Aug 26 18:33:59.254477: FIPS Product: YES
Aug 26 18:33:59.254595: FIPS Kernel: NO
Aug 26 18:33:59.254599: FIPS Mode: NO
Aug 26 18:33:59.254602: NSS DB directory: sql:/etc/ipsec.d
Aug 26 18:33:59.254754: Initializing NSS
Aug 26 18:33:59.254762: Opening NSS database "sql:/etc/ipsec.d" read-only
Aug 26 18:33:59.290037: NSS initialized
Aug 26 18:33:59.290056: NSS crypto library initialized
Aug 26 18:33:59.290058: FIPS HMAC integrity support [enabled]
Aug 26 18:33:59.290060: FIPS mode disabled for pluto daemon
Aug 26 18:33:59.315898: FIPS HMAC integrity verification self-test FAILED
Aug 26 18:33:59.316235: libcap-ng support [enabled]
Aug 26 18:33:59.316241: Linux audit support [enabled]
Aug 26 18:33:59.316528: Linux audit activated
Aug 26 18:33:59.316538: Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:566
Aug 26 18:33:59.316539: core dump dir: /tmp
Aug 26 18:33:59.316541: secrets file: /etc/ipsec.secrets
Aug 26 18:33:59.316543: leak-detective enabled
Aug 26 18:33:59.316544: NSS crypto [enabled]
Aug 26 18:33:59.316546: XAUTH PAM support [enabled]
Aug 26 18:33:59.316602: | libevent is using pluto's memory allocator
Aug 26 18:33:59.316607: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
Aug 26 18:33:59.316619: | libevent_malloc: new ptr-libevent@0x55e6856cb868 size 40
Aug 26 18:33:59.316624: | libevent_malloc: new ptr-libevent@0x55e6856cacd8 size 40
Aug 26 18:33:59.316627: | libevent_malloc: new ptr-libevent@0x55e6856cadd8 size 40
Aug 26 18:33:59.316628: | creating event base
Aug 26 18:33:59.316631: | libevent_malloc: new ptr-libevent@0x55e68574f6d8 size 56
Aug 26 18:33:59.316634: | libevent_malloc: new ptr-libevent@0x55e6856f36b8 size 664
Aug 26 18:33:59.316642: | libevent_malloc: new ptr-libevent@0x55e68574f748 size 24
Aug 26 18:33:59.316644: | libevent_malloc: new ptr-libevent@0x55e68574f798 size 384
Aug 26 18:33:59.316652: | libevent_malloc: new ptr-libevent@0x55e68574f698 size 16
Aug 26 18:33:59.316654: | libevent_malloc: new ptr-libevent@0x55e6856ca908 size 40
Aug 26 18:33:59.316655: | libevent_malloc: new ptr-libevent@0x55e6856cad38 size 48
Aug 26 18:33:59.316659: | libevent_realloc: new ptr-libevent@0x55e6856f3348 size 256
Aug 26 18:33:59.316661: | libevent_malloc: new ptr-libevent@0x55e68574f948 size 16
Aug 26 18:33:59.316665: | libevent_free: release ptr-libevent@0x55e68574f6d8
Aug 26 18:33:59.316668: | libevent initialized
Aug 26 18:33:59.316670: | libevent_realloc: new ptr-libevent@0x55e68574f6d8 size 64
Aug 26 18:33:59.316674: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds
Aug 26 18:33:59.316685: | init_nat_traversal() initialized with keep_alive=0s
Aug 26 18:33:59.316687: NAT-Traversal support [enabled]
Aug 26 18:33:59.316689: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized
Aug 26 18:33:59.316694: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized
Aug 26 18:33:59.316696: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds
Aug 26 18:33:59.316721: | global one-shot timer EVENT_REVIVE_CONNS initialized
Aug 26 18:33:59.316724: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds
Aug 26 18:33:59.316726: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds
Aug 26 18:33:59.316757: Encryption algorithms:
Aug 26 18:33:59.316763: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c
Aug 26 18:33:59.316766: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b
Aug 26 18:33:59.316769: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a
Aug 26 18:33:59.316771: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des
Aug 26 18:33:59.316773: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
Aug 26 18:33:59.316780: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia
Aug 26 18:33:59.316783: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c
Aug 26 18:33:59.316785: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b
Aug 26 18:33:59.316787: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a
Aug 26 18:33:59.316790: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr
Aug 26 18:33:59.316792: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes
Aug 26 18:33:59.316794: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent
Aug 26 18:33:59.316796: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish
Aug 26 18:33:59.316799: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh
Aug 26 18:33:59.316801: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac
Aug 26 18:33:59.316803: NULL IKEv1: ESP IKEv2: ESP []
Aug 26 18:33:59.316805: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305
Aug 26 18:33:59.316810: Hash algorithms:
Aug 26 18:33:59.316812: MD5 IKEv1: IKE IKEv2:
Aug 26 18:33:59.316814: SHA1 IKEv1: IKE IKEv2: FIPS sha
Aug 26 18:33:59.316816: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256
Aug 26 18:33:59.316818: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384
Aug 26 18:33:59.316820: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512
Aug 26 18:33:59.316828: PRF algorithms:
Aug 26 18:33:59.316830: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5
Aug 26 18:33:59.316832: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1
Aug 26 18:33:59.316834: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256
Aug 26 18:33:59.316836: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384
Aug 26 18:33:59.316838: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512
Aug 26 18:33:59.316840: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc
Aug 26 18:33:59.316856: Integrity algorithms:
Aug 26 18:33:59.316859: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5
Aug 26 18:33:59.316861: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1
Aug 26 18:33:59.316864: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512
Aug 26 18:33:59.316866: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384
Aug 26 18:33:59.316869: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Aug 26 18:33:59.316870: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
Aug 26 18:33:59.316873: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96
Aug 26 18:33:59.316875: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
Aug 26 18:33:59.316877: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
Aug 26 18:33:59.316884: DH algorithms:
Aug 26 18:33:59.316886: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0
Aug 26 18:33:59.316888: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5
Aug 26 18:33:59.316890: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14
Aug 26 18:33:59.316895: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15
Aug 26 18:33:59.316897: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16
Aug 26 18:33:59.316899: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17
Aug 26 18:33:59.316900: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18
Aug 26 18:33:59.316902: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256
Aug 26 18:33:59.316904: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384
Aug 26 18:33:59.316906: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521
Aug 26 18:33:59.316908: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519
Aug 26 18:33:59.316910: testing CAMELLIA_CBC:
Aug 26 18:33:59.316912: Camellia: 16 bytes with 128-bit key
Aug 26 18:33:59.317003: Camellia: 16 bytes with 128-bit key
Aug 26 18:33:59.317022: Camellia: 16 bytes with 256-bit key
Aug 26 18:33:59.317040: Camellia: 16 bytes with 256-bit key
Aug 26 18:33:59.317058: testing AES_GCM_16:
Aug 26 18:33:59.317060: empty string
Aug 26 18:33:59.317080: one block
Aug 26 18:33:59.317096: two blocks
Aug 26 18:33:59.317112: two blocks with associated data
Aug 26 18:33:59.317129: testing AES_CTR:
Aug 26 18:33:59.317131: Encrypting 16 octets using AES-CTR with 128-bit key
Aug 26 18:33:59.317148: Encrypting 32 octets using AES-CTR with 128-bit key
Aug 26 18:33:59.317164: Encrypting 36 octets using AES-CTR with 128-bit key
Aug 26 18:33:59.317182: Encrypting 16 octets using AES-CTR with 192-bit key
Aug 26 18:33:59.317198: Encrypting 32 octets using AES-CTR with 192-bit key
Aug 26 18:33:59.317214: Encrypting 36 octets using AES-CTR with 192-bit key
Aug 26 18:33:59.317231: Encrypting 16 octets using AES-CTR with 256-bit key
Aug 26 18:33:59.317248: Encrypting 32 octets using AES-CTR with 256-bit key
Aug 26 18:33:59.317265: Encrypting 36 octets using AES-CTR with 256-bit key
Aug 26 18:33:59.317282: testing AES_CBC:
Aug 26 18:33:59.317284: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Aug 26 18:33:59.317305: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Aug 26 18:33:59.317341: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Aug 26 18:33:59.317373: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Aug 26 18:33:59.317394: testing AES_XCBC:
Aug 26 18:33:59.317396: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input
Aug 26 18:33:59.317468: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input
Aug 26 18:33:59.317547: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input
Aug 26 18:33:59.317620: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input
Aug 26 18:33:59.317694: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input
Aug 26 18:33:59.317769: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input
Aug 26 18:33:59.317845: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input
Aug 26 18:33:59.318009: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Aug 26 18:33:59.318084: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Aug 26 18:33:59.318165: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Aug 26 18:33:59.318327: testing HMAC_MD5:
Aug 26 18:33:59.318332: RFC 2104: MD5_HMAC test 1
Aug 26 18:33:59.318447: RFC 2104: MD5_HMAC test 2
Aug 26 18:33:59.318540: RFC 2104: MD5_HMAC test 3
Aug 26 18:33:59.318657: 8 CPU cores online
Aug 26 18:33:59.318661: starting up 7 crypto helpers
Aug 26 18:33:59.318688: started thread for crypto helper 0
Aug 26 18:33:59.318704: started thread for crypto helper 1
Aug 26 18:33:59.318736: | starting up helper thread 0
Aug 26 18:33:59.318742: | starting up helper thread 1
Aug 26 18:33:59.318747: | starting up helper thread 2
Aug 26 18:33:59.318741: started thread for crypto helper 2
Aug 26 18:33:59.318756: | status value returned by setting the priority of this thread (crypto helper 1) 22
Aug 26 18:33:59.318772: | crypto helper 1 waiting (nothing to do)
Aug 26 18:33:59.318791: started thread for crypto helper 3
Aug 26 18:33:59.318794: | starting up helper thread 3
Aug 26 18:33:59.318753: | status value returned by setting the priority of this thread (crypto helper 0) 22
Aug 26 18:33:59.318760: | status value returned by setting the priority of this thread (crypto helper 2) 22
Aug 26 18:33:59.318847: started thread for crypto helper 4
Aug 26 18:33:59.318818: | status value returned by setting the priority of this thread (crypto helper 3) 22
Aug 26 18:33:59.318890: started thread for crypto helper 5
Aug 26 18:33:59.318839: | crypto helper 0 waiting (nothing to do)
Aug 26 18:33:59.318893: | starting up helper thread 5
Aug 26 18:33:59.318913: | starting up helper thread 4
Aug 26 18:33:59.318952: started thread for crypto helper 6
Aug 26 18:33:59.318954: | starting up helper thread 6
Aug 26 18:33:59.318930: | status value returned by setting the priority of this thread (crypto helper 5) 22
