Aug 26 18:38:29.966793: FIPS Product: YES Aug 26 18:38:29.966916: FIPS Kernel: NO Aug 26 18:38:29.966920: FIPS Mode: NO Aug 26 18:38:29.966922: NSS DB directory: sql:/etc/ipsec.d Aug 26 18:38:29.967092: Initializing NSS Aug 26 18:38:29.967102: Opening NSS database "sql:/etc/ipsec.d" read-only Aug 26 18:38:30.000553: NSS initialized Aug 26 18:38:30.000568: NSS crypto library initialized Aug 26 18:38:30.000571: FIPS HMAC integrity support [enabled] Aug 26 18:38:30.000572: FIPS mode disabled for pluto daemon Aug 26 18:38:30.034792: FIPS HMAC integrity verification self-test FAILED Aug 26 18:38:30.034890: libcap-ng support [enabled] Aug 26 18:38:30.034903: Linux audit support [enabled] Aug 26 18:38:30.035443: Linux audit activated Aug 26 18:38:30.035460: Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:32524 Aug 26 18:38:30.035465: core dump dir: /tmp Aug 26 18:38:30.035468: secrets file: /etc/ipsec.secrets Aug 26 18:38:30.035470: leak-detective enabled Aug 26 18:38:30.035472: NSS crypto [enabled] Aug 26 18:38:30.035474: XAUTH PAM support [enabled] Aug 26 18:38:30.035547: | libevent is using pluto's memory allocator Aug 26 18:38:30.035560: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Aug 26 18:38:30.035577: | libevent_malloc: new ptr-libevent@0x561d6878bec8 size 40 Aug 26 18:38:30.035583: | libevent_malloc: new ptr-libevent@0x561d68759cd8 size 40 Aug 26 18:38:30.035588: | libevent_malloc: new ptr-libevent@0x561d68759dd8 size 40 Aug 26 18:38:30.035591: | creating event base Aug 26 18:38:30.035596: | libevent_malloc: new ptr-libevent@0x561d687dc428 size 56 Aug 26 18:38:30.035603: | libevent_malloc: new ptr-libevent@0x561d68788f18 size 664 Aug 26 18:38:30.035619: | libevent_malloc: new ptr-libevent@0x561d687dc498 size 
24 Aug 26 18:38:30.035623: | libevent_malloc: new ptr-libevent@0x561d687dc4e8 size 384 Aug 26 18:38:30.035635: | libevent_malloc: new ptr-libevent@0x561d687dc3e8 size 16 Aug 26 18:38:30.035639: | libevent_malloc: new ptr-libevent@0x561d68759908 size 40 Aug 26 18:38:30.035642: | libevent_malloc: new ptr-libevent@0x561d68759d38 size 48 Aug 26 18:38:30.035648: | libevent_realloc: new ptr-libevent@0x561d68788ba8 size 256 Aug 26 18:38:30.035655: | libevent_malloc: new ptr-libevent@0x561d687dc698 size 16 Aug 26 18:38:30.035662: | libevent_free: release ptr-libevent@0x561d687dc428 Aug 26 18:38:30.035666: | libevent initialized Aug 26 18:38:30.035671: | libevent_realloc: new ptr-libevent@0x561d687dc428 size 64 Aug 26 18:38:30.035675: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Aug 26 18:38:30.035696: | init_nat_traversal() initialized with keep_alive=0s Aug 26 18:38:30.035700: NAT-Traversal support [enabled] Aug 26 18:38:30.035703: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Aug 26 18:38:30.035710: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Aug 26 18:38:30.035715: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Aug 26 18:38:30.035753: | global one-shot timer EVENT_REVIVE_CONNS initialized Aug 26 18:38:30.035758: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Aug 26 18:38:30.035762: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Aug 26 18:38:30.035827: Encryption algorithms: Aug 26 18:38:30.035838: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c Aug 26 18:38:30.035844: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b Aug 26 18:38:30.035849: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a Aug 26 18:38:30.035853: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des Aug 26 18:38:30.035858: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} Aug 26 
