: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:24:50.170278: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:24:50.170280: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:50.170283: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 18:24:50.170286: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:24:50.170294: | length/value: 256 (0x100) Aug 26 18:24:50.170298: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 18:24:50.170301: | ******emit 
IKEv2 Transform Substructure Payload: Aug 26 18:24:50.170303: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:24:50.170305: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:24:50.170307: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:24:50.170310: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:24:50.170313: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:24:50.170315: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:24:50.170318: | emitting length of IKEv2 Proposal Substructure Payload: 32 Aug 26 18:24:50.170320: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 18:24:50.170323: | emitting length of IKEv2 Security Association Payload: 36 Aug 26 18:24:50.170327: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 18:24:50.170330: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 18:24:50.170332: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:50.170334: | flags: none (0x0) Aug 26 18:24:50.170337: | number of TS: 1 (0x1) Aug 26 18:24:50.170340: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 18:24:50.170342: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 18:24:50.170345: | *****emit IKEv2 Traffic Selector: Aug 26 18:24:50.170347: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:24:50.170349: | IP Protocol ID: 0 (0x0) Aug 26 18:24:50.170351: | start port: 0 (0x0) Aug 26 18:24:50.170353: | end port: 65535 (0xffff) Aug 26 
18:24:50.170356: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 18:24:50.170358: | ipv4 start c0 00 03 fe Aug 26 18:24:50.170361: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 18:24:50.170363: | ipv4 end c0 00 03 fe Aug 26 18:24:50.170365: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 18:24:50.170367: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 18:24:50.170370: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 18:24:50.170372: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:50.170374: | flags: none (0x0) Aug 26 18:24:50.170376: | number of TS: 1 (0x1) Aug 26 18:24:50.170379: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 18:24:50.170382: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 18:24:50.170384: | *****emit IKEv2 Traffic Selector: Aug 26 18:24:50.170386: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:24:50.170388: | IP Protocol ID: 0 (0x0) Aug 26 18:24:50.170390: | start port: 0 (0x0) Aug 26 18:24:50.170392: | end port: 65535 (0xffff) Aug 26 18:24:50.170395: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 18:24:50.170397: | ipv4 start c0 00 02 00 Aug 26 18:24:50.170399: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 18:24:50.170401: | ipv4 end c0 00 02 ff Aug 26 18:24:50.170403: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 18:24:50.170406: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 18:24:50.170408: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 18:24:50.170413: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Aug 26 18:24:50.170549: | FOR_EACH_CONNECTION_... 
in ISAKMP_SA_established Aug 26 18:24:50.170556: | #1 spent 1.04 milliseconds Aug 26 18:24:50.170559: | install_ipsec_sa() for #2: inbound and outbound Aug 26 18:24:50.170562: | could_route called for north-east (kind=CK_INSTANCE) Aug 26 18:24:50.170564: | FOR_EACH_CONNECTION_... in route_owner Aug 26 18:24:50.170567: | conn north-east mark 0/00000000, 0/00000000 vs Aug 26 18:24:50.170569: | conn north-east mark 0/00000000, 0/00000000 Aug 26 18:24:50.170572: | conn north-east mark 0/00000000, 0/00000000 vs Aug 26 18:24:50.170574: | conn north-east mark 0/00000000, 0/00000000 Aug 26 18:24:50.170580: | route owner of "north-east"[1] 192.1.3.33 unrouted: "north-east" prospective erouted; eroute owner: "north-east" prospective erouted Aug 26 18:24:50.170583: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 18:24:50.170586: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 18:24:50.170589: | AES_GCM_16 requires 4 salt bytes Aug 26 18:24:50.170591: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 18:24:50.170595: | setting IPsec SA replay-window to 32 Aug 26 18:24:50.170597: | NIC esp-hw-offload not for connection 'north-east' not available on interface eth1 Aug 26 18:24:50.170600: | netlink: enabling tunnel mode Aug 26 18:24:50.170603: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 18:24:50.170606: | netlink: esp-hw-offload not set for IPsec SA Aug 26 18:24:50.170676: | netlink response for Add SA esp.64ffb8b@192.1.3.33 included non-error error Aug 26 18:24:50.170680: | set up outgoing SA, ref=0/0 Aug 26 18:24:50.170683: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 18:24:50.170686: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 18:24:50.170688: | AES_GCM_16 requires 4 salt bytes Aug 26 18:24:50.170690: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 18:24:50.170693: 
| setting IPsec SA replay-window to 32 Aug 26 18:24:50.170696: | NIC esp-hw-offload not for connection 'north-east' not available on interface eth1 Aug 26 18:24:50.170698: | netlink: enabling tunnel mode Aug 26 18:24:50.170700: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 18:24:50.170703: | netlink: esp-hw-offload not set for IPsec SA Aug 26 18:24:50.170740: | netlink response for Add SA esp.3222c8da@192.1.2.23 included non-error error Aug 26 18:24:50.170745: | priority calculation of connection "north-east" is 0xfe7df Aug 26 18:24:50.170751: | add inbound eroute 192.0.3.254/32:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Aug 26 18:24:50.170754: | IPsec Sa SPD priority set to 1042399 Aug 26 18:24:50.170781: | raw_eroute result=success Aug 26 18:24:50.170785: | set up incoming SA, ref=0/0 Aug 26 18:24:50.170787: | sr for #2: unrouted Aug 26 18:24:50.170790: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 18:24:50.170792: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 18:24:50.170795: | conn north-east mark 0/00000000, 0/00000000 vs Aug 26 18:24:50.170797: | conn north-east mark 0/00000000, 0/00000000 Aug 26 18:24:50.170800: | conn north-east mark 0/00000000, 0/00000000 vs Aug 26 18:24:50.170802: | conn north-east mark 0/00000000, 0/00000000 Aug 26 18:24:50.170807: | route owner of "north-east"[1] 192.1.3.33 unrouted: "north-east" prospective erouted; eroute owner: "north-east" prospective erouted Aug 26 18:24:50.170810: | route_and_eroute with c: north-east (next: none) ero:north-east esr:{0x55d4a0bbf8c8} ro:north-east rosr:{0x55d4a0bbf8c8} and state: #2 Aug 26 18:24:50.170813: | priority calculation of connection "north-east" is 0xfe7df Aug 26 18:24:50.170819: | eroute_connection replace eroute 192.0.2.0/24:0 --0-> 192.0.3.254/32:0 => tun.0@192.1.3.33>tun.0@192.1.3.33 (raw_eroute) Aug 26 18:24:50.170822: | IPsec Sa SPD priority set to 1042399 Aug 26 18:24:50.170838: | raw_eroute result=success Aug 26 18:24:50.170842: | running updown command "ipsec _updown" for verb up Aug 26 18:24:50.170844: | command executing up-client Aug 26 18:24:50.170868: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' 
PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED Aug 26 18:24:50.170871: | popen cmd is 1056 chars long Aug 26 18:24:50.170874: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_I: Aug 26 18:24:50.170876: | cmd( 80):NTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@: Aug 26 18:24:50.170879: | cmd( 160):east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CL: Aug 26 18:24:50.170881: | cmd( 240):IENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID: Aug 26 18:24:50.170883: | cmd( 320):='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUT: Aug 26 18:24:50.170886: | cmd( 400):O_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_CL: Aug 26 18:24:50.170888: | cmd( 480):IENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PE: Aug 26 18:24:50.170890: | cmd( 560):ER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYP: Aug 26 18:24:50.170893: | cmd( 640):T+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO: Aug 26 18:24:50.170895: | cmd( 720):' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUT: Aug 26 18:24:50.170897: | cmd( 800):O_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_: Aug 26 18:24:50.170899: | cmd( 880):BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_: Aug 26 18:24:50.170902: | cmd( 960):IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x64ffb8b SPI_OUT=0x3222c8da ip: Aug 26 18:24:50.170904: | cmd(1040):sec _updown 2>&1: Aug 26 18:24:50.183521: | route_and_eroute: firewall_notified: true Aug 26 18:24:50.183542: | route_and_eroute: instance "north-east"[1] 192.1.3.33, setting eroute_owner 