Aug 26 18:33:59.318971: | status value returned by setting the priority of this thread (crypto helper 4) 22
Aug 26 18:33:59.318975: | checking IKEv1 state table
Aug 26 18:33:59.318976: | crypto helper 2 waiting (nothing to do)
Aug 26 18:33:59.318983: | status value returned by setting the priority of this thread (crypto helper 6) 22
Aug 26 18:33:59.318995: | MAIN_R0: category: half-open IKE SA flags: 0:
Aug 26 18:33:59.318999: | crypto helper 6 waiting (nothing to do)
Aug 26 18:33:59.319015: | -> MAIN_R1 EVENT_SO_DISCARD
Aug 26 18:33:59.319021: | MAIN_I1: category: half-open IKE SA flags: 0:
Aug 26 18:33:59.319023: | -> MAIN_I2 EVENT_RETRANSMIT
Aug 26 18:33:59.319025: | MAIN_R1: category: open IKE SA flags: 200:
Aug 26 18:33:59.319027: | -> MAIN_R2 EVENT_RETRANSMIT
Aug 26 18:33:59.319028: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 18:33:59.319030: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 18:33:59.319031: | MAIN_I2: category: open IKE SA flags: 0:
Aug 26 18:33:59.319033: | -> MAIN_I3 EVENT_RETRANSMIT
Aug 26 18:33:59.319033: | crypto helper 3 waiting (nothing to do)
Aug 26 18:33:59.319035: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 18:33:59.319040: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 18:33:59.319042: | MAIN_R2: category: open IKE SA flags: 0:
Aug 26 18:33:59.319057: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 18:33:59.319059: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 18:33:59.319059: | crypto helper 5 waiting (nothing to do)
Aug 26 18:33:59.319060: | -> UNDEFINED EVENT_SA_REPLACE
Aug 26 18:33:59.319082: | MAIN_I3: category: open IKE SA flags: 0:
Aug 26 18:33:59.319084: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 18:33:59.319085: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 18:33:59.319100: | -> UNDEFINED EVENT_SA_REPLACE
Aug 26 18:33:59.319102: | MAIN_R3: category: established IKE SA flags: 200:
Aug 26 18:33:59.319102: | crypto helper 4 waiting (nothing to do)
Aug 26 18:33:59.319103: | -> UNDEFINED EVENT_NULL
Aug 26 18:33:59.319122: | MAIN_I4: category: established IKE SA flags: 0:
Aug 26 18:33:59.319124: | -> UNDEFINED EVENT_NULL
Aug 26 18:33:59.319126: | AGGR_R0: category: half-open IKE SA flags: 0:
Aug 26 18:33:59.319127: | -> AGGR_R1 EVENT_SO_DISCARD
Aug 26 18:33:59.319129: | AGGR_I1: category: half-open IKE SA flags: 0:
Aug 26 18:33:59.319131: | -> AGGR_I2 EVENT_SA_REPLACE
Aug 26 18:33:59.319132: | -> AGGR_I2 EVENT_SA_REPLACE
Aug 26 18:33:59.319134: | AGGR_R1: category: open IKE SA flags: 200:
Aug 26 18:33:59.319135: | -> AGGR_R2 EVENT_SA_REPLACE
Aug 26 18:33:59.319137: | -> AGGR_R2 EVENT_SA_REPLACE
Aug 26 18:33:59.319139: | AGGR_I2: category: established IKE SA flags: 200:
Aug 26 18:33:59.319140: | -> UNDEFINED EVENT_NULL
Aug 26 18:33:59.319142: | AGGR_R2: category: established IKE SA flags: 0:
Aug 26 18:33:59.319144: | -> UNDEFINED EVENT_NULL
Aug 26 18:33:59.319145: | QUICK_R0: category: established CHILD SA flags: 0:
Aug 26 18:33:59.319147: | -> QUICK_R1 EVENT_RETRANSMIT
Aug 26 18:33:59.319151: | QUICK_I1: category: established CHILD SA flags: 0:
Aug 26 18:33:59.319153: | -> QUICK_I2 EVENT_SA_REPLACE
Aug 26 18:33:59.319155: | QUICK_R1: category: established CHILD SA flags: 0:
Aug 26 18:33:59.319156: | -> QUICK_R2 EVENT_SA_REPLACE
Aug 26 18:33:59.319158: | QUICK_I2: category: established CHILD SA flags: 200:
Aug 26 18:33:59.319160: | -> UNDEFINED EVENT_NULL
Aug 26 18:33:59.319161: | QUICK_R2: category: established CHILD SA flags: 0:
Aug 26 18:33:59.319163: | -> UNDEFINED EVENT_NULL
Aug 26 18:33:59.319165: | INFO: category: informational flags: 0:
Aug 26 18:33:59.319166: | -> UNDEFINED EVENT_NULL
Aug 26 18:33:59.319168: | INFO_PROTECTED: category: informational flags: 0:
Aug 26 18:33:59.319169: | -> UNDEFINED EVENT_NULL
Aug 26 18:33:59.319171: | XAUTH_R0: category: established IKE SA flags: 0:
Aug 26 18:33:59.319173: | -> XAUTH_R1 EVENT_NULL
Aug 26 18:33:59.319175: | XAUTH_R1: category: established IKE SA flags: 0:
Aug 26 18:33:59.319176: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 18:33:59.319178: | MODE_CFG_R0: category: informational flags: 0:
Aug 26 18:33:59.319179: | -> MODE_CFG_R1 EVENT_SA_REPLACE
Aug 26 18:33:59.319181: | MODE_CFG_R1: category: established IKE SA flags: 0:
Aug 26 18:33:59.319183: | -> MODE_CFG_R2 EVENT_SA_REPLACE
Aug 26 18:33:59.319185: | MODE_CFG_R2: category: established IKE SA flags: 0:
Aug 26 18:33:59.319186: | -> UNDEFINED EVENT_NULL
Aug 26 18:33:59.319188: | MODE_CFG_I1: category: established IKE SA flags: 0:
Aug 26 18:33:59.319190: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 18:33:59.319191: | XAUTH_I0: category: established IKE SA flags: 0:
Aug 26 18:33:59.319193: | -> XAUTH_I1 EVENT_RETRANSMIT
Aug 26 18:33:59.319195: | XAUTH_I1: category: established IKE SA flags: 0:
Aug 26 18:33:59.319196: | -> MAIN_I4 EVENT_RETRANSMIT
Aug 26 18:33:59.319200: | checking IKEv2 state table
Aug 26 18:33:59.319205: | PARENT_I0: category: ignore flags: 0:
Aug 26 18:33:59.319207: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT)
Aug 26 18:33:59.319209: | PARENT_I1: category: half-open IKE SA flags: 0:
Aug 26 18:33:59.319211: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification)
Aug 26 18:33:59.319213: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH)
Aug 26 18:33:59.319215: | PARENT_I2: category: open IKE SA flags: 0:
Aug 26 18:33:59.319217: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification)
Aug 26 18:33:59.319219: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification)
Aug 26 18:33:59.319220: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification)
Aug 26 18:33:59.319222: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response)
Aug 26 18:33:59.319224: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification)
Aug 26 18:33:59.319226: | PARENT_I3: category: established IKE SA flags: 0:
Aug 26 18:33:59.319228: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request)
Aug 26 18:33:59.319229: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response)
Aug 26 18:33:59.319231: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request)
Aug 26 18:33:59.319233: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response)
Aug 26 18:33:59.319234: | PARENT_R0: category: half-open IKE SA flags: 0:
Aug 26 18:33:59.319236: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT)
Aug 26 18:33:59.319238: | PARENT_R1: category: half-open IKE SA flags: 0:
Aug 26 18:33:59.319240: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED))
Aug 26 18:33:59.319242: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request)
Aug 26 18:33:59.319243: | PARENT_R2: category: established IKE SA flags: 0:
Aug 26 18:33:59.319245: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request)
Aug 26 18:33:59.319248: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response)
Aug 26 18:33:59.319250: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request)
Aug 26 18:33:59.319252: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response)
Aug 26 18:33:59.319253: | V2_CREATE_I0: category: established IKE SA flags: 0:
Aug 26 18:33:59.319255: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA)
Aug 26 18:33:59.319257: | V2_CREATE_I: category: established IKE SA flags: 0:
Aug 26 18:33:59.319259: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response)
Aug 26 18:33:59.319261: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0:
Aug 26 18:33:59.319263: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey)
Aug 26 18:33:59.319264: | V2_REKEY_IKE_I: category: established IKE SA flags: 0:
Aug 26 18:33:59.319266: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response)
Aug 26 18:33:59.319268: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0:
Aug 26 18:33:59.319270: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA)
Aug 26 18:33:59.319272: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0:
Aug 26 18:33:59.319274: | V2_CREATE_R: category: established IKE SA flags: 0:
Aug 26 18:33:59.319276: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request)
Aug 26 18:33:59.319277: | V2_REKEY_IKE_R: category: established IKE SA flags: 0:
Aug 26 18:33:59.319279: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey)
Aug 26 18:33:59.319281: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0:
Aug 26 18:33:59.319283: | V2_IPSEC_I: category: established CHILD SA flags: 0:
Aug 26 18:33:59.319285: | V2_IPSEC_R: category: established CHILD SA flags: 0:
Aug 26 18:33:59.319287: | IKESA_DEL: category: established IKE SA flags: 0:
Aug 26 18:33:59.319309: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
Aug 26 18:33:59.319311: | CHILDSA_DEL: category: informational flags: 0:
Aug 26 18:33:59.319319: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64
Aug 26 18:33:59.319576: | Hard-wiring algorithms
Aug 26 18:33:59.319579: | adding AES_CCM_16 to kernel algorithm db
Aug 26 18:33:59.319582: | adding AES_CCM_12 to kernel algorithm db
Aug 26 18:33:59.319584: | adding AES_CCM_8 to kernel algorithm db
Aug 26 18:33:59.319585: | adding 3DES_CBC to kernel algorithm db
Aug 26 18:33:59.319587: | adding CAMELLIA_CBC to kernel algorithm db
Aug 26 18:33:59.319589: | adding AES_GCM_16 to kernel algorithm db
Aug 26 18:33:59.319590: | adding AES_GCM_12 to kernel algorithm db
Aug 26 18:33:59.319592: | adding AES_GCM_8 to kernel algorithm db
Aug 26 18:33:59.319594: | adding AES_CTR to kernel algorithm db
Aug 26 18:33:59.319595: | adding AES_CBC to kernel algorithm db
Aug 26 18:33:59.319597: | adding SERPENT_CBC to kernel algorithm db
Aug 26 18:33:59.319599: | adding TWOFISH_CBC to kernel algorithm db
Aug 26 18:33:59.319601: | adding NULL_AUTH_AES_GMAC to kernel algorithm db
Aug 26 18:33:59.319602: | adding NULL to kernel algorithm db
Aug 26 18:33:59.319604: | adding CHACHA20_POLY1305 to kernel algorithm db
Aug 26 18:33:59.319606: | adding HMAC_MD5_96 to kernel algorithm db
Aug 26 18:33:59.319607: | adding HMAC_SHA1_96 to kernel algorithm db
Aug 26 18:33:59.319609: | adding HMAC_SHA2_512_256 to kernel algorithm db
Aug 26 18:33:59.319611: | adding HMAC_SHA2_384_192 to kernel algorithm db
Aug 26 18:33:59.319612: | adding HMAC_SHA2_256_128 to kernel algorithm db
Aug 26 18:33:59.319614: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db
Aug 26 18:33:59.319616: | adding AES_XCBC_96 to kernel algorithm db
Aug 26 18:33:59.319617: | adding AES_CMAC_96 to kernel algorithm db
Aug 26 18:33:59.319619: | adding NONE to kernel algorithm db
Aug 26 18:33:59.319636: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes
Aug 26 18:33:59.319639: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds
Aug 26 18:33:59.319641: | setup kernel fd callback
Aug 26 18:33:59.319643: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55e6857543a8
Aug 26 18:33:59.319647: | libevent_malloc: new ptr-libevent@0x55e685738808 size 128
Aug 26 18:33:59.319649: | libevent_malloc: new ptr-libevent@0x55e6857544b8 size 16
Aug 26 18:33:59.319653: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55e685754ee8
Aug 26 18:33:59.319655: | libevent_malloc: new ptr-libevent@0x55e6856f6868 size 128
Aug 26 18:33:59.319656: | libevent_malloc: new ptr-libevent@0x55e685754ea8 size 16
Aug 26 18:33:59.319803: | global one-shot timer EVENT_CHECK_CRLS initialized
Aug 26 18:33:59.319809: selinux support is enabled.