18:38:30.035870: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia Aug 26 18:38:30.035876: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c Aug 26 18:38:30.035881: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b Aug 26 18:38:30.035886: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a Aug 26 18:38:30.035890: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr Aug 26 18:38:30.035894: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes Aug 26 18:38:30.035900: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent Aug 26 18:38:30.035905: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish Aug 26 18:38:30.035910: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh Aug 26 18:38:30.035915: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Aug 26 18:38:30.035919: NULL IKEv1: ESP IKEv2: ESP [] Aug 26 18:38:30.035924: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Aug 26 18:38:30.035933: Hash algorithms: Aug 26 18:38:30.035937: MD5 IKEv1: IKE IKEv2: Aug 26 18:38:30.035941: SHA1 IKEv1: IKE IKEv2: FIPS sha Aug 26 18:38:30.035946: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 Aug 26 18:38:30.035950: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 Aug 26 18:38:30.035954: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 Aug 26 18:38:30.035974: PRF algorithms: Aug 26 18:38:30.035979: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 Aug 26 18:38:30.035984: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 Aug 26 18:38:30.035989: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 Aug 26 18:38:30.035993: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 Aug 26 18:38:30.035997: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Aug 26 18:38:30.036002: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Aug 26 18:38:30.036045: Integrity algorithms: Aug 26 18:38:30.036051: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, 
hmac_md5 Aug 26 18:38:30.036056: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 Aug 26 18:38:30.036062: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Aug 26 18:38:30.036067: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Aug 26 18:38:30.036073: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Aug 26 18:38:30.036077: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Aug 26 18:38:30.036082: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 Aug 26 18:38:30.036087: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Aug 26 18:38:30.036091: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Aug 26 18:38:30.036108: DH algorithms: Aug 26 18:38:30.036113: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 Aug 26 18:38:30.036117: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 Aug 26 18:38:30.036121: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 Aug 26 18:38:30.036128: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 Aug 26 18:38:30.036132: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 Aug 26 18:38:30.036136: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 Aug 26 18:38:30.036139: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 Aug 26 18:38:30.036143: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 Aug 26 18:38:30.036147: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 Aug 26 18:38:30.036151: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 Aug 26 18:38:30.036154: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 Aug 26 18:38:30.036158: testing CAMELLIA_CBC: Aug 26 18:38:30.036161: Camellia: 16 bytes with 128-bit key Aug 26 18:38:30.036410: Camellia: 16 bytes with 128-bit key Aug 26 18:38:30.036456: Camellia: 16 bytes with 256-bit key Aug 26 18:38:30.036493: Camellia: 16 bytes with 256-bit key 
Aug 26 18:38:30.036535: testing AES_GCM_16: Aug 26 18:38:30.036542: empty string Aug 26 18:38:30.036577: one block Aug 26 18:38:30.036611: two blocks Aug 26 18:38:30.036643: two blocks with associated data Aug 26 18:38:30.036675: testing AES_CTR: Aug 26 18:38:30.036680: Encrypting 16 octets using AES-CTR with 128-bit key Aug 26 18:38:30.036712: Encrypting 32 octets using AES-CTR with 128-bit key Aug 26 18:38:30.036748: Encrypting 36 octets using AES-CTR with 128-bit key Aug 26 18:38:30.036786: Encrypting 16 octets using AES-CTR with 192-bit key Aug 26 18:38:30.036819: Encrypting 32 octets using AES-CTR with 192-bit key Aug 26 18:38:30.036851: Encrypting 36 octets using AES-CTR with 192-bit key Aug 26 18:38:30.036883: Encrypting 16 octets using AES-CTR with 256-bit key Aug 26 18:38:30.036916: Encrypting 32 octets using AES-CTR with 256-bit key Aug 26 18:38:30.036952: Encrypting 36 octets using AES-CTR with 256-bit key Aug 26 18:38:30.036986: testing AES_CBC: Aug 26 18:38:30.036990: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Aug 26 18:38:30.037026: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Aug 26 18:38:30.037062: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Aug 26 18:38:30.037098: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Aug 26 18:38:30.037143: testing AES_XCBC: Aug 26 18:38:30.037148: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Aug 26 18:38:30.037272: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Aug 26 18:38:30.037393: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Aug 26 18:38:30.037538: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Aug 26 18:38:30.037686: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Aug 26 18:38:30.037812: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Aug 26 18:38:30.037955: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Aug 26 18:38:30.038245: RFC 4434 Test Case AES-XCBC-PRF-128 with 
20-byte input (key length 16) Aug 26 18:38:30.038397: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Aug 26 18:38:30.038554: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Aug 26 18:38:30.038787: testing HMAC_MD5: Aug 26 18:38:30.038794: RFC 2104: MD5_HMAC test 1 Aug 26 18:38:30.038983: RFC 2104: MD5_HMAC test 2 Aug 26 18:38:30.039132: RFC 2104: MD5_HMAC test 3 Aug 26 18:38:30.039349: 8 CPU cores online Aug 26 18:38:30.039359: starting up 7 crypto helpers Aug 26 18:38:30.039393: started thread for crypto helper 0 Aug 26 18:38:30.039399: | starting up helper thread 0 Aug 26 18:38:30.039413: | status value returned by setting the priority of this thread (crypto helper 0) 22 Aug 26 18:38:30.039415: started thread for crypto helper 1 Aug 26 18:38:30.039418: | crypto helper 0 waiting (nothing to do) Aug 26 18:38:30.039441: started thread for crypto helper 2 Aug 26 18:38:30.039444: | starting up helper thread 2 Aug 26 18:38:30.039457: | status value returned by setting the priority of this thread (crypto helper 2) 22 Aug 26 18:38:30.039460: | crypto helper 2 waiting (nothing to do) Aug 26 18:38:30.039470: started thread for crypto helper 3 Aug 26 18:38:30.039473: | starting up helper thread 3 Aug 26 18:38:30.039483: | status value returned by setting the priority of this thread (crypto helper 3) 22 Aug 26 18:38:30.039486: | crypto helper 3 waiting (nothing to do) Aug 26 18:38:30.039496: started thread for crypto helper 4 Aug 26 18:38:30.039498: | starting up helper thread 4 Aug 26 18:38:30.039505: | status value returned by setting the priority of this thread (crypto helper 4) 22 Aug 26 18:38:30.039508: | crypto helper 4 waiting (nothing to do) Aug 26 18:38:30.039515: started thread for crypto helper 5 Aug 26 18:38:30.039518: | starting up helper thread 5 Aug 26 18:38:30.039526: | status value returned by setting the priority of this thread (crypto helper 5) 22 Aug 26 18:38:30.039529: | crypto helper 5 waiting (nothing to 
do) Aug 26 18:38:30.039545: started thread for crypto helper 6 Aug 26 18:38:30.039547: | starting up helper thread 6 Aug 26 18:38:30.039550: | checking IKEv1 state table Aug 26 18:38:30.039556: | status value returned by setting the priority of this thread (crypto helper 6) 22 Aug 26 18:38:30.039566: | crypto helper 6 waiting (nothing to do) Aug 26 18:38:30.039568: | MAIN_R0: category: half-open IKE SA flags: 0: Aug 26 18:38:30.039572: | -> MAIN_R1 EVENT_SO_DISCARD Aug 26 18:38:30.039575: | MAIN_I1: category: half-open IKE SA flags: 0: Aug 26 18:38:30.039578: | -> MAIN_I2 EVENT_RETRANSMIT Aug 26 18:38:30.039581: | MAIN_R1: category: open IKE SA flags: 200: Aug 26 18:38:30.039584: | -> MAIN_R2 EVENT_RETRANSMIT Aug 26 