{spd=0x55d4a0bc2108,sr=0x55d4a0bc2108} to #2 (was #0) (newest_ipsec_sa=#0) Aug 26 18:24:50.183618: | #1 spent 1.17 milliseconds in install_ipsec_sa() Aug 26 18:24:50.183626: | ISAKMP_v2_IKE_AUTH: instance north-east[1], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Aug 26 18:24:50.183630: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 18:24:50.183634: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:50.183638: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:24:50.183641: | emitting length of IKEv2 Encryption Payload: 407 Aug 26 18:24:50.183643: | emitting length of ISAKMP Message: 435 Aug 26 18:24:50.183688: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Aug 26 18:24:50.183702: | #1 spent 6.81 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Aug 26 18:24:50.183716: | suspend processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:24:50.183733: | start processing: state #2 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:24:50.183740: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Aug 26 18:24:50.183746: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Aug 26 18:24:50.183749: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Aug 26 18:24:50.183753: | Message ID: updating counters for #2 to 1 after switching state Aug 26 18:24:50.183759: | Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Aug 26 18:24:50.183763: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 
initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Aug 26 18:24:50.183766: | pstats #2 ikev2.child established Aug 26 18:24:50.183775: "north-east"[1] 192.1.3.33 #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.254-192.0.3.254:0-65535 0] Aug 26 18:24:50.183779: | NAT-T: encaps is 'auto' Aug 26 18:24:50.183783: "north-east"[1] 192.1.3.33 #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x064ffb8b <0x3222c8da xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} Aug 26 18:24:50.183788: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Aug 26 18:24:50.183796: | sending 435 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Aug 26 18:24:50.183903: | releasing whack for #2 (sock=fd@-1) Aug 26 18:24:50.183908: | releasing whack and unpending for parent #1 Aug 26 18:24:50.183914: | unpending state #1 connection "north-east"[1] 192.1.3.33 Aug 26 18:24:50.183923: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Aug 26 18:24:50.183926: | event_schedule: new EVENT_SA_REKEY-pe@0x55d4a0bccec8 Aug 26 18:24:50.183930: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Aug 26 18:24:50.183934: | libevent_malloc: new ptr-libevent@0x55d4a0bc2c38 size 128 Aug 26 18:24:50.183948: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 18:24:50.183956: | #1 spent 7.18 milliseconds in resume sending helper answer Aug 26 18:24:50.183962: | stop processing: state #2 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:833) Aug 26 18:24:50.183967: | libevent_free: release ptr-libevent@0x7f678c000f48 Aug 26 18:24:50.183987: | processing signal PLUTO_SIGCHLD Aug 26 18:24:50.183998: | waitpid returned ECHILD (no child processes left) Aug 26 18:24:50.184004: | spent 0.00716 milliseconds in signal
handler PLUTO_SIGCHLD Aug 26 18:24:54.694661: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:24:54.694948: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 18:24:54.694956: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 18:24:54.695064: | FOR_EACH_STATE_... in show_states_status (sort_states) Aug 26 18:24:54.695069: | FOR_EACH_STATE_... in sort_states Aug 26 18:24:54.695085: | get_sa_info esp.3222c8da@192.1.2.23 Aug 26 18:24:54.695105: | get_sa_info esp.64ffb8b@192.1.3.33 Aug 26 18:24:54.695130: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:24:54.695139: | spent 0.486 milliseconds in whack Aug 26 18:24:56.870719: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:24:56.870761: shutting down Aug 26 18:24:56.870784: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Aug 26 18:24:56.870791: | certs and keys locked by 'free_preshared_secrets' Aug 26 18:24:56.870794: forgetting secrets Aug 26 18:24:56.870804: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 18:24:56.870808: | unreference key: 0x55d4a0bc18f8 @east cnt 1-- Aug 26 18:24:56.870814: | unreference key: 0x55d4a0b18c48 @north cnt 2-- Aug 26 18:24:56.870820: | start processing: connection "north-east"[1] 192.1.3.33 (in delete_connection() at connections.c:189) Aug 26 18:24:56.870826: "north-east"[1] 192.1.3.33: deleting connection "north-east"[1] 192.1.3.33 instance with peer 192.1.3.33 {isakmp=#1/ipsec=#2} Aug 26 