Aug 26 18:33:59.320028: | unbound context created - setting debug level to 5 Aug 26 18:33:59.320047: | /etc/hosts lookups activated Aug 26 18:33:59.320058: | /etc/resolv.conf usage activated Aug 26 18:33:59.320094: | outgoing-port-avoid set 0-65535 Aug 26 18:33:59.320111: | outgoing-port-permit set 32768-60999 Aug 26 18:33:59.320113: | Loading dnssec root key from:/var/lib/unbound/root.key Aug 26 18:33:59.320115: | No additional dnssec trust anchors defined via dnssec-trusted= option Aug 26 18:33:59.320117: | Setting up events, loop start Aug 26 18:33:59.320119: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55e685754f58 Aug 26 18:33:59.320121: | libevent_malloc: new ptr-libevent@0x55e685761168 size 128 Aug 26 18:33:59.320124: | libevent_malloc: new ptr-libevent@0x55e68576c438 size 16 Aug 26 18:33:59.320128: | libevent_realloc: new ptr-libevent@0x55e68576c478 size 256 Aug 26 18:33:59.320130: | libevent_malloc: new ptr-libevent@0x55e68576c5a8 size 8 Aug 26 18:33:59.320132: | libevent_realloc: new ptr-libevent@0x55e6856c6918 size 144 Aug 26 18:33:59.320134: | libevent_malloc: new ptr-libevent@0x55e6856f7e98 size 152 Aug 26 18:33:59.320136: | libevent_malloc: new ptr-libevent@0x55e68576c5e8 size 16 Aug 26 18:33:59.320139: | signal event handler PLUTO_SIGCHLD installed Aug 26 18:33:59.320141: | libevent_malloc: new ptr-libevent@0x55e68576c628 size 8 Aug 26 18:33:59.320143: | libevent_malloc: new ptr-libevent@0x55e68576c668 size 152 Aug 26 18:33:59.320145: | signal event handler PLUTO_SIGTERM installed Aug 26 18:33:59.320147: | libevent_malloc: new ptr-libevent@0x55e68576c738 size 8 Aug 26 18:33:59.320148: | libevent_malloc: new ptr-libevent@0x55e68576c778 size 152 Aug 26 18:33:59.320150: | signal event handler PLUTO_SIGHUP installed Aug 26 18:33:59.320152: | libevent_malloc: new ptr-libevent@0x55e68576c848 size 8 Aug 26 18:33:59.320154: | libevent_realloc: release ptr-libevent@0x55e6856c6918 Aug 26 18:33:59.320156: | libevent_realloc: new 
ptr-libevent@0x55e68576c888 size 256 Aug 26 18:33:59.320158: | libevent_malloc: new ptr-libevent@0x55e68576c9b8 size 152 Aug 26 18:33:59.320160: | signal event handler PLUTO_SIGSYS installed Aug 26 18:33:59.320449: | created addconn helper (pid:644) using fork+execve Aug 26 18:33:59.320467: | forked child 644 Aug 26 18:33:59.320695: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:33:59.320706: listening for IKE messages Aug 26 18:33:59.320769: | Inspecting interface lo Aug 26 18:33:59.320775: | found lo with address 127.0.0.1 Aug 26 18:33:59.320778: | Inspecting interface eth0 Aug 26 18:33:59.320781: | found eth0 with address 192.0.2.254 Aug 26 18:33:59.320783: | Inspecting interface eth1 Aug 26 18:33:59.320786: | found eth1 with address 192.1.2.23 Aug 26 18:33:59.320846: Kernel supports NIC esp-hw-offload Aug 26 18:33:59.320855: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Aug 26 18:33:59.320888: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 18:33:59.320892: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 18:33:59.320894: adding interface eth1/eth1 192.1.2.23:4500 Aug 26 18:33:59.320916: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Aug 26 18:33:59.320930: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 18:33:59.320933: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 18:33:59.320935: adding interface eth0/eth0 192.0.2.254:4500 Aug 26 18:33:59.320951: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Aug 26 18:33:59.320967: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 18:33:59.320970: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 18:33:59.320972: adding interface lo/lo 127.0.0.1:4500 Aug 26 18:33:59.321028: | no interfaces to sort Aug 26 18:33:59.321032: 
| FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations Aug 26 18:33:59.321037: | add_fd_read_event_handler: new ethX-pe@0x55e68576cf08 Aug 26 18:33:59.321039: | libevent_malloc: new ptr-libevent@0x55e6857610b8 size 128 Aug 26 18:33:59.321041: | libevent_malloc: new ptr-libevent@0x55e68576cf78 size 16 Aug 26 18:33:59.321045: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 18:33:59.321047: | add_fd_read_event_handler: new ethX-pe@0x55e68576cfb8 Aug 26 18:33:59.321049: | libevent_malloc: new ptr-libevent@0x55e6856f3aa8 size 128 Aug 26 18:33:59.321051: | libevent_malloc: new ptr-libevent@0x55e68576d028 size 16 Aug 26 18:33:59.321054: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 18:33:59.321056: | add_fd_read_event_handler: new ethX-pe@0x55e68576d068 Aug 26 18:33:59.321058: | libevent_malloc: new ptr-libevent@0x55e6856f6f38 size 128 Aug 26 18:33:59.321060: | libevent_malloc: new ptr-libevent@0x55e68576d0d8 size 16 Aug 26 18:33:59.321063: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Aug 26 18:33:59.321065: | add_fd_read_event_handler: new ethX-pe@0x55e68576d118 Aug 26 18:33:59.321067: | libevent_malloc: new ptr-libevent@0x55e6856f7a08 size 128 Aug 26 18:33:59.321069: | libevent_malloc: new ptr-libevent@0x55e68576d188 size 16 Aug 26 18:33:59.321072: | setup callback for interface eth0 192.0.2.254:500 fd 19 Aug 26 18:33:59.321074: | add_fd_read_event_handler: new ethX-pe@0x55e68576d1c8 Aug 26 18:33:59.321077: | libevent_malloc: new ptr-libevent@0x55e6856cb4e8 size 128 Aug 26 18:33:59.321079: | libevent_malloc: new ptr-libevent@0x55e68576d238 size 16 Aug 26 18:33:59.321082: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 18:33:59.321084: | add_fd_read_event_handler: new ethX-pe@0x55e68576d278 Aug 26 18:33:59.321085: | libevent_malloc: new ptr-libevent@0x55e6856cb1d8 size 128 Aug 26 18:33:59.321087: | libevent_malloc: new ptr-libevent@0x55e68576d2e8 size 16 Aug 26 18:33:59.321090: | setup callback for interface 
eth1 192.1.2.23:500 fd 17 Aug 26 18:33:59.321093: | certs and keys locked by 'free_preshared_secrets' Aug 26 18:33:59.321095: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 18:33:59.321109: loading secrets from "/etc/ipsec.secrets" Aug 26 18:33:59.321116: | id type added to secret(0x55e6856c6b58) PKK_PSK: @west Aug 26 18:33:59.321119: | id type added to secret(0x55e6856c6b58) PKK_PSK: @east Aug 26 18:33:59.321122: | Processing PSK at line 1: passed Aug 26 18:33:59.321124: | certs and keys locked by 'process_secret' Aug 26 18:33:59.321126: | certs and keys unlocked by 'process_secret' Aug 26 18:33:59.321132: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:33:59.321137: | spent 0.633 milliseconds in whack Aug 26 18:33:59.349414: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:33:59.349437: listening for IKE messages Aug 26 18:33:59.349465: | Inspecting interface lo Aug 26 18:33:59.349470: | found lo with address 127.0.0.1 Aug 26 18:33:59.349472: | Inspecting interface eth0 Aug 26 18:33:59.349475: | found eth0 with address 192.0.2.254 Aug 26 18:33:59.349477: | Inspecting interface eth1 Aug 26 18:33:59.349479: | found eth1 with address 192.1.2.23 Aug 26 18:33:59.349531: | no interfaces to sort Aug 26 18:33:59.349543: | libevent_free: release ptr-libevent@0x55e6857610b8 Aug 26 18:33:59.349546: | free_event_entry: release EVENT_NULL-pe@0x55e68576cf08 Aug 26 18:33:59.349548: | add_fd_read_event_handler: new ethX-pe@0x55e68576cf08 Aug 26 18:33:59.349550: | libevent_malloc: new ptr-libevent@0x55e6857610b8 size 128 Aug 26 18:33:59.349556: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 18:33:59.349559: | libevent_free: release ptr-libevent@0x55e6856f3aa8 Aug 26 18:33:59.349561: | free_event_entry: release EVENT_NULL-pe@0x55e68576cfb8 Aug 26 18:33:59.349562: | add_fd_read_event_handler: new ethX-pe@0x55e68576cfb8 Aug 26 18:33:59.349564: | 
libevent_malloc: new ptr-libevent@0x55e6856f3aa8 size 128 Aug 26 18:33:59.349567: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 18:33:59.349569: | libevent_free: release ptr-libevent@0x55e6856f6f38 Aug 26 18:33:59.349571: | free_event_entry: release EVENT_NULL-pe@0x55e68576d068 Aug 26 18:33:59.349573: | add_fd_read_event_handler: new ethX-pe@0x55e68576d068 Aug 26 18:33:59.349575: | libevent_malloc: new ptr-libevent@0x55e6856f6f38 size 128 Aug 26 18:33:59.349578: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Aug 26 18:33:59.349580: | libevent_free: release ptr-libevent@0x55e6856f7a08 Aug 26 18:33:59.349582: | free_event_entry: release EVENT_NULL-pe@0x55e68576d118 Aug 26 18:33:59.349584: | add_fd_read_event_handler: new ethX-pe@0x55e68576d118 Aug 26 18:33:59.349586: | libevent_malloc: new ptr-libevent@0x55e6856f7a08 size 128 Aug 26 18:33:59.349589: | setup callback for interface eth0 192.0.2.254:500 fd 19 Aug 26 18:33:59.349591: | libevent_free: release ptr-libevent@0x55e6856cb4e8 Aug 26 18:33:59.349593: | free_event_entry: release EVENT_NULL-pe@0x55e68576d1c8 Aug 26 18:33:59.349595: | add_fd_read_event_handler: new ethX-pe@0x55e68576d1c8 Aug 26 18:33:59.349596: | libevent_malloc: new ptr-libevent@0x55e6856cb4e8 size 128 Aug 26 18:33:59.349600: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 18:33:59.349602: | libevent_free: release ptr-libevent@0x55e6856cb1d8 Aug 26 18:33:59.349604: | free_event_entry: release EVENT_NULL-pe@0x55e68576d278 Aug 26 18:33:59.349606: | add_fd_read_event_handler: new ethX-pe@0x55e68576d278 Aug 26 18:33:59.349607: | libevent_malloc: new ptr-libevent@0x55e6856cb1d8 size 128 Aug 26 18:33:59.349610: | setup callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 18:33:59.349612: | certs and keys locked by 'free_preshared_secrets' Aug 26 18:33:59.349614: forgetting secrets Aug 26 18:33:59.349619: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 18:33:59.349629: loading secrets from 
"/etc/ipsec.secrets" Aug 26 18:33:59.349635: | id type added to secret(0x55e6856c6b58) PKK_PSK: @west Aug 26 18:33:59.349637: | id type added to secret(0x55e6856c6b58) PKK_PSK: @east Aug 26 18:33:59.349640: | Processing PSK at line 1: passed Aug 26 18:33:59.349642: | certs and keys locked by 'process_secret' Aug 26 18:33:59.349643: | certs and keys unlocked by 'process_secret' Aug 26 18:33:59.349649: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:33:59.349654: | spent 0.248 milliseconds in whack Aug 26 18:33:59.350051: | processing signal PLUTO_SIGCHLD Aug 26 18:33:59.350064: | waitpid returned pid 644 (exited with status 0) Aug 26 18:33:59.350067: | reaped addconn helper child (status 0) Aug 26 18:33:59.350071: | waitpid returned ECHILD (no child processes left) Aug 26 18:33:59.350074: | spent 0.0147 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:33:59.406809: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:33:59.406828: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 18:33:59.406831: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 18:33:59.406832: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 18:33:59.406834: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 18:33:59.406837: | FOR_EACH_CONNECTION_... 
in conn_by_name Aug 26 18:33:59.406843: | Added new connection east with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 18:33:59.406884: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Aug 26 18:33:59.406887: | from whack: got --esp= Aug 26 18:33:59.406912: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 Aug 26 18:33:59.406916: | counting wild cards for @west is 0 Aug 26 18:33:59.406918: | counting wild cards for @east is 0 Aug 26 18:33:59.406924: | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none Aug 26 18:33:59.406926: | new hp@0x55e68576f5c8 Aug 26 18:33:59.406929: added connection description "east" Aug 26 18:33:59.406936: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 5s; rekey_fuzz: 0%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 18:33:59.406943: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.2.45<192.1.2.45>[@west]===192.0.1.0/24 Aug 26 18:33:59.406949: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:33:59.406954: | spent 0.153 milliseconds in whack Aug 26 18:33:59.407028: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:33:59.407036: add keyid @west Aug 26 18:33:59.407123: | computed rsa CKAID b4 9f 1a ac 9e 45 6e 79 29 c8 81 97 3a 0c 6a d3 Aug 26 18:33:59.407125: | computed rsa CKAID 7f 0f 03 50 Aug 26 18:33:59.407134: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:33:59.407137: | spent 0.113 milliseconds in whack Aug 26 18:33:59.407168: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:33:59.407174: add keyid @east Aug 26 
18:33:59.407213: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Aug 26 18:33:59.407215: | computed rsa CKAID 8a 82 25 f1 Aug 26 18:33:59.407221: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:33:59.407224: | spent 0.0583 milliseconds in whack Aug 26 18:34:00.632352: | spent 0.0028 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 18:34:00.632379: | *received 828 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) Aug 26 
18:34:00.632479: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 18:34:00.632483: | **parse ISAKMP Message: Aug 26 18:34:00.632485: | initiator cookie: Aug 26 18:34:00.632486: | d3 c7 17 ff 29 c7 6c 97 Aug 26 18:34:00.632488: | responder cookie: Aug 26 18:34:00.632490: | 00 00 00 00 00 00 00 00 Aug 26 18:34:00.632492: | next payload type: 
ISAKMP_NEXT_v2SA (0x21) Aug 26 18:34:00.632494: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:34:00.632495: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 18:34:00.632497: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 18:34:00.632499: | Message ID: 0 (0x0) Aug 26 18:34:00.632501: | length: 828 (0x33c) Aug 26 18:34:00.632503: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Aug 26 18:34:00.632506: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Aug 26 18:34:00.632508: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Aug 26 18:34:00.632510: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 18:34:00.632513: | ***parse IKEv2 Security Association Payload: Aug 26 18:34:00.632515: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 18:34:00.632516: | flags: none (0x0) Aug 26 18:34:00.632518: | length: 436 (0x1b4) Aug 26 18:34:00.632520: | processing payload: ISAKMP_NEXT_v2SA (len=432) Aug 26 18:34:00.632522: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 18:34:00.632524: | ***parse IKEv2 Key Exchange Payload: Aug 26 18:34:00.632526: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 18:34:00.632527: | flags: none (0x0) Aug 26 18:34:00.632529: | length: 264 (0x108) Aug 26 18:34:00.632531: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:34:00.632532: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 18:34:00.632534: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 18:34:00.632536: | ***parse IKEv2 Nonce Payload: Aug 26 18:34:00.632538: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:34:00.632539: | flags: none (0x0) Aug 26 18:34:00.632541: | length: 36 (0x24) Aug 26 18:34:00.632543: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 18:34:00.632544: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:34:00.632546: | ***parse IKEv2 Notify Payload: Aug 26 18:34:00.632555: | next payload type: ISAKMP_NEXT_v2N 
(0x29) Aug 26 18:34:00.632556: | flags: none (0x0) Aug 26 18:34:00.632558: | length: 8 (0x8) Aug 26 18:34:00.632560: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:34:00.632562: | SPI size: 0 (0x0) Aug 26 18:34:00.632564: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 18:34:00.632565: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 18:34:00.632567: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:34:00.632569: | ***parse IKEv2 Notify Payload: Aug 26 18:34:00.632570: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:34:00.632572: | flags: none (0x0) Aug 26 18:34:00.632574: | length: 28 (0x1c) Aug 26 18:34:00.632575: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:34:00.632577: | SPI size: 0 (0x0) Aug 26 18:34:00.632579: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 18:34:00.632580: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 18:34:00.632582: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:34:00.632584: | ***parse IKEv2 Notify Payload: Aug 26 18:34:00.632585: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:34:00.632587: | flags: none (0x0) Aug 26 18:34:00.632589: | length: 28 (0x1c) Aug 26 18:34:00.632590: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:34:00.632592: | SPI size: 0 (0x0) Aug 26 18:34:00.632594: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 18:34:00.632595: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 18:34:00.632598: | DDOS disabled and no cookie sent, continuing Aug 26 18:34:00.632601: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 18:34:00.632605: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Aug 26 18:34:00.632607: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 18:34:00.632610: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (east) Aug 26 18:34:00.632612: | 
find_next_host_connection returns empty Aug 26 18:34:00.632614: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 18:34:00.632617: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 18:34:00.632618: | find_next_host_connection returns empty Aug 26 18:34:00.632621: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Aug 26 18:34:00.632624: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 18:34:00.632627: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Aug 26 18:34:00.632628: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 18:34:00.632630: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (east) Aug 26 18:34:00.632632: | find_next_host_connection returns empty Aug 26 18:34:00.632635: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 18:34:00.632636: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 18:34:00.632638: | find_next_host_connection returns empty Aug 26 18:34:00.632640: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Aug 26 18:34:00.632643: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 18:34:00.632646: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Aug 26 18:34:00.632648: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 18:34:00.632650: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (east) Aug 26 18:34:00.632652: | find_next_host_connection returns east Aug 26 18:34:00.632654: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 18:34:00.632655: | find_next_host_connection returns empty 
Aug 26 18:34:00.632658: | found connection: east with policy PSK+IKEV2_ALLOW Aug 26 18:34:00.632675: | creating state object #1 at 0x55e685771828 Aug 26 18:34:00.632678: | State DB: adding IKEv2 state #1 in UNDEFINED Aug 26 18:34:00.632684: | pstats #1 ikev2.ike started Aug 26 18:34:00.632686: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Aug 26 18:34:00.632689: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Aug 26 18:34:00.632692: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Aug 26 18:34:00.632698: | start processing: state #1 connection "east" from 192.1.2.45 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 18:34:00.632700: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 18:34:00.632703: | [RE]START processing: state #1 connection "east" from 192.1.2.45 (in ike_process_packet() at ikev2.c:2064) Aug 26 18:34:00.632705: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Aug 26 18:34:00.632708: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Aug 26 18:34:00.632711: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Aug 26 18:34:00.632713: | #1 in state PARENT_R0: processing SA_INIT request Aug 26 18:34:00.632715: | selected state microcode Respond to IKE_SA_INIT Aug 26 18:34:00.632717: | Now let's proceed with state specific processing Aug 26 18:34:00.632719: | calling processor Respond to IKE_SA_INIT Aug 26 18:34:00.632726: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 18:34:00.632729: | constructing local IKE proposals for east (IKE SA responder matching remote proposals) Aug 26 
18:34:00.632734: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:34:00.632740: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:34:00.632743: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:34:00.632747: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:34:00.632749: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:34:00.632753: | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:34:00.632755: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:34:00.632759: | ... 
ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:34:00.632765: "east": constructed local IKE proposals for east (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:34:00.632769: | Comparing remote proposals against IKE responder 4 local proposals Aug 26 18:34:00.632772: | local proposal 1 type ENCR has 1 transforms Aug 26 18:34:00.632774: | local proposal 1 type PRF has 2 transforms Aug 26 18:34:00.632775: | local proposal 1 type INTEG has 1 transforms Aug 26 18:34:00.632777: | local proposal 1 type DH has 8 transforms Aug 26 18:34:00.632779: | local proposal 1 type ESN has 0 transforms Aug 26 18:34:00.632781: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 18:34:00.632783: | local proposal 2 type ENCR has 1 transforms Aug 26 18:34:00.632785: | local proposal 2 type PRF has 2 transforms Aug 26 18:34:00.632786: | local proposal 2 type INTEG has 1 transforms Aug 26 18:34:00.632788: | local proposal 2 type DH has 8 transforms Aug 26 18:34:00.632790: | local proposal 2 type ESN has 0 transforms Aug 26 18:34:00.632792: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 18:34:00.632794: | local proposal 3 type ENCR has 1 transforms Aug 26 
18:34:00.632795: | local proposal 3 type PRF has 2 transforms Aug 26 18:34:00.632797: | local proposal 3 type INTEG has 2 transforms Aug 26 18:34:00.632799: | local proposal 3 type DH has 8 transforms Aug 26 18:34:00.632800: | local proposal 3 type ESN has 0 transforms Aug 26 18:34:00.632802: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 18:34:00.632804: | local proposal 4 type ENCR has 1 transforms Aug 26 18:34:00.632806: | local proposal 4 type PRF has 2 transforms Aug 26 18:34:00.632808: | local proposal 4 type INTEG has 2 transforms Aug 26 18:34:00.632809: | local proposal 4 type DH has 8 transforms Aug 26 18:34:00.632811: | local proposal 4 type ESN has 0 transforms Aug 26 18:34:00.632813: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 18:34:00.632815: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:34:00.632817: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:34:00.632819: | length: 100 (0x64) Aug 26 18:34:00.632820: | prop #: 1 (0x1) Aug 26 18:34:00.632822: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:34:00.632824: | spi size: 0 (0x0) Aug 26 18:34:00.632826: | # transforms: 11 (0xb) Aug 26 18:34:00.632828: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Aug 26 18:34:00.632830: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.632832: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.632834: | length: 12 (0xc) Aug 26 18:34:00.632835: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:34:00.632837: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:34:00.632839: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:34:00.632841: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:34:00.632843: | length/value: 256 (0x100) Aug 26 18:34:00.632846: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 18:34:00.632848: | 
*****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.632850: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.632851: | length: 8 (0x8) Aug 26 18:34:00.632853: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:34:00.632855: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:34:00.632857: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Aug 26 18:34:00.632859: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Aug 26 18:34:00.632861: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Aug 26 18:34:00.632863: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Aug 26 18:34:00.632865: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.632868: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.632870: | length: 8 (0x8) Aug 26 18:34:00.632871: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:34:00.632873: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:34:00.632875: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.632877: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.632878: | length: 8 (0x8) Aug 26 18:34:00.632880: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.632882: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:34:00.632884: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 18:34:00.632886: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Aug 26 18:34:00.632888: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Aug 26 18:34:00.632890: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Aug 26 18:34:00.632892: | *****parse IKEv2 Transform 
Substructure Payload: Aug 26 18:34:00.632894: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.632896: | length: 8 (0x8) Aug 26 18:34:00.632897: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.632899: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:34:00.632901: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.632902: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.632904: | length: 8 (0x8) Aug 26 18:34:00.632906: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.632907: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:34:00.632909: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.632911: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.632913: | length: 8 (0x8) Aug 26 18:34:00.632914: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.632916: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:34:00.632918: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.632919: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.632921: | length: 8 (0x8) Aug 26 18:34:00.632923: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.632924: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:34:00.632926: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.632928: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.632930: | length: 8 (0x8) Aug 26 18:34:00.632931: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.632933: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 18:34:00.632935: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.632937: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.632938: | length: 8 (0x8) Aug 26 18:34:00.632940: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.632942: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:34:00.632943: | *****parse IKEv2 Transform Substructure Payload: 
Aug 26 18:34:00.632945: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:34:00.632947: | length: 8 (0x8) Aug 26 18:34:00.632948: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.632950: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:34:00.632953: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Aug 26 18:34:00.632956: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Aug 26 18:34:00.632957: | remote proposal 1 matches local proposal 1 Aug 26 18:34:00.632959: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:34:00.632961: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:34:00.632963: | length: 100 (0x64) Aug 26 18:34:00.632965: | prop #: 2 (0x2) Aug 26 18:34:00.632966: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:34:00.632971: | spi size: 0 (0x0) Aug 26 18:34:00.632973: | # transforms: 11 (0xb) Aug 26 18:34:00.632976: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:34:00.632977: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.632979: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.632981: | length: 12 (0xc) Aug 26 18:34:00.632982: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:34:00.632984: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:34:00.632986: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:34:00.632988: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:34:00.632989: | length/value: 128 (0x80) Aug 26 18:34:00.632991: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.632993: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.632995: | length: 8 (0x8) Aug 26 18:34:00.632996: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:34:00.632998: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:34:00.633000: | *****parse 
IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633001: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633003: | length: 8 (0x8) Aug 26 18:34:00.633005: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:34:00.633006: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:34:00.633008: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633010: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633012: | length: 8 (0x8) Aug 26 18:34:00.633013: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633015: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:34:00.633017: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633018: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633020: | length: 8 (0x8) Aug 26 18:34:00.633022: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633023: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:34:00.633025: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633027: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633029: | length: 8 (0x8) Aug 26 18:34:00.633030: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633032: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:34:00.633034: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633035: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633037: | length: 8 (0x8) Aug 26 18:34:00.633039: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633040: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:34:00.633042: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633044: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633046: | length: 8 (0x8) Aug 26 18:34:00.633047: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633049: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:34:00.633051: | *****parse IKEv2 Transform 
Substructure Payload: Aug 26 18:34:00.633052: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633054: | length: 8 (0x8) Aug 26 18:34:00.633056: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633057: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 18:34:00.633059: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633061: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633062: | length: 8 (0x8) Aug 26 18:34:00.633064: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633066: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:34:00.633068: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633069: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:34:00.633071: | length: 8 (0x8) Aug 26 18:34:00.633073: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633075: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:34:00.633078: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Aug 26 18:34:00.633080: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Aug 26 18:34:00.633082: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:34:00.633083: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:34:00.633085: | length: 116 (0x74) Aug 26 18:34:00.633087: | prop #: 3 (0x3) Aug 26 18:34:00.633088: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:34:00.633090: | spi size: 0 (0x0) Aug 26 18:34:00.633091: | # transforms: 13 (0xd) Aug 26 18:34:00.633094: | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:34:00.633095: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633097: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633099: | length: 12 (0xc) Aug 26 18:34:00.633100: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:34:00.633102: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 
18:34:00.633104: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:34:00.633105: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:34:00.633107: | length/value: 256 (0x100) Aug 26 18:34:00.633109: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633111: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633112: | length: 8 (0x8) Aug 26 18:34:00.633114: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:34:00.633116: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:34:00.633118: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633119: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633121: | length: 8 (0x8) Aug 26 18:34:00.633123: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:34:00.633124: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:34:00.633126: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633128: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633129: | length: 8 (0x8) Aug 26 18:34:00.633131: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:34:00.633133: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 18:34:00.633135: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633136: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633138: | length: 8 (0x8) Aug 26 18:34:00.633140: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:34:00.633141: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:34:00.633143: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633145: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633146: | length: 8 (0x8) Aug 26 18:34:00.633148: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633150: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:34:00.633152: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633153: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 
18:34:00.633155: | length: 8 (0x8) Aug 26 18:34:00.633157: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633158: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:34:00.633160: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633162: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633163: | length: 8 (0x8) Aug 26 18:34:00.633165: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633167: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:34:00.633169: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633170: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633172: | length: 8 (0x8) Aug 26 18:34:00.633174: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633175: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:34:00.633178: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633180: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633181: | length: 8 (0x8) Aug 26 18:34:00.633183: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633185: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:34:00.633186: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633188: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633190: | length: 8 (0x8) Aug 26 18:34:00.633191: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633193: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 18:34:00.633195: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633197: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633198: | length: 8 (0x8) Aug 26 18:34:00.633200: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633202: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:34:00.633203: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633205: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:34:00.633207: | length: 
8 (0x8) Aug 26 18:34:00.633208: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633210: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:34:00.633213: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 18:34:00.633215: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 18:34:00.633216: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:34:00.633218: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:34:00.633220: | length: 116 (0x74) Aug 26 18:34:00.633221: | prop #: 4 (0x4) Aug 26 18:34:00.633223: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:34:00.633225: | spi size: 0 (0x0) Aug 26 18:34:00.633226: | # transforms: 13 (0xd) Aug 26 18:34:00.633228: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:34:00.633230: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633232: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633233: | length: 12 (0xc) Aug 26 18:34:00.633235: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:34:00.633237: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:34:00.633238: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:34:00.633240: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:34:00.633242: | length/value: 128 (0x80) Aug 26 18:34:00.633244: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633245: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633247: | length: 8 (0x8) Aug 26 18:34:00.633249: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:34:00.633250: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:34:00.633252: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633254: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633255: | length: 8 (0x8) Aug 26 18:34:00.633257: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 
18:34:00.633259: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:34:00.633261: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633262: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633264: | length: 8 (0x8) Aug 26 18:34:00.633266: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:34:00.633267: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 18:34:00.633269: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633271: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633272: | length: 8 (0x8) Aug 26 18:34:00.633274: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:34:00.633276: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:34:00.633278: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633280: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633282: | length: 8 (0x8) Aug 26 18:34:00.633284: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633285: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:34:00.633287: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633296: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633299: | length: 8 (0x8) Aug 26 18:34:00.633301: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633304: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:34:00.633307: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633309: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633311: | length: 8 (0x8) Aug 26 18:34:00.633314: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633316: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:34:00.633319: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633322: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633324: | length: 8 (0x8) Aug 26 18:34:00.633326: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633329: | 
IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:34:00.633332: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633335: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633337: | length: 8 (0x8) Aug 26 18:34:00.633339: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633342: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:34:00.633344: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633347: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633349: | length: 8 (0x8) Aug 26 18:34:00.633351: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633354: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 18:34:00.633356: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633359: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.633360: | length: 8 (0x8) Aug 26 18:34:00.633362: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633364: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:34:00.633365: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.633367: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:34:00.633369: | length: 8 (0x8) Aug 26 18:34:00.633370: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.633372: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:34:00.633375: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 18:34:00.633377: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 18:34:00.633380: "east" #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Aug 26 18:34:00.633383: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Aug 26 18:34:00.633385: | converting proposal to internal trans attrs Aug 26 18:34:00.633388: | natd_hash: rcookie is zero Aug 26 18:34:00.633395: | natd_hash: hasher=0x55e684488800(20) Aug 26 18:34:00.633397: | natd_hash: icookie= d3 c7 17 ff 29 c7 6c 97 Aug 26 18:34:00.633400: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 18:34:00.633402: | natd_hash: ip= c0 01 02 17 Aug 26 18:34:00.633404: | natd_hash: port=500 Aug 26 18:34:00.633406: | natd_hash: hash= ca aa e8 cd 5f 10 99 5e ca f7 e7 18 70 c7 0b b3 Aug 26 18:34:00.633407: | natd_hash: hash= b4 b3 42 18 Aug 26 18:34:00.633409: | natd_hash: rcookie is zero Aug 26 18:34:00.633413: | natd_hash: hasher=0x55e684488800(20) Aug 26 18:34:00.633414: | natd_hash: icookie= d3 c7 17 ff 29 c7 6c 97 Aug 26 18:34:00.633416: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 18:34:00.633418: | natd_hash: ip= c0 01 02 2d Aug 26 18:34:00.633419: | natd_hash: port=500 Aug 26 18:34:00.633421: | natd_hash: hash= 7a c3 9a bb 00 05 5d 9a 25 96 c4 4f 47 c5 95 0e Aug 26 18:34:00.633423: | natd_hash: hash= c7 54 0e 30 Aug 26 18:34:00.633424: | NAT_TRAVERSAL encaps using auto-detect Aug 26 18:34:00.633426: | NAT_TRAVERSAL this end is NOT behind NAT Aug 26 18:34:00.633428: | NAT_TRAVERSAL that end is NOT behind NAT Aug 26 18:34:00.633430: | NAT_TRAVERSAL 
nat-keepalive enabled 192.1.2.45 Aug 26 18:34:00.633434: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Aug 26 18:34:00.633437: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55e68576f6a8 Aug 26 18:34:00.633440: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 18:34:00.633442: | libevent_malloc: new ptr-libevent@0x55e685773928 size 128 Aug 26 18:34:00.633451: | #1 spent 0.725 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Aug 26 18:34:00.633455: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:34:00.633457: | crypto helper 1 resuming Aug 26 18:34:00.633458: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Aug 26 18:34:00.633474: | crypto helper 1 starting work-order 1 for state #1 Aug 26 18:34:00.633474: | suspending state #1 and saving MD Aug 26 18:34:00.633483: | crypto helper 1 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Aug 26 18:34:00.633483: | #1 is busy; has a suspended MD Aug 26 18:34:00.633491: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 18:34:00.633493: | "east" #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 18:34:00.633496: | stop processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 18:34:00.633500: | #1 spent 1.12 milliseconds in ikev2_process_packet() Aug 26 18:34:00.633502: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 18:34:00.633504: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 18:34:00.633506: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 18:34:00.633509: | spent 1.13 milliseconds in comm_handle_cb() reading and processing packet Aug 26 18:34:00.634529: | crypto 
helper 1 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.001047 seconds Aug 26 18:34:00.634541: | (#1) spent 1.04 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Aug 26 18:34:00.634545: | crypto helper 1 sending results from work-order 1 for state #1 to event queue Aug 26 18:34:00.634548: | scheduling resume sending helper answer for #1 Aug 26 18:34:00.634552: | libevent_malloc: new ptr-libevent@0x7f825c002888 size 128 Aug 26 18:34:00.634559: | crypto helper 1 waiting (nothing to do) Aug 26 18:34:00.634564: | processing resume sending helper answer for #1 Aug 26 18:34:00.634569: | start processing: state #1 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 18:34:00.634572: | crypto helper 1 replies to request ID 1 Aug 26 18:34:00.634574: | calling continuation function 0x55e6843b3b50 Aug 26 18:34:00.634576: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Aug 26 18:34:00.634601: | **emit ISAKMP Message: Aug 26 18:34:00.634604: | initiator cookie: Aug 26 18:34:00.634605: | d3 c7 17 ff 29 c7 6c 97 Aug 26 18:34:00.634607: | responder cookie: Aug 26 18:34:00.634609: | d6 87 4f e0 26 26 18 04 Aug 26 18:34:00.634610: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:34:00.634612: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:34:00.634614: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 18:34:00.634616: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 18:34:00.634618: | Message ID: 0 (0x0) Aug 26 18:34:00.634620: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:34:00.634622: | Emitting ikev2_proposal ... 