18:24:56.870830: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 18:24:56.870833: | pass 0 Aug 26 18:24:56.870848: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 18:24:56.870851: | state #2 Aug 26 18:24:56.870855: | suspend processing: connection "north-east"[1] 192.1.3.33 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 18:24:56.870862: | start processing: state #2 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 18:24:56.870865: | pstats #2 ikev2.child deleted completed Aug 26 18:24:56.870871: | [RE]START processing: state #2 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in delete_state() at state.c:879) Aug 26 18:24:56.870876: "north-east"[1] 192.1.3.33 #2: deleting state (STATE_V2_IPSEC_R) aged 6.701s and sending notification Aug 26 18:24:56.870879: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Aug 26 18:24:56.870884: | get_sa_info esp.64ffb8b@192.1.3.33 Aug 26 18:24:56.870899: | get_sa_info esp.3222c8da@192.1.2.23 Aug 26 18:24:56.870908: "north-east"[1] 192.1.3.33 #2: ESP traffic information: in=336B out=336B Aug 26 18:24:56.870912: | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R Aug 26 18:24:56.870915: | Opening output PBS informational exchange delete request Aug 26 18:24:56.870918: | **emit ISAKMP Message: Aug 26 18:24:56.870925: | initiator cookie: Aug 26 18:24:56.870927: | 95 9c 0b 68 d1 11 81 2d Aug 26 18:24:56.870930: | responder cookie: Aug 26 18:24:56.870932: | 30 de 6d 29 9b 36 ee 89 Aug 26 18:24:56.870935: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:24:56.870938: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:56.870941: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 18:24:56.870944: | flags: none (0x0) Aug 26 18:24:56.870946: | Message ID: 0 (0x0) Aug 26 18:24:56.870949: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:24:56.870953: | ***emit IKEv2 Encryption Payload: Aug 26 18:24:56.870956: | next payload type: ISAKMP_NEXT_v2NONE (0x0) 
Aug 26 18:24:56.870958: | flags: none (0x0) Aug 26 18:24:56.870962: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:24:56.870965: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:24:56.870968: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:24:56.870983: | ****emit IKEv2 Delete Payload: Aug 26 18:24:56.870986: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:56.870988: | flags: none (0x0) Aug 26 18:24:56.870991: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 18:24:56.870993: | SPI size: 4 (0x4) Aug 26 18:24:56.870996: | number of SPIs: 1 (0x1) Aug 26 18:24:56.870999: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 18:24:56.871002: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:24:56.871005: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Aug 26 18:24:56.871008: | local spis 32 22 c8 da Aug 26 18:24:56.871010: | emitting length of IKEv2 Delete Payload: 12 Aug 26 18:24:56.871014: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 18:24:56.871017: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:56.871020: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:24:56.871023: | emitting length of IKEv2 Encryption Payload: 41 Aug 26 18:24:56.871025: | emitting length of ISAKMP Message: 69 Aug 26 18:24:56.871052: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #2) Aug 26 18:24:56.871055: | 95 9c 0b 68 d1 11 81 2d 30 de 6d 29 9b 36 ee 89 Aug 26 18:24:56.871057: | 2e 20 25 00 00 00 00 00 00 00 00 45 2a 00 00 29 
Aug 26 18:24:56.871060: | 37 21 cc c6 a6 b0 a4 ad 13 5c 81 3a 5f a1 55 ce Aug 26 18:24:56.871062: | 34 bc 09 81 78 c2 2b fe fb 66 8b 02 74 7a 1f 21 Aug 26 18:24:56.871065: | f0 61 e3 95 b8 Aug 26 18:24:56.871130: | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Aug 26 18:24:56.871134: | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send Aug 26 18:24:56.871139: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1->0 wip.responder=-1 Aug 26 18:24:56.871143: | state #2 requesting EVENT_SA_REKEY to be deleted Aug 26 18:24:56.871148: | libevent_free: release ptr-libevent@0x55d4a0bc2c38 Aug 26 18:24:56.871152: | free_event_entry: release EVENT_SA_REKEY-pe@0x55d4a0bccec8 Aug 26 18:24:56.871594: | running updown command "ipsec _updown" for verb down Aug 26 18:24:56.871604: | command executing down-client Aug 26 18:24:56.871632: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566843890' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' 
PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING= Aug 26 18:24:56.871638: | popen cmd is 1069 chars long Aug 26 18:24:56.871641: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO: Aug 26 18:24:56.871644: | cmd( 80):_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID=: Aug 26 18:24:56.871647: | cmd( 160):'@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_: Aug 26 18:24:56.871650: | cmd( 240):CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQ: Aug 26 18:24:56.871653: | cmd( 320):ID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PL: Aug 26 18:24:56.871655: | cmd( 400):UTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_: Aug 26 18:24:56.871658: | cmd( 480):CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_: Aug 26 18:24:56.871661: | cmd( 560):PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566843890' PLUTO_CONN_POLICY='RS: Aug 26 18:24:56.871664: | cmd( 640):ASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_A: Aug 26 18:24:56.871666: | cmd( 720):LLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_: Aug 26 18:24:56.871669: | cmd( 800):FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO=': Aug 26 18:24:56.871672: | cmd( 880):' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIG: Aug 26 18:24:56.871675: | cmd( 960):URED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x64ffb8b SPI_OUT=: Aug 26 18:24:56.871677: | cmd(1040):0x3222c8da ipsec _updown 2>&1: Aug 26 18:24:56.881253: | shunt_eroute() called for connection 'north-east' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 Aug 26 18:24:56.881270: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 18:24:56.881273: | priority calculation 
of connection "north-east" is 0xfe7df Aug 26 18:24:56.881278: | IPsec Sa SPD priority set to 1042399 Aug 26 18:24:56.881422: | delete esp.64ffb8b@192.1.3.33 Aug 26 18:24:56.881453: | netlink response for Del SA esp.64ffb8b@192.1.3.33 included non-error error Aug 26 18:24:56.881488: | priority calculation of connection "north-east" is 0xfe7df Aug 26 18:24:56.881495: | delete inbound eroute 192.0.3.254/32:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Aug 26 18:24:56.881636: | raw_eroute result=success Aug 26 18:24:56.881645: | delete esp.3222c8da@192.1.2.23 Aug 26 18:24:56.881660: | netlink response for Del SA esp.3222c8da@192.1.2.23 included non-error error Aug 26 18:24:56.881675: | stop processing: connection "north-east"[1] 192.1.3.33 (BACKGROUND) (in update_state_connection() at connections.c:4076) Aug 26 18:24:56.881681: | start processing: connection NULL (in update_state_connection() at connections.c:4077) Aug 26 18:24:56.881685: | in connection_discard for connection north-east Aug 26 18:24:56.881689: | State DB: deleting IKEv2 state #2 in V2_IPSEC_R Aug 26 18:24:56.881696: | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Aug 26 18:24:56.881706: | stop processing: state #2 from 192.1.3.33:500 (in delete_state() at state.c:1143) Aug 26 18:24:56.881722: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 18:24:56.881729: | state #1 Aug 26 18:24:56.881732: | pass 1 Aug 26 18:24:56.881734: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 18:24:56.881736: | state #1 Aug 26 18:24:56.881742: | start processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 18:24:56.881745: | pstats #1 ikev2.ike deleted completed Aug 26 18:24:56.881753: | #1 spent 12.2 milliseconds in total Aug 26 18:24:56.881757: | [RE]START processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in delete_state() at state.c:879) Aug 26 18:24:56.881762: "north-east"[1] 192.1.3.33 #1: deleting state (STATE_PARENT_R2) aged 6.732s and sending notification Aug 26 18:24:56.881766: | parent state #1: PARENT_R2(established IKE SA) => delete Aug 26 18:24:56.881816: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Aug 26 18:24:56.881823: | Opening output PBS informational exchange delete request Aug 26 18:24:56.881827: | **emit ISAKMP Message: Aug 26 18:24:56.881830: | initiator cookie: Aug 26 18:24:56.881833: | 95 9c 0b 68 d1 11 81 2d Aug 26 18:24:56.881835: | responder cookie: Aug 26 18:24:56.881838: | 30 de 6d 29 9b 36 ee 89 Aug 26 18:24:56.881841: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:24:56.881844: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:24:56.881847: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 18:24:56.881850: | flags: none (0x0) Aug 26 18:24:56.881853: | Message ID: 1 (0x1) Aug 26 18:24:56.881856: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:24:56.881859: | ***emit IKEv2 Encryption Payload: Aug 26 18:24:56.881862: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:56.881865: | flags: none (0x0) Aug 26 18:24:56.881868: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:24:56.881872: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' 