Aug 26 18:34:00.634624: | ***emit IKEv2 Security Association Payload: Aug 26 18:34:00.634625: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:34:00.634627: | flags: none (0x0) Aug 26 18:34:00.634629: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 18:34:00.634631: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 18:34:00.634634: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 18:34:00.634635: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:34:00.634637: | prop #: 1 (0x1) Aug 26 18:34:00.634639: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:34:00.634641: | spi size: 0 (0x0) Aug 26 18:34:00.634642: | # transforms: 3 (0x3) Aug 26 18:34:00.634644: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 18:34:00.634646: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:34:00.634648: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.634650: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:34:00.634652: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:34:00.634654: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:34:00.634656: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 18:34:00.634658: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:34:00.634659: | length/value: 256 (0x100) Aug 26 18:34:00.634661: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 18:34:00.634663: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:34:00.634665: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.634667: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:34:00.634669: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:34:00.634671: | last 
substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.634673: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:34:00.634675: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:34:00.634676: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:34:00.634678: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:34:00.634680: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:34:00.634682: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:34:00.634684: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.634686: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:34:00.634688: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:34:00.634689: | emitting length of IKEv2 Proposal Substructure Payload: 36 Aug 26 18:34:00.634691: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 18:34:00.634694: | emitting length of IKEv2 Security Association Payload: 40 Aug 26 18:34:00.634696: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 18:34:00.634698: | ***emit IKEv2 Key Exchange Payload: Aug 26 18:34:00.634700: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:34:00.634702: | flags: none (0x0) Aug 26 18:34:00.634704: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:34:00.634706: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 
18:34:00.634708: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 18:34:00.634710: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Aug 26 18:34:00.634739: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 18:34:00.634741: | ***emit IKEv2 Nonce Payload: Aug 26 18:34:00.634742: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:34:00.634744: | flags: none (0x0) Aug 26 18:34:00.634746: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Aug 26 18:34:00.634748: | next payload chain: setting previous 
'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 18:34:00.634750: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 18:34:00.634752: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 18:34:00.634754: | IKEv2 nonce 19 6b 8c cf 40 45 a4 00 89 e9 55 f6 e9 b0 2f e4 Aug 26 18:34:00.634756: | IKEv2 nonce f5 db dd ee 25 5b 8a 0c d4 3f 01 7a 37 2f 48 cf Aug 26 18:34:00.634758: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 18:34:00.634759: | Adding a v2N Payload Aug 26 18:34:00.634761: | ***emit IKEv2 Notify Payload: Aug 26 18:34:00.634763: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:34:00.634765: | flags: none (0x0) Aug 26 18:34:00.634766: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:34:00.634768: | SPI size: 0 (0x0) Aug 26 18:34:00.634770: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 18:34:00.634772: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:34:00.634774: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:34:00.634776: | emitting length of IKEv2 Notify Payload: 8 Aug 26 18:34:00.634779: | NAT-Traversal support [enabled] add v2N payloads. 
Aug 26 18:34:00.634785: | natd_hash: hasher=0x55e684488800(20) Aug 26 18:34:00.634787: | natd_hash: icookie= d3 c7 17 ff 29 c7 6c 97 Aug 26 18:34:00.634788: | natd_hash: rcookie= d6 87 4f e0 26 26 18 04 Aug 26 18:34:00.634790: | natd_hash: ip= c0 01 02 17 Aug 26 18:34:00.634792: | natd_hash: port=500 Aug 26 18:34:00.634794: | natd_hash: hash= 34 91 8e 50 7f e1 7a ec ea ef fa a0 ef 57 ce b2 Aug 26 18:34:00.634795: | natd_hash: hash= fa 4a dc 52 Aug 26 18:34:00.634797: | Adding a v2N Payload Aug 26 18:34:00.634798: | ***emit IKEv2 Notify Payload: Aug 26 18:34:00.634800: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:34:00.634802: | flags: none (0x0) Aug 26 18:34:00.634804: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:34:00.634805: | SPI size: 0 (0x0) Aug 26 18:34:00.634807: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 18:34:00.634809: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:34:00.634811: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:34:00.634813: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 18:34:00.634815: | Notify data 34 91 8e 50 7f e1 7a ec ea ef fa a0 ef 57 ce b2 Aug 26 18:34:00.634816: | Notify data fa 4a dc 52 Aug 26 18:34:00.634818: | emitting length of IKEv2 Notify Payload: 28 Aug 26 18:34:00.634822: | natd_hash: hasher=0x55e684488800(20) Aug 26 18:34:00.634824: | natd_hash: icookie= d3 c7 17 ff 29 c7 6c 97 Aug 26 18:34:00.634825: | natd_hash: rcookie= d6 87 4f e0 26 26 18 04 Aug 26 18:34:00.634827: | natd_hash: ip= c0 01 02 2d Aug 26 18:34:00.634828: | natd_hash: port=500 Aug 26 18:34:00.634830: | natd_hash: hash= 5a a4 df f1 a1 7c b9 86 cf c4 2f da 3a e2 3e ec Aug 26 18:34:00.634832: | natd_hash: hash= 4f 88 c4 ad Aug 26 18:34:00.634833: | Adding a v2N Payload Aug 26 18:34:00.634835: | ***emit IKEv2 Notify Payload: Aug 26 
18:34:00.634837: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:34:00.634838: | flags: none (0x0) Aug 26 18:34:00.634840: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:34:00.634842: | SPI size: 0 (0x0) Aug 26 18:34:00.634843: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 18:34:00.634845: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:34:00.634847: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:34:00.634849: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 18:34:00.634851: | Notify data 5a a4 df f1 a1 7c b9 86 cf c4 2f da 3a e2 3e ec Aug 26 18:34:00.634853: | Notify data 4f 88 c4 ad Aug 26 18:34:00.634854: | emitting length of IKEv2 Notify Payload: 28 Aug 26 18:34:00.634856: | emitting length of ISAKMP Message: 432 Aug 26 18:34:00.634860: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:34:00.634863: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Aug 26 18:34:00.634865: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Aug 26 18:34:00.634867: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Aug 26 18:34:00.634869: | Message ID: updating counters for #1 to 0 after switching state Aug 26 18:34:00.634872: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Aug 26 18:34:00.634875: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Aug 26 18:34:00.634878: "east" #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} Aug 26 
18:34:00.634883: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Aug 26 18:34:00.634886: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Aug 26 18:34:00.634888: | d3 c7 17 ff 29 c7 6c 97 d6 87 4f e0 26 26 18 04 Aug 26 18:34:00.634892: | 21 20 22 20 00 00 00 00 00 00 01 b0 22 00 00 28 Aug 26 18:34:00.634894: | 00 00 00 24 01 01 00 03 03 00 00 0c 01 00 00 14 Aug 26 18:34:00.634895: | 80 0e 01 00 03 00 00 08 02 00 00 07 00 00 00 08 Aug 26 18:34:00.634897: | 04 00 00 0e 28 00 01 08 00 0e 00 00 4e d2 81 66 Aug 26 18:34:00.634899: | 56 d6 3d d3 09 a9 5d a8 98 18 5f 2b e5 7c d6 84 Aug 26 18:34:00.634900: | 88 a4 d4 5d 9b 1c 74 bf be f5 28 db f7 74 c2 8e Aug 26 18:34:00.634902: | d9 b2 53 c5 b0 2d b6 aa 78 57 3f 56 65 43 1a b2 Aug 26 18:34:00.634903: | ef 16 42 1b 3b 3f e0 3c 1f 8f 4b 1c 28 0d 0f 0a Aug 26 18:34:00.634905: | 5d b9 c7 82 b9 26 8c 11 b6 0b 19 e6 a6 3d 6c c9 Aug 26 18:34:00.634907: | 88 a2 a6 bd ee f8 51 8b ea ff f4 ca d5 a6 f7 52 Aug 26 18:34:00.634908: | b2 a2 81 1d 8f b5 9d 9d 2e 6d ee 90 90 cc 85 2d Aug 26 18:34:00.634910: | 06 23 66 48 1c 7c d7 2b 7e cf d4 c4 99 ee 99 58 Aug 26 18:34:00.634911: | b3 18 3a c4 7e eb 63 54 93 6f a7 f9 81 f7 49 8f Aug 26 18:34:00.634913: | a6 8c f8 3e 73 9f 5c 89 3e 85 f6 e7 a5 ae d9 99 Aug 26 18:34:00.634914: | c8 27 0a bc 46 aa 26 d4 85 b1 d5 60 c5 02 fc 95 Aug 26 18:34:00.634916: | b0 92 79 32 74 63 84 85 4f 61 6c 3c be 9d ea 92 Aug 26 18:34:00.634918: | 13 5a ed da 1f 4a bf 8d ca 90 8e 00 26 00 bb ae Aug 26 18:34:00.634919: | f4 7d 95 84 2d 7d 33 a4 5d a3 2b 6f 25 d2 9a 2a Aug 26 18:34:00.634921: | 25 3e 57 2a 82 c3 b8 f4 d9 da fa e9 ca 99 f9 48 Aug 26 18:34:00.634922: | eb 64 52 c3 5d 9c 2c aa b8 66 f0 3f 29 00 00 24 Aug 26 18:34:00.634924: | 19 6b 8c cf 40 45 a4 00 89 e9 55 f6 e9 b0 2f e4 Aug 26 18:34:00.634926: | f5 db dd ee 25 5b 8a 0c d4 3f 01 7a 37 2f 48 cf Aug 26 18:34:00.634927: | 29 00 00 08 00 00 40 2e 29 00 00 1c 00 00 40 04 Aug 26 
18:34:00.634929: | 34 91 8e 50 7f e1 7a ec ea ef fa a0 ef 57 ce b2 Aug 26 18:34:00.634930: | fa 4a dc 52 00 00 00 1c 00 00 40 05 5a a4 df f1 Aug 26 18:34:00.634932: | a1 7c b9 86 cf c4 2f da 3a e2 3e ec 4f 88 c4 ad Aug 26 18:34:00.634955: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 18:34:00.634959: | libevent_free: release ptr-libevent@0x55e685773928 Aug 26 18:34:00.634961: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55e68576f6a8 Aug 26 18:34:00.634964: | event_schedule: new EVENT_SO_DISCARD-pe@0x55e68576f6a8 Aug 26 18:34:00.634966: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Aug 26 18:34:00.634968: | libevent_malloc: new ptr-libevent@0x55e685774a18 size 128 Aug 26 18:34:00.634971: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 18:34:00.634975: | #1 spent 0.391 milliseconds in resume sending helper answer Aug 26 18:34:00.634978: | stop processing: state #1 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 18:34:00.634980: | libevent_free: release ptr-libevent@0x7f825c002888 Aug 26 18:34:00.637726: | spent 0.0021 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 18:34:00.637742: | *received 365 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) Aug 26 18:34:00.637745: | d3 c7 17 ff 29 c7 6c 97 d6 87 4f e0 26 26 18 04 Aug 26 18:34:00.637746: | 2e 20 23 08 00 00 00 01 00 00 01 6d 23 00 01 51 Aug 26 18:34:00.637748: | 42 94 5b 94 ad 92 58 86 b3 55 aa ba 38 04 9b df Aug 26 18:34:00.637750: | dd fa b1 34 1d ed 0f 56 0d 30 22 69 32 e0 47 27 Aug 26 18:34:00.637751: | a2 94 4f fd 36 56 00 22 9e ca 82 fd 74 d4 29 9b Aug 26 18:34:00.637753: | f0 26 1c 08 0b 84 12 22 88 e8 bc ee f7 e6 a6 4b Aug 26 18:34:00.637755: | e7 2b c6 94 76 d4 5b 45 d6 87 01 1c b3 04 ca 26 Aug 26 18:34:00.637756: | 74 e0 16 b4 22 df da 43 59 d7 9f c4 3a 21 1e f7 Aug 26 18:34:00.637760: | 44 5c 86 46 96 f9 32 8a 5a 62 b1 3c c6 0c b4 bb Aug 26 
18:34:00.637786: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 18:34:00.637788: | **parse ISAKMP Message: Aug 26 18:34:00.637790: | initiator cookie: Aug 26 18:34:00.637792: | d3 c7 17 ff 29 c7 6c 97 Aug 26 18:34:00.637793: | responder cookie: Aug 26 18:34:00.637795: | d6 87 4f e0 26 26 18 04 Aug 26 18:34:00.637797: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 18:34:00.637799: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:34:00.637800: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 18:34:00.637802: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 18:34:00.637804: | Message ID: 1 (0x1) Aug 26 18:34:00.637806: | length: 365 (0x16d) Aug 26 18:34:00.637808: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 18:34:00.637810: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 18:34:00.637813: | State DB: found IKEv2 state #1 in PARENT_R1
(find_v2_ike_sa) Aug 26 18:34:00.637816: | start processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 18:34:00.637819: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 18:34:00.637821: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 18:34:00.637823: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Aug 26 18:34:00.637826: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Aug 26 18:34:00.637828: | unpacking clear payload Aug 26 18:34:00.637830: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 18:34:00.637832: | ***parse IKEv2 Encryption Payload: Aug 26 18:34:00.637834: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Aug 26 18:34:00.637835: | flags: none (0x0) Aug 26 18:34:00.637837: | length: 337 (0x151) Aug 26 18:34:00.637839: | processing payload: ISAKMP_NEXT_v2SK (len=333) Aug 26 18:34:00.637842: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Aug 26 18:34:00.637844: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 18:34:00.637846: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 18:34:00.637848: | Now let's proceed with state specific processing Aug 26 18:34:00.637849: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 18:34:00.637852: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Aug 26 18:34:00.637854: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Aug 26 18:34:00.637857: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Aug 26 18:34:00.637859: | state #1 requesting EVENT_SO_DISCARD to be deleted Aug 26 18:34:00.637862: | libevent_free: release ptr-libevent@0x55e685774a18 Aug 26 18:34:00.637865: 