in 'informational exchange delete request' Aug 26 18:24:56.881875: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:24:56.881897: | ****emit IKEv2 Delete Payload: Aug 26 18:24:56.881900: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:24:56.881903: | flags: none (0x0) Aug 26 18:24:56.881905: | protocol ID: PROTO_v2_IKE (0x1) Aug 26 18:24:56.881908: | SPI size: 0 (0x0) Aug 26 18:24:56.881910: | number of SPIs: 0 (0x0) Aug 26 18:24:56.881914: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 18:24:56.881917: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:24:56.881920: | emitting length of IKEv2 Delete Payload: 8 Aug 26 18:24:56.881922: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 18:24:56.881925: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:24:56.881928: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:24:56.881931: | emitting length of IKEv2 Encryption Payload: 37 Aug 26 18:24:56.881933: | emitting length of ISAKMP Message: 65 Aug 26 18:24:56.881960: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Aug 26 18:24:56.881964: | 95 9c 0b 68 d1 11 81 2d 30 de 6d 29 9b 36 ee 89 Aug 26 18:24:56.881966: | 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25 Aug 26 18:24:56.881969: | d9 33 08 21 d0 a2 bc 36 66 61 46 bc 6c 77 dc 2e Aug 26 18:24:56.881971: | 03 5b ed 5d 88 8d bc a1 0c 76 04 b1 bf 2e 11 23 Aug 26 18:24:56.881973: | 08 Aug 26 18:24:56.882008: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Aug 26 18:24:56.882011: | Message ID: IKE #1 sender #1 in send_delete hacking around record ' send Aug 26 
18:24:56.882017: | Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=1 wip.responder=-1 Aug 26 18:24:56.882020: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=0->1 wip.responder=-1 Aug 26 18:24:56.882022: | state #1 requesting EVENT_SA_REKEY to be deleted Aug 26 18:24:56.882031: | libevent_free: release ptr-libevent@0x55d4a0bc2868 Aug 26 18:24:56.882034: | free_event_entry: release EVENT_SA_REKEY-pe@0x55d4a0bc1668 Aug 26 18:24:56.882038: | State DB: IKEv2 state not found (flush_incomplete_children) Aug 26 18:24:56.882040: | in connection_discard for connection north-east Aug 26 18:24:56.882042: | State DB: deleting IKEv2 state #1 in PARENT_R2 Aug 26 18:24:56.882044: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Aug 26 18:24:56.882047: | unreference key: 0x55d4a0b18c48 @north cnt 1-- Aug 26 18:24:56.882075: | stop processing: state #1 from 192.1.3.33:500 (in delete_state() at state.c:1143) Aug 26 18:24:56.882099: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 18:24:56.882102: | shunt_eroute() called for connection 'north-east' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 Aug 26 18:24:56.882104: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 18:24:56.882106: | priority calculation of connection "north-east" is 0xfe7df Aug 26 18:24:56.882144: | priority calculation of connection "north-east" is 0xfe7df Aug 26 18:24:56.882152: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 18:24:56.882154: | conn north-east mark 0/00000000, 0/00000000 vs Aug 26 18:24:56.882156: | conn north-east mark 0/00000000, 0/00000000 Aug 26 18:24:56.882158: | conn north-east mark 0/00000000, 0/00000000 vs Aug 26 18:24:56.882160: | conn north-east mark 0/00000000, 0/00000000 Aug 26 18:24:56.882163: | route owner of "north-east" unrouted: "north-east" prospective erouted Aug 26 18:24:56.882165: | flush revival: connection 'north-east' wasn't on the list Aug 26 18:24:56.882168: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Aug 26 18:24:56.882173: | start processing: connection "north-east" (in delete_connection() at connections.c:189) Aug 26 18:24:56.882175: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 18:24:56.882177: | pass 0 Aug 26 18:24:56.882178: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 18:24:56.882180: | pass 1 Aug 26 18:24:56.882181: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 18:24:56.882183: | shunt_eroute() called for connection 'north-east' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 Aug 26 18:24:56.882185: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 18:24:56.882187: | priority calculation of connection "north-east" is 0xfe7df Aug 26 18:24:56.882193: "north-east": ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory Aug 26 18:24:56.882195: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 18:24:56.882197: | conn north-east mark 0/00000000, 