| free_event_entry: release EVENT_SO_DISCARD-pe@0x55e68576f6a8 Aug 26 18:34:00.637867: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55e68576f6a8 Aug 26 18:34:00.637869: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 18:34:00.637871: | libevent_malloc: new ptr-libevent@0x7f825c002888 size 128 Aug 26 18:34:00.637879: | #1 spent 0.026 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Aug 26 18:34:00.637883: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:34:00.637885: | crypto helper 0 resuming Aug 26 18:34:00.637885: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Aug 26 18:34:00.637897: | crypto helper 0 starting work-order 2 for state #1 Aug 26 18:34:00.637900: | suspending state #1 and saving MD Aug 26 18:34:00.637905: | crypto helper 0 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Aug 26 18:34:00.637907: | #1 is busy; has a suspended MD Aug 26 18:34:00.637911: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 18:34:00.637914: | "east" #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 18:34:00.637917: | stop processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 18:34:00.637920: | #1 spent 0.18 milliseconds in ikev2_process_packet() Aug 26 18:34:00.637923: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 18:34:00.637925: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 18:34:00.637927: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 18:34:00.637929: | spent 0.189 milliseconds in comm_handle_cb() reading and processing packet Aug 26 18:34:00.638875: | calculating skeyseed using 
prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Aug 26 18:34:00.639286: | crypto helper 0 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.00138 seconds Aug 26 18:34:00.639313: | (#1) spent 1.39 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Aug 26 18:34:00.639317: | crypto helper 0 sending results from work-order 2 for state #1 to event queue Aug 26 18:34:00.639320: | scheduling resume sending helper answer for #1 Aug 26 18:34:00.639324: | libevent_malloc: new ptr-libevent@0x7f8254000f48 size 128 Aug 26 18:34:00.639343: | crypto helper 0 waiting (nothing to do) Aug 26 18:34:00.639376: | processing resume sending helper answer for #1 Aug 26 18:34:00.639385: | start processing: state #1 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 18:34:00.639389: | crypto helper 0 replies to request ID 2 Aug 26 18:34:00.639391: | calling continuation function 0x55e6843b3b50 Aug 26 18:34:00.639393: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Aug 26 18:34:00.639395: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 18:34:00.639408: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Aug 26 18:34:00.639411: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Aug 26 18:34:00.639413: | **parse IKEv2 Identification - Initiator - Payload: Aug 26 18:34:00.639415: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Aug 26 18:34:00.639417: | flags: none (0x0) Aug 26 18:34:00.639419: | length: 12 (0xc) Aug 26 18:34:00.639420: | ID type: ID_FQDN (0x2) Aug 26 18:34:00.639422: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Aug 26 18:34:00.639424: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Aug 26 18:34:00.639426: | **parse IKEv2 Identification - Responder - Payload: Aug 26 18:34:00.639427: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Aug 26 18:34:00.639429: | flags: none (0x0) Aug 26 18:34:00.639431: | length: 12 (0xc) Aug 26 18:34:00.639434: | ID type: 
ID_FQDN (0x2) Aug 26 18:34:00.639436: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Aug 26 18:34:00.639438: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Aug 26 18:34:00.639440: | **parse IKEv2 Authentication Payload: Aug 26 18:34:00.639442: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 18:34:00.639443: | flags: none (0x0) Aug 26 18:34:00.639445: | length: 72 (0x48) Aug 26 18:34:00.639447: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 18:34:00.639448: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Aug 26 18:34:00.639450: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 18:34:00.639452: | **parse IKEv2 Security Association Payload: Aug 26 18:34:00.639453: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 18:34:00.639455: | flags: none (0x0) Aug 26 18:34:00.639457: | length: 164 (0xa4) Aug 26 18:34:00.639458: | processing payload: ISAKMP_NEXT_v2SA (len=160) Aug 26 18:34:00.639460: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 18:34:00.639462: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 18:34:00.639464: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 18:34:00.639466: | flags: none (0x0) Aug 26 18:34:00.639467: | length: 24 (0x18) Aug 26 18:34:00.639469: | number of TS: 1 (0x1) Aug 26 18:34:00.639471: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Aug 26 18:34:00.639472: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 18:34:00.639474: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 18:34:00.639476: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:34:00.639477: | flags: none (0x0) Aug 26 18:34:00.639479: | length: 24 (0x18) Aug 26 18:34:00.639480: | number of TS: 1 (0x1) Aug 26 18:34:00.639482: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Aug 26 18:34:00.639484: | selected state microcode Responder: process IKE_AUTH request Aug 26 18:34:00.639486: | Now let's proceed with state specific processing Aug 26 18:34:00.639487: | calling processor Responder: process 
IKE_AUTH request Aug 26 18:34:00.639491: "east" #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Aug 26 18:34:00.639495: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 18:34:00.639498: | received IDr payload - extracting our alleged ID Aug 26 18:34:00.639500: | refine_host_connection for IKEv2: starting with "east" Aug 26 18:34:00.639503: | match_id a=@west Aug 26 18:34:00.639505: | b=@west Aug 26 18:34:00.639507: | results matched Aug 26 18:34:00.639510: | refine_host_connection: checking "east" against "east", best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Aug 26 18:34:00.639511: | Warning: not switching back to template of current instance Aug 26 18:34:00.639513: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Aug 26 18:34:00.639515: | This connection's local id is @east (ID_FQDN) Aug 26 18:34:00.639518: | refine_host_connection: checked east against east, now for see if best Aug 26 18:34:00.639520: | started looking for secret for @east->@west of kind PKK_PSK Aug 26 18:34:00.639522: | actually looking for secret for @east->@west of kind PKK_PSK Aug 26 18:34:00.639525: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 18:34:00.639527: | 1: compared key @east to @east / @west -> 010 Aug 26 18:34:00.639529: | 2: compared key @west to @east / @west -> 014 Aug 26 18:34:00.639531: | line 1: match=014 Aug 26 18:34:00.639533: | match 014 beats previous best_match 000 match=0x55e6856c6b58 (line=1) Aug 26 18:34:00.639535: | concluding with best_match=014 best=0x55e6856c6b58 (lineno=1) Aug 26 18:34:00.639537: | returning because exact peer id match Aug 26 18:34:00.639539: | offered CA: '%none' Aug 26 18:34:00.639541: "east" #1: IKEv2 mode peer ID is ID_FQDN: '@west' Aug 26 18:34:00.639554: | verifying AUTH payload Aug 26 18:34:00.639558: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret 
Aug 26 18:34:00.639563: | started looking for secret for @east->@west of kind PKK_PSK Aug 26 18:34:00.639565: | actually looking for secret for @east->@west of kind PKK_PSK Aug 26 18:34:00.639567: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 18:34:00.639569: | 1: compared key @east to @east / @west -> 010 Aug 26 18:34:00.639571: | 2: compared key @west to @east / @west -> 014 Aug 26 18:34:00.639573: | line 1: match=014 Aug 26 18:34:00.639575: | match 014 beats previous best_match 000 match=0x55e6856c6b58 (line=1) Aug 26 18:34:00.639577: | concluding with best_match=014 best=0x55e6856c6b58 (lineno=1) Aug 26 18:34:00.639614: "east" #1: Authenticated using authby=secret Aug 26 18:34:00.639618: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Aug 26 18:34:00.639621: | #1 will start re-keying in 3598 seconds with margin of 2 seconds (attempting re-key) Aug 26 18:34:00.639623: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 18:34:00.639625: | libevent_free: release ptr-libevent@0x7f825c002888 Aug 26 18:34:00.639628: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55e68576f6a8 Aug 26 18:34:00.639630: | event_schedule: new EVENT_SA_REKEY-pe@0x55e68576f6a8 Aug 26 18:34:00.639632: | inserting event EVENT_SA_REKEY, timeout in 3598 seconds for #1 Aug 26 18:34:00.639634: | libevent_malloc: new ptr-libevent@0x55e685774a18 size 128 Aug 26 18:34:00.639963: | pstats #1 ikev2.ike established Aug 26 18:34:00.639973: | **emit ISAKMP Message: Aug 26 18:34:00.639976: | initiator cookie: Aug 26 18:34:00.639979: | d3 c7 17 ff 29 c7 6c 97 Aug 26 18:34:00.639982: | responder cookie: Aug 26 18:34:00.639984: | d6 87 4f e0 26 26 18 04 Aug 26 18:34:00.639987: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:34:00.639991: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:34:00.639993: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 18:34:00.639996: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 
18:34:00.639999: | Message ID: 1 (0x1) Aug 26 18:34:00.640002: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:34:00.640005: | IKEv2 CERT: send a certificate? Aug 26 18:34:00.640009: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Aug 26 18:34:00.640011: | ***emit IKEv2 Encryption Payload: Aug 26 18:34:00.640014: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:34:00.640017: | flags: none (0x0) Aug 26 18:34:00.640020: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:34:00.640024: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 18:34:00.640027: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:34:00.640034: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 18:34:00.640049: | ****emit IKEv2 Identification - Responder - Payload: Aug 26 18:34:00.640052: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:34:00.640055: | flags: none (0x0) Aug 26 18:34:00.640058: | ID type: ID_FQDN (0x2) Aug 26 18:34:00.640062: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Aug 26 18:34:00.640065: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 18:34:00.640068: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Aug 26 18:34:00.640071: | my identity 65 61 73 74 Aug 26 18:34:00.640074: | emitting length of IKEv2 Identification - Responder - Payload: 12 Aug 26 18:34:00.640082: | assembled IDr payload Aug 26 18:34:00.640085: | CHILD SA proposals received Aug 26 18:34:00.640088: | going to assemble AUTH payload Aug 26 18:34:00.640090: | ****emit IKEv2 Authentication Payload: Aug 26 18:34:00.640093: 
| next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 18:34:00.640096: | flags: none (0x0) Aug 26 18:34:00.640102: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 18:34:00.640105: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Aug 26 18:34:00.640108: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Aug 26 18:34:00.640112: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Aug 26 18:34:00.640115: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Aug 26 18:34:00.640119: | started looking for secret for @east->@west of kind PKK_PSK Aug 26 18:34:00.640122: | actually looking for secret for @east->@west of kind PKK_PSK Aug 26 18:34:00.640125: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 18:34:00.640129: | 1: compared key @east to @east / @west -> 010 Aug 26 18:34:00.640132: | 2: compared key @west to @east / @west -> 014 Aug 26 18:34:00.640135: | line 1: match=014 Aug 26 18:34:00.640138: | match 014 beats previous best_match 000 match=0x55e6856c6b58 (line=1) Aug 26 18:34:00.640141: | concluding with best_match=014 best=0x55e6856c6b58 (lineno=1) Aug 26 18:34:00.640198: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Aug 26 18:34:00.640202: | PSK auth 96 d4 60 5a 02 39 6c b7 79 70 18 f7 14 3d fa 4f Aug 26 18:34:00.640204: | PSK auth c8 89 a3 ea c2 19 76 49 f9 d3 04 b5 17 87 8d a2 Aug 26 18:34:00.640207: | PSK auth 81 21 45 45 c3 a9 36 ea d4 bc ba d8 e0 8e 65 cd Aug 26 18:34:00.640210: | PSK auth cf 47 e7 84 98 64 c3 55 6d f1 1c d0 64 0f d7 36 Aug 26 18:34:00.640213: | emitting length of IKEv2 Authentication Payload: 72 Aug 26 18:34:00.640219: | creating state object #2 at 0x55e685775738 Aug 26 18:34:00.640223: | State DB: adding IKEv2 state #2 in UNDEFINED Aug 
26 18:34:00.640226: | pstats #2 ikev2.child started Aug 26 18:34:00.640230: | duplicating state object #1 "east" as #2 for IPSEC SA Aug 26 18:34:00.640235: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 18:34:00.640241: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 18:34:00.640246: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Aug 26 18:34:00.640251: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Aug 26 18:34:00.640254: | Child SA TS Request has ike->sa == md->st; so using parent connection Aug 26 18:34:00.640257: | TSi: parsing 1 traffic selectors Aug 26 18:34:00.640260: | ***parse IKEv2 Traffic Selector: Aug 26 18:34:00.640263: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:34:00.640266: | IP Protocol ID: 0 (0x0) Aug 26 18:34:00.640268: | length: 16 (0x10) Aug 26 18:34:00.640271: | start port: 0 (0x0) Aug 26 18:34:00.640274: | end port: 65535 (0xffff) Aug 26 18:34:00.640277: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 18:34:00.640280: | TS low c0 00 01 00 Aug 26 18:34:00.640282: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 18:34:00.640285: | TS high c0 00 01 ff Aug 26 18:34:00.640291: | TSi: parsed 1 traffic selectors Aug 26 18:34:00.640297: | TSr: parsing 1 traffic selectors Aug 26 18:34:00.640300: | ***parse IKEv2 Traffic Selector: Aug 26 18:34:00.640303: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:34:00.640305: | IP Protocol ID: 0 (0x0) Aug 26 18:34:00.640321: | length: 16 (0x10) Aug 26 18:34:00.640323: | start port: 0 (0x0) Aug 26 18:34:00.640326: | end port: 65535 (0xffff) Aug 26 18:34:00.640328: | parsing 
4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 18:34:00.640331: | TS low c0 00 02 00 Aug 26 18:34:00.640335: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 18:34:00.640338: | TS high c0 00 02 ff Aug 26 18:34:00.640340: | TSr: parsed 1 traffic selectors Aug 26 18:34:00.640343: | looking for best SPD in current connection Aug 26 18:34:00.640349: | evaluating our conn="east" I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 18:34:00.640354: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:34:00.640361: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Aug 26 18:34:00.640364: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 18:34:00.640367: | TSi[0] port match: YES fitness 65536 Aug 26 18:34:00.640370: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 18:34:00.640373: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 18:34:00.640378: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:34:00.640384: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 18:34:00.640387: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 18:34:00.640390: | TSr[0] port match: YES fitness 65536 Aug 26 18:34:00.640392: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 18:34:00.640396: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 18:34:00.640398: | best fit so far: TSi[0] TSr[0] Aug 26 18:34:00.640401: | found better spd route for TSi[0],TSr[0] Aug 26 18:34:00.640404: | looking for better host pair Aug 26 18:34:00.640409: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Aug 26 18:34:00.640414: | checking hostpair 192.0.2.0/24 -> 192.0.1.0/24 is found Aug 26 18:34:00.640416: | investigating connection "east" as a better match Aug 26 18:34:00.640419: | match_id a=@west Aug 26 18:34:00.640422: | b=@west Aug 26 
18:34:00.640424: | results matched Aug 26 18:34:00.640429: | evaluating our conn="east" I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 18:34:00.640434: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:34:00.640440: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Aug 26 18:34:00.640443: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 18:34:00.640445: | TSi[0] port match: YES fitness 65536 Aug 26 18:34:00.640448: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 18:34:00.640451: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 18:34:00.640456: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:34:00.640461: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 18:34:00.640464: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 18:34:00.640467: | TSr[0] port match: YES fitness 65536 Aug 26 18:34:00.640470: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 18:34:00.640473: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 18:34:00.640476: | best fit so far: TSi[0] TSr[0] Aug 26 18:34:00.640478: | did not find a better connection using host pair Aug 26 18:34:00.640481: | printing contents struct traffic_selector Aug 26 18:34:00.640483: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 18:34:00.640486: | ipprotoid: 0 Aug 26 18:34:00.640488: | port range: 0-65535 Aug 26 18:34:00.640493: | ip range: 192.0.2.0-192.0.2.255 Aug 26 18:34:00.640495: | printing contents struct traffic_selector Aug 26 18:34:00.640498: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 18:34:00.640500: | ipprotoid: 0 Aug 26 18:34:00.640503: | port range: 0-65535 Aug 26 18:34:00.640507: | ip range: 192.0.1.0-192.0.1.255 Aug 26 18:34:00.640511: | constructing ESP/AH proposals with all DH removed for east (IKE_AUTH responder matching remote ESP/AH proposals) Aug 26 18:34:00.640516: | converting 
proposal AES_GCM_16_256-NONE to ikev2 ... Aug 26 18:34:00.640524: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 18:34:00.640527: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Aug 26 18:34:00.640532: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 18:34:00.640535: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 18:34:00.640539: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 18:34:00.640543: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 18:34:00.640547: | ... ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 18:34:00.640570: "east": constructed local ESP/AH proposals for east (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 18:34:00.640574: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals Aug 26 18:34:00.640578: | local proposal 1 type ENCR has 1 transforms Aug 26 18:34:00.640581: | local proposal 1 type PRF has 0 transforms Aug 26 18:34:00.640596: | local proposal 1 type INTEG has 1 transforms Aug 26 18:34:00.640599: | local proposal 1 type DH has 1 transforms Aug 26 18:34:00.640602: | local proposal 1 type ESN has 1 transforms Aug 26 18:34:00.640605: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 18:34:00.640608: | local proposal 2 type ENCR has 1 transforms Aug 26 18:34:00.640611: | local proposal 2 type PRF has 0 transforms Aug 26 18:34:00.640613: | local proposal 2 type INTEG has 1 
transforms Aug 26 18:34:00.640616: | local proposal 2 type DH has 1 transforms Aug 26 18:34:00.640619: | local proposal 2 type ESN has 1 transforms Aug 26 18:34:00.640622: | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 18:34:00.640624: | local proposal 3 type ENCR has 1 transforms Aug 26 18:34:00.640627: | local proposal 3 type PRF has 0 transforms Aug 26 18:34:00.640630: | local proposal 3 type INTEG has 2 transforms Aug 26 18:34:00.640632: | local proposal 3 type DH has 1 transforms Aug 26 18:34:00.640635: | local proposal 3 type ESN has 1 transforms Aug 26 18:34:00.640638: | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 18:34:00.640641: | local proposal 4 type ENCR has 1 transforms Aug 26 18:34:00.640644: | local proposal 4 type PRF has 0 transforms Aug 26 18:34:00.640647: | local proposal 4 type INTEG has 2 transforms Aug 26 18:34:00.640649: | local proposal 4 type DH has 1 transforms Aug 26 18:34:00.640652: | local proposal 4 type ESN has 1 transforms Aug 26 18:34:00.640655: | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 18:34:00.640658: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 18:34:00.640661: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:34:00.640664: | length: 32 (0x20) Aug 26 18:34:00.640666: | prop #: 1 (0x1) Aug 26 18:34:00.640669: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:34:00.640672: | spi size: 4 (0x4) Aug 26 18:34:00.640674: | # transforms: 2 (0x2) Aug 26 18:34:00.640678: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 18:34:00.640680: | remote SPI 8f 95 7a 8d Aug 26 18:34:00.640684: | Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals Aug 26 18:34:00.640687: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.640690: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.640692: | length: 12 (0xc) Aug 26 18:34:00.640695: | 
IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:34:00.640699: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:34:00.640702: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 18:34:00.640705: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:34:00.640708: | length/value: 256 (0x100) Aug 26 18:34:00.640712: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 18:34:00.640715: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.640718: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:34:00.640720: | length: 8 (0x8) Aug 26 18:34:00.640723: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:34:00.640725: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:34:00.640729: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 18:34:00.640733: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Aug 26 18:34:00.640736: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Aug 26 18:34:00.640739: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Aug 26 18:34:00.640743: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Aug 26 18:34:00.640747: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Aug 26 18:34:00.640750: | remote proposal 1 matches local proposal 1 Aug 26 18:34:00.640753: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 18:34:00.640756: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:34:00.640758: | length: 32 (0x20) Aug 26 18:34:00.640761: | prop #: 2 (0x2) Aug 26 18:34:00.640764: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:34:00.640766: | spi size: 4 (0x4) Aug 26 18:34:00.640769: | # transforms: 2 (0x2) Aug 26 18:34:00.640772: | parsing 4 raw bytes of 
IKEv2 Proposal Substructure Payload into remote SPI Aug 26 18:34:00.640775: | remote SPI 8f 95 7a 8d Aug 26 18:34:00.640778: | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:34:00.640781: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.640783: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.640786: | length: 12 (0xc) Aug 26 18:34:00.640789: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:34:00.640791: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:34:00.640794: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 18:34:00.640797: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:34:00.640799: | length/value: 128 (0x80) Aug 26 18:34:00.640803: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.640805: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:34:00.640808: | length: 8 (0x8) Aug 26 18:34:00.640810: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:34:00.640813: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:34:00.640831: | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN Aug 26 18:34:00.640834: | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN Aug 26 18:34:00.640837: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 18:34:00.640840: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:34:00.640842: | length: 48 (0x30) Aug 26 18:34:00.640845: | prop #: 3 (0x3) Aug 26 18:34:00.640848: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:34:00.640850: | spi size: 4 (0x4) Aug 26 18:34:00.640853: | # transforms: 4 (0x4) Aug 26 18:34:00.640869: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 18:34:00.640871: | remote SPI 8f 95 7a 8d Aug 26 18:34:00.640874: | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:34:00.640877: | ****parse IKEv2 Transform Substructure Payload: 
Aug 26 18:34:00.640880: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.640884: | length: 12 (0xc) Aug 26 18:34:00.640887: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:34:00.640890: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:34:00.640892: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 18:34:00.640895: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:34:00.640898: | length/value: 256 (0x100) Aug 26 18:34:00.640901: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.640903: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.640906: | length: 8 (0x8) Aug 26 18:34:00.640909: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:34:00.640911: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 18:34:00.640914: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.640917: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.640920: | length: 8 (0x8) Aug 26 18:34:00.640922: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:34:00.640925: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:34:00.640928: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.640931: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:34:00.640933: | length: 8 (0x8) Aug 26 18:34:00.640936: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:34:00.640938: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:34:00.640942: | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Aug 26 18:34:00.640945: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN Aug 26 18:34:00.640948: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 18:34:00.640951: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:34:00.640953: | length: 48 (0x30) Aug 26 18:34:00.640956: | prop #: 4 (0x4) Aug 26 18:34:00.640958: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:34:00.640961: | spi size: 4 (0x4) Aug 26 18:34:00.640963: | # 
transforms: 4 (0x4) Aug 26 18:34:00.640967: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 18:34:00.640969: | remote SPI 8f 95 7a 8d Aug 26 18:34:00.640972: | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:34:00.640975: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.640978: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.640980: | length: 12 (0xc) Aug 26 18:34:00.640983: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:34:00.640986: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:34:00.640988: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 18:34:00.640991: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:34:00.640993: | length/value: 128 (0x80) Aug 26 18:34:00.640996: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.640999: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.641002: | length: 8 (0x8) Aug 26 18:34:00.641004: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:34:00.641007: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 18:34:00.641010: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.641012: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.641015: | length: 8 (0x8) Aug 26 18:34:00.641018: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:34:00.641020: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:34:00.641023: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:34:00.641026: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:34:00.641028: | length: 8 (0x8) Aug 26 18:34:00.641031: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:34:00.641033: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:34:00.641037: | remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Aug 26 18:34:00.641040: | remote proposal 4 does not match; unmatched remote transforms: 
ENCR+INTEG+ESN Aug 26 18:34:00.641045: "east" #1: proposal 1:ESP:SPI=8f957a8d;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Aug 26 18:34:00.641053: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=8f957a8d;ENCR=AES_GCM_C_256;ESN=DISABLED Aug 26 18:34:00.641056: | converting proposal to internal trans attrs Aug 26 18:34:00.641074: | netlink_get_spi: allocated 0x8e88b43a for esp.0@192.1.2.23 Aug 26 18:34:00.641077: | Emitting ikev2_proposal ... Aug 26 18:34:00.641080: | ****emit IKEv2 Security Association Payload: Aug 26 18:34:00.641083: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:34:00.641085: | flags: none (0x0) Aug 26 18:34:00.641089: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 18:34:00.641092: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 18:34:00.641095: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 18:34:00.641098: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:34:00.641100: | prop #: 1 (0x1) Aug 26 18:34:00.641103: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:34:00.641106: | spi size: 4 (0x4) Aug 26 18:34:00.641108: | # transforms: 2 (0x2) Aug 26 18:34:00.641111: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 18:34:00.641115: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 18:34:00.641117: | our spi 8e 88 b4 3a Aug 26 18:34:00.641120: | ******emit IKEv2 Transform Substructure Payload: Aug 26 18:34:00.641123: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.641126: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:34:00.641128: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:34:00.641131: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:34:00.641134: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 18:34:00.641137: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:34:00.641140: | length/value: 256 (0x100) Aug 26 18:34:00.641143: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 18:34:00.641145: | ******emit IKEv2 Transform Substructure Payload: Aug 26 18:34:00.641148: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:34:00.641151: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:34:00.641153: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:34:00.641157: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:34:00.641160: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:34:00.641163: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:34:00.641166: | emitting length of IKEv2 Proposal Substructure Payload: 32 Aug 26 18:34:00.641169: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 18:34:00.641171: | emitting length of IKEv2 Security Association Payload: 36 Aug 26 18:34:00.641174: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 18:34:00.641177: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 18:34:00.641180: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:34:00.641183: | flags: none (0x0) Aug 26 18:34:00.641185: | number 