0/00000000 vs Aug 26 18:24:56.882199: | conn north-east mark 0/00000000, 0/00000000 Aug 26 18:24:56.882201: | route owner of "north-east" unrouted: NULL Aug 26 18:24:56.882203: | running updown command "ipsec _updown" for verb unroute Aug 26 18:24:56.882205: | command executing unroute-client Aug 26 18:24:56.882222: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' Aug 26 18:24:56.882228: | popen cmd is 1049 chars long Aug 26 18:24:56.882230: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PL: Aug 26 18:24:56.882232: | cmd( 80):UTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_: Aug 26 18:24:56.882234: | cmd( 160):ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_: Aug 26 18:24:56.882236: | cmd( 240):MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_: Aug 26 18:24:56.882237: | cmd( 320):REQID='16388' 
PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north: Aug 26 18:24:56.882239: | cmd( 400):' PLUTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_P: Aug 26 18:24:56.882241: | cmd( 480):EER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PL: Aug 26 18:24:56.882242: | cmd( 560):UTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+: Aug 26 18:24:56.882244: | cmd( 640):ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+: Aug 26 18:24:56.882246: | cmd( 720):ESN_NO' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=: Aug 26 18:24:56.882247: | cmd( 800):0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO: Aug 26 18:24:56.882249: | cmd( 880):_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0: Aug 26 18:24:56.882251: | cmd( 960):' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _up: Aug 26 18:24:56.882252: | cmd(1040):down 2>&1: Aug 26 18:24:56.896875: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:56.896900: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:56.896906: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:56.896911: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:56.896916: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:56.896929: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:56.896943: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:56.896956: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:56.896968: "north-east": unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 18:24:56.896980: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:56.896991: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:56.897006: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:56.897018: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:56.897030: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:56.897042: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:56.897054: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:56.897068: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:56.897081: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:56.897093: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:56.897420: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:24:56.897431: "north-east": unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 18:24:56.907231: | free hp@0x55d4a0bc1588
Aug 26 18:24:56.907252: | flush revival: connection 'north-east' wasn't on the list
Aug 26 18:24:56.907259: | stop processing: connection "north-east" (in discard_connection() at connections.c:249)
Aug 26 18:24:56.907274: | crl fetch request list locked by 'free_crl_fetch'
Aug 26 18:24:56.907277: | crl fetch request list unlocked by 'free_crl_fetch'
Aug 26 18:24:56.907344: shutting down interface lo/lo 127.0.0.1:4500
Aug 26 18:24:56.907352: shutting down interface lo/lo 127.0.0.1:500
Aug 26 18:24:56.907355: shutting down interface eth0/eth0 192.0.2.254:4500
Aug 26 18:24:56.907359: shutting down interface eth0/eth0 192.0.2.254:500
Aug 26 18:24:56.907362: shutting down interface eth1/eth1 192.1.2.23:4500
Aug 26 18:24:56.907365: shutting down interface eth1/eth1 192.1.2.23:500
Aug 26 18:24:56.907369: | FOR_EACH_STATE_... in delete_states_dead_interfaces
Aug 26 18:24:56.907382: | libevent_free: release ptr-libevent@0x55d4a0bb2f58
Aug 26 18:24:56.907386: | free_event_entry: release EVENT_NULL-pe@0x55d4a0bbec58
Aug 26 18:24:56.907398: | libevent_free: release ptr-libevent@0x55d4a0b461c8
Aug 26 18:24:56.907402: | free_event_entry: release EVENT_NULL-pe@0x55d4a0bbed08
Aug 26 18:24:56.907411: | libevent_free: release ptr-libevent@0x55d4a0b46118
Aug 26 18:24:56.907415: | free_event_entry: release EVENT_NULL-pe@0x55d4a0bbedb8
Aug 26 18:24:56.907424: | libevent_free: release ptr-libevent@0x55d4a0b496e8