of TS: 1 (0x1) Aug 26 18:34:00.641189: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 18:34:00.641193: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 18:34:00.641196: | *****emit IKEv2 Traffic Selector: Aug 26 18:34:00.641199: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:34:00.641201: | IP Protocol ID: 0 (0x0) Aug 26 18:34:00.641204: | start port: 0 (0x0) Aug 26 18:34:00.641207: | end port: 65535 (0xffff) Aug 26 18:34:00.641210: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 18:34:00.641227: | ipv4 start c0 00 01 00 Aug 26 18:34:00.641230: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 18:34:00.641232: | ipv4 end c0 00 01 ff Aug 26 18:34:00.641235: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 18:34:00.641238: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 18:34:00.641241: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 18:34:00.641244: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:34:00.641246: | flags: none (0x0) Aug 26 18:34:00.641249: | number of TS: 1 (0x1) Aug 26 18:34:00.641253: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 18:34:00.641256: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 18:34:00.641258: | *****emit IKEv2 Traffic Selector: Aug 26 18:34:00.641261: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:34:00.641264: | IP Protocol ID: 0 (0x0) Aug 26 18:34:00.641266: | start port: 0 (0x0) Aug 26 18:34:00.641269: | end port: 65535 (0xffff) Aug 26 18:34:00.641272: | emitting 4 raw bytes of ipv4 
start into IKEv2 Traffic Selector Aug 26 18:34:00.641275: | ipv4 start c0 00 02 00 Aug 26 18:34:00.641277: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 18:34:00.641280: | ipv4 end c0 00 02 ff Aug 26 18:34:00.641283: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 18:34:00.641285: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 18:34:00.641292: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 18:34:00.641297: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Aug 26 18:34:00.641488: | FOR_EACH_CONNECTION_... in ISAKMP_SA_established Aug 26 18:34:00.641496: | #1 spent 1.99 milliseconds Aug 26 18:34:00.641499: | install_ipsec_sa() for #2: inbound and outbound Aug 26 18:34:00.641502: | could_route called for east (kind=CK_PERMANENT) Aug 26 18:34:00.641505: | FOR_EACH_CONNECTION_... in route_owner Aug 26 18:34:00.641508: | conn east mark 0/00000000, 0/00000000 vs Aug 26 18:34:00.641511: | conn east mark 0/00000000, 0/00000000 Aug 26 18:34:00.641515: | route owner of "east" unrouted: NULL; eroute owner: NULL Aug 26 18:34:00.641519: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 18:34:00.641522: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 18:34:00.641525: | AES_GCM_16 requires 4 salt bytes Aug 26 18:34:00.641528: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 18:34:00.641533: | setting IPsec SA replay-window to 32 Aug 26 18:34:00.641536: | NIC esp-hw-offload not for connection 'east' not available on interface eth1 Aug 26 18:34:00.641539: | netlink: enabling tunnel mode Aug 26 18:34:00.641542: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 18:34:00.641545: | netlink: esp-hw-offload not set for IPsec SA Aug 26 18:34:00.641629: | netlink response for Add SA esp.8f957a8d@192.1.2.45 included non-error error Aug 26 
18:34:00.641634: | set up outgoing SA, ref=0/0 Aug 26 18:34:00.641637: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 18:34:00.641640: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 18:34:00.641645: | AES_GCM_16 requires 4 salt bytes Aug 26 18:34:00.641648: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 18:34:00.641664: | setting IPsec SA replay-window to 32 Aug 26 18:34:00.641667: | NIC esp-hw-offload not for connection 'east' not available on interface eth1 Aug 26 18:34:00.641670: | netlink: enabling tunnel mode Aug 26 18:34:00.641672: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 18:34:00.641675: | netlink: esp-hw-offload not set for IPsec SA Aug 26 18:34:00.641720: | netlink response for Add SA esp.8e88b43a@192.1.2.23 included non-error error Aug 26 18:34:00.641724: | priority calculation of connection "east" is 0xfe7e7 Aug 26 18:34:00.641731: | add inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Aug 26 18:34:00.641734: | IPsec Sa SPD priority set to 1042407 Aug 26 18:34:00.641781: | raw_eroute result=success Aug 26 18:34:00.641785: | set up incoming SA, ref=0/0 Aug 26 18:34:00.641787: | sr for #2: unrouted Aug 26 18:34:00.641790: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 18:34:00.641793: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 18:34:00.641796: | conn east mark 0/00000000, 0/00000000 vs Aug 26 18:34:00.641799: | conn east mark 0/00000000, 0/00000000 Aug 26 18:34:00.641803: | route owner of "east" unrouted: NULL; eroute owner: NULL Aug 26 18:34:00.641806: | route_and_eroute with c: east (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Aug 26 18:34:00.641822: | priority calculation of connection "east" is 0xfe7e7 Aug 26 18:34:00.641829: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45 (raw_eroute) Aug 26 18:34:00.641832: | IPsec Sa SPD priority set to 1042407 Aug 26 18:34:00.641843: | raw_eroute result=success Aug 26 18:34:00.641860: | running updown command "ipsec _updown" for verb up Aug 26 18:34:00.641863: | command executing up-client Aug 26 18:34:00.641902: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x8f957a8d SPI_OUT=0x8e8 Aug 26 18:34:00.641905: | popen cmd is 1020 chars long Aug 26 18:34:00.641908: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' 
PLUTO_CONNECTION='east' PLUTO_INTERFA: Aug 26 18:34:00.641911: | cmd( 80):CE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' : Aug 26 18:34:00.641914: | cmd( 160):PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_M: Aug 26 18:34:00.641917: | cmd( 240):ASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='1638: Aug 26 18:34:00.641920: | cmd( 320):8' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_: Aug 26 18:34:00.641923: | cmd( 400):CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK=': Aug 26 18:34:00.641926: | cmd( 480):255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUT: Aug 26 18:34:00.641928: | cmd( 560):O_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKE: Aug 26 18:34:00.641933: | cmd( 640):V2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO: Aug 26 18:34:00.641936: | cmd( 720):_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_IN: Aug 26 18:34:00.641939: | cmd( 800):FO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_: Aug 26 18:34:00.641941: | cmd( 880):CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED=: Aug 26 18:34:00.641944: | cmd( 960):'no' SPI_IN=0x8f957a8d SPI_OUT=0x8e88b43a ipsec _updown 2>&1: Aug 26 18:34:00.650679: | route_and_eroute: firewall_notified: true Aug 26 18:34:00.650692: | running updown command "ipsec _updown" for verb prepare Aug 26 18:34:00.650695: | command executing prepare-client Aug 26 18:34:00.650718: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' 
PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x8f957a8d SPI Aug 26 18:34:00.650720: | popen cmd is 1025 chars long Aug 26 18:34:00.650723: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_IN: Aug 26 18:34:00.650724: | cmd( 80):TERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@e: Aug 26 18:34:00.650726: | cmd( 160):ast' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLI: Aug 26 18:34:00.650728: | cmd( 240):ENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID=: Aug 26 18:34:00.650730: | cmd( 320):'16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_: Aug 26 18:34:00.650731: | cmd( 400):PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_M: Aug 26 18:34:00.650733: | cmd( 480):ASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='': Aug 26 18:34:00.650735: | cmd( 560): PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PF: Aug 26 18:34:00.650737: | cmd( 640):S+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' : Aug 26 18:34:00.650738: | cmd( 720):PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_D: Aug 26 18:34:00.650740: | cmd( 800):NS_INFO='' PLUTO_PEER_DOMAIN_INFO='' 
PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' P: Aug 26 18:34:00.650742: | cmd( 880):LUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SH: Aug 26 18:34:00.650743: | cmd( 960):ARED='no' SPI_IN=0x8f957a8d SPI_OUT=0x8e88b43a ipsec _updown 2>&1: Aug 26 18:34:00.657801: | running updown command "ipsec _updown" for verb route Aug 26 18:34:00.657818: | command executing route-client Aug 26 18:34:00.657842: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x8f957a8d SPI_OUT Aug 26 18:34:00.657848: | popen cmd is 1023 chars long Aug 26 18:34:00.657850: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_INTE: Aug 26 18:34:00.657852: | cmd( 80):RFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@eas: Aug 26 18:34:00.657854: | cmd( 160):t' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIEN: Aug 26 18:34:00.657856: | cmd( 240):T_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='1: Aug 26 18:34:00.657857: | 
cmd( 320):6388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PE: Aug 26 18:34:00.657859: | cmd( 400):ER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MAS: Aug 26 18:34:00.657861: | cmd( 480):K='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' P: Aug 26 18:34:00.657863: | cmd( 560):LUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+: Aug 26 18:34:00.657865: | cmd( 640):IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PL: Aug 26 18:34:00.657866: | cmd( 720):UTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS: Aug 26 18:34:00.657868: | cmd( 800):_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLU: Aug 26 18:34:00.657870: | cmd( 880):TO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHAR: Aug 26 18:34:00.657872: | cmd( 960):ED='no' SPI_IN=0x8f957a8d SPI_OUT=0x8e88b43a ipsec _updown 2>&1: Aug 26 18:34:00.672794: | route_and_eroute: instance "east", setting eroute_owner {spd=0x55e68576d9a8,sr=0x55e68576d9a8} to #2 (was #0) (newest_ipsec_sa=#0) Aug 26 18:34:00.672918: | #1 spent 1.84 milliseconds in install_ipsec_sa() Aug 26 18:34:00.672930: | ISAKMP_v2_IKE_AUTH: instance east[0], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Aug 26 18:34:00.672935: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 18:34:00.672940: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:34:00.672946: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:34:00.672950: | emitting length of IKEv2 Encryption Payload: 197 Aug 26 18:34:00.672953: | emitting length of ISAKMP Message: 225 Aug 26 18:34:00.672997: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Aug 26 18:34:00.673005: | #1 spent 3.92 milliseconds in processing: Responder: 
process IKE_AUTH request in ikev2_process_state_packet() Aug 26 18:34:00.673016: | suspend processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:34:00.673024: | start processing: state #2 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:34:00.673029: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Aug 26 18:34:00.673034: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Aug 26 18:34:00.673039: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Aug 26 18:34:00.673044: | Message ID: updating counters for #2 to 1 after switching state Aug 26 18:34:00.673051: | Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Aug 26 18:34:00.673058: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Aug 26 18:34:00.673066: | pstats #2 ikev2.child established Aug 26 18:34:00.673075: "east" #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Aug 26 18:34:00.673080: | NAT-T: encaps is 'auto' Aug 26 18:34:00.673085: "east" #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x8f957a8d <0x8e88b43a xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} Aug 26 18:34:00.673091: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Aug 26 18:34:00.673098: | sending 225 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
Aug 26 18:34:00.673177: | releasing whack for #2 (sock=fd@-1) Aug 26 18:34:00.673182: | releasing whack and unpending for parent #1 Aug 26 18:34:00.673185: | unpending state #1 connection "east" Aug 26 18:34:00.673190: | #2 will start re-keying in 28798 seconds with margin of 2 seconds (attempting re-key) Aug 26 18:34:00.673193: | event_schedule: new EVENT_SA_REKEY-pe@0x7f825c002b78 Aug 26 18:34:00.673197: | inserting event EVENT_SA_REKEY, timeout in 28798 seconds for #2 Aug 26 18:34:00.673201: | libevent_malloc: new ptr-libevent@0x55e685775688 size 128 Aug 26 18:34:00.673215: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 18:34:00.673222: | #1 spent 4.22 milliseconds in resume sending helper answer Aug 26 18:34:00.673227: | stop processing: state #2 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 18:34:00.673232: | libevent_free: release ptr-libevent@0x7f8254000f48 Aug 26 18:34:00.673248: | processing signal PLUTO_SIGCHLD Aug 26 18:34:00.673254: | waitpid returned ECHILD (no child processes left) Aug 26 18:34:00.673258: | spent 0.00526 milliseconds in signal 
handler PLUTO_SIGCHLD Aug 26 18:34:00.673261: | processing signal PLUTO_SIGCHLD Aug 26 18:34:00.673264: | waitpid returned ECHILD (no child processes left) Aug 26 18:34:00.673268: | spent 0.00361 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:34:00.673271: | processing signal PLUTO_SIGCHLD Aug 26 18:34:00.673274: | waitpid returned ECHILD (no child processes left) Aug 26 18:34:00.673278: | spent 0.00368 milliseconds in signal handler PLUTO_SIGCHLD