Aug 26 18:24:56.907428: | free_event_entry: release EVENT_NULL-pe@0x55d4a0bbee68
Aug 26 18:24:56.907436: | libevent_free: release ptr-libevent@0x55d4a0b1d4e8
Aug 26 18:24:56.907439: | free_event_entry: release EVENT_NULL-pe@0x55d4a0bbef18
Aug 26 18:24:56.907446: | libevent_free: release ptr-libevent@0x55d4a0b1d1d8
Aug 26 18:24:56.907449: | free_event_entry: release EVENT_NULL-pe@0x55d4a0bbefc8
Aug 26 18:24:56.907454: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
Aug 26 18:24:56.907878: | libevent_free: release ptr-libevent@0x55d4a0bb3008
Aug 26 18:24:56.907887: | free_event_entry: release EVENT_NULL-pe@0x55d4a0ba6df8
Aug 26 18:24:56.907893: | libevent_free: release ptr-libevent@0x55d4a0b48f28
Aug 26 18:24:56.907897: | free_event_entry: release EVENT_NULL-pe@0x55d4a0ba6d88
Aug 26 18:24:56.907901: | libevent_free: release ptr-libevent@0x55d4a0b8a5f8
Aug 26 18:24:56.907904: | free_event_entry: release EVENT_NULL-pe@0x55d4a0ba6248
Aug 26 18:24:56.907909: | global timer EVENT_REINIT_SECRET uninitialized
Aug 26 18:24:56.907912: | global timer EVENT_SHUNT_SCAN uninitialized
Aug 26 18:24:56.907914: | global timer EVENT_PENDING_DDNS uninitialized
Aug 26 18:24:56.907917: | global timer EVENT_PENDING_PHASE2 uninitialized
Aug 26 18:24:56.907919: | global timer EVENT_CHECK_CRLS uninitialized
Aug 26 18:24:56.907921: | global timer EVENT_REVIVE_CONNS uninitialized
Aug 26 18:24:56.907924: | global timer EVENT_FREE_ROOT_CERTS uninitialized
Aug 26 18:24:56.907926: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized
Aug 26 18:24:56.907929: | global timer EVENT_NAT_T_KEEPALIVE uninitialized
Aug 26 18:24:56.907934: | libevent_free: release ptr-libevent@0x55d4a0b51988
Aug 26 18:24:56.907937: | signal event handler PLUTO_SIGCHLD uninstalled
Aug 26 18:24:56.907940: | libevent_free: release ptr-libevent@0x55d4a0b497b8
Aug 26 18:24:56.907942: | signal event handler PLUTO_SIGTERM uninstalled
Aug 26 18:24:56.907946: | libevent_free: release ptr-libevent@0x55d4a0bbe548
Aug 26 18:24:56.907948: | signal event handler PLUTO_SIGHUP uninstalled
Aug 26 18:24:56.907951: | libevent_free: release ptr-libevent@0x55d4a0bbe788
Aug 26 18:24:56.907954: | signal event handler PLUTO_SIGSYS uninstalled
Aug 26 18:24:56.907956: | releasing event base
Aug 26 18:24:56.907968: | libevent_free: release ptr-libevent@0x55d4a0bbe658
Aug 26 18:24:56.907974: | libevent_free: release ptr-libevent@0x55d4a0ba1638
Aug 26 18:24:56.907978: | libevent_free: release ptr-libevent@0x55d4a0ba15e8
Aug 26 18:24:56.907980: | libevent_free: release ptr-libevent@0x55d4a0ba1578
Aug 26 18:24:56.907983: | libevent_free: release ptr-libevent@0x55d4a0ba1538
Aug 26 18:24:56.907986: | libevent_free: release ptr-libevent@0x55d4a0bbe2d8
Aug 26 18:24:56.907988: | libevent_free: release ptr-libevent@0x55d4a0bbe488
Aug 26 18:24:56.907991: | libevent_free: release ptr-libevent@0x55d4a0ba17e8
Aug 26 18:24:56.907993: | libevent_free: release ptr-libevent@0x55d4a0ba6358
Aug 26 18:24:56.907996: | libevent_free: release ptr-libevent@0x55d4a0ba6d48
Aug 26 18:24:56.907998: | libevent_free: release ptr-libevent@0x55d4a0bbf038
Aug 26 18:24:56.908000: | libevent_free: release ptr-libevent@0x55d4a0bbef88
Aug 26 18:24:56.908003: | libevent_free: release ptr-libevent@0x55d4a0bbeed8
Aug 26 18:24:56.908005: | libevent_free: release ptr-libevent@0x55d4a0bbee28
Aug 26 18:24:56.908007: | libevent_free: release ptr-libevent@0x55d4a0bbed78
Aug 26 18:24:56.908010: | libevent_free: release ptr-libevent@0x55d4a0bbecc8
Aug 26 18:24:56.908012: | libevent_free: release ptr-libevent@0x55d4a0b459b8
Aug 26 18:24:56.908014: | libevent_free: release ptr-libevent@0x55d4a0bbe508
Aug 26 18:24:56.908016: | libevent_free: release ptr-libevent@0x55d4a0bbe4c8
Aug 26 18:24:56.908018: | libevent_free: release ptr-libevent@0x55d4a0bbe448
Aug 26 18:24:56.908021: | libevent_free: release ptr-libevent@0x55d4a0bbe618
Aug 26 18:24:56.908023: | libevent_free: release ptr-libevent@0x55d4a0bbe318
Aug 26 18:24:56.908026: | libevent_free: release ptr-libevent@0x55d4a0b1c908
Aug 26 18:24:56.908028: | libevent_free: release ptr-libevent@0x55d4a0b1cd38
Aug 26 18:24:56.908031: | libevent_free: release ptr-libevent@0x55d4a0b45d28
Aug 26 18:24:56.908033: | releasing global libevent data
Aug 26 18:24:56.908037: | libevent_free: release ptr-libevent@0x55d4a0b1d868
Aug 26 18:24:56.908040: | libevent_free: release ptr-libevent@0x55d4a0b1ccd8
Aug 26 18:24:56.908043: | libevent_free: release ptr-libevent@0x55d4a0b1cdd8
Aug 26 18:24:56.908081: leak detective found no leaks