18:38:30.039586: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 18:38:30.039589: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 18:38:30.039592: | MAIN_I2: category: open IKE SA flags: 0: Aug 26 18:38:30.039594: | -> MAIN_I3 EVENT_RETRANSMIT Aug 26 18:38:30.039597: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 18:38:30.039599: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 18:38:30.039602: | MAIN_R2: category: open IKE SA flags: 0: Aug 26 18:38:30.039605: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 18:38:30.039607: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 18:38:30.039610: | -> UNDEFINED EVENT_SA_REPLACE Aug 26 18:38:30.039613: | MAIN_I3: category: open IKE SA flags: 0: Aug 26 18:38:30.039615: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 18:38:30.039618: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 18:38:30.039621: | -> UNDEFINED EVENT_SA_REPLACE Aug 26 18:38:30.039624: | MAIN_R3: category: established IKE SA flags: 200: Aug 26 18:38:30.039626: | -> UNDEFINED EVENT_NULL Aug 26 18:38:30.039629: | MAIN_I4: category: established IKE SA flags: 0: Aug 26 18:38:30.039632: | -> UNDEFINED EVENT_NULL Aug 26 18:38:30.039635: | AGGR_R0: category: half-open IKE SA flags: 0: Aug 26 18:38:30.039637: | -> AGGR_R1 EVENT_SO_DISCARD Aug 26 18:38:30.039640: | AGGR_I1: category: half-open IKE SA flags: 0: Aug 26 18:38:30.039643: | 
-> AGGR_I2 EVENT_SA_REPLACE Aug 26 18:38:30.039645: | -> AGGR_I2 EVENT_SA_REPLACE Aug 26 18:38:30.039648: | AGGR_R1: category: open IKE SA flags: 200: Aug 26 18:38:30.039650: | -> AGGR_R2 EVENT_SA_REPLACE Aug 26 18:38:30.039653: | -> AGGR_R2 EVENT_SA_REPLACE Aug 26 18:38:30.039656: | AGGR_I2: category: established IKE SA flags: 200: Aug 26 18:38:30.039659: | -> UNDEFINED EVENT_NULL Aug 26 18:38:30.039662: | AGGR_R2: category: established IKE SA flags: 0: Aug 26 18:38:30.039664: | -> UNDEFINED EVENT_NULL Aug 26 18:38:30.039667: | QUICK_R0: category: established CHILD SA flags: 0: Aug 26 18:38:30.039670: | -> QUICK_R1 EVENT_RETRANSMIT Aug 26 18:38:30.039673: | QUICK_I1: category: established CHILD SA flags: 0: Aug 26 18:38:30.039675: | -> QUICK_I2 EVENT_SA_REPLACE Aug 26 18:38:30.039678: | QUICK_R1: category: established CHILD SA flags: 0: Aug 26 18:38:30.039684: | -> QUICK_R2 EVENT_SA_REPLACE Aug 26 18:38:30.039687: | QUICK_I2: category: established CHILD SA flags: 200: Aug 26 18:38:30.039690: | -> UNDEFINED EVENT_NULL Aug 26 18:38:30.039693: | QUICK_R2: category: established CHILD SA flags: 0: Aug 26 18:38:30.039695: | -> UNDEFINED EVENT_NULL Aug 26 18:38:30.039698: | INFO: category: informational flags: 0: Aug 26 18:38:30.039700: | -> UNDEFINED EVENT_NULL Aug 26 18:38:30.039702: | INFO_PROTECTED: category: informational flags: 0: Aug 26 18:38:30.039704: | -> UNDEFINED EVENT_NULL Aug 26 18:38:30.039706: | XAUTH_R0: category: established IKE SA flags: 0: Aug 26 18:38:30.039708: | -> XAUTH_R1 EVENT_NULL Aug 26 18:38:30.039711: | XAUTH_R1: category: established IKE SA flags: 0: Aug 26 18:38:30.039713: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 18:38:30.039715: | MODE_CFG_R0: category: informational flags: 0: Aug 26 18:38:30.039717: | -> MODE_CFG_R1 EVENT_SA_REPLACE Aug 26 18:38:30.039719: | MODE_CFG_R1: category: established IKE SA flags: 0: Aug 26 18:38:30.039722: | -> MODE_CFG_R2 EVENT_SA_REPLACE Aug 26 18:38:30.039724: | MODE_CFG_R2: category: established IKE SA flags: 
0: Aug 26 18:38:30.039726: | -> UNDEFINED EVENT_NULL Aug 26 18:38:30.039728: | MODE_CFG_I1: category: established IKE SA flags: 0: Aug 26 18:38:30.039730: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 18:38:30.039733: | XAUTH_I0: category: established IKE SA flags: 0: Aug 26 18:38:30.039735: | -> XAUTH_I1 EVENT_RETRANSMIT Aug 26 18:38:30.039738: | XAUTH_I1: category: established IKE SA flags: 0: Aug 26 18:38:30.039740: | -> MAIN_I4 EVENT_RETRANSMIT Aug 26 18:38:30.039746: | checking IKEv2 state table Aug 26 18:38:30.039752: | PARENT_I0: category: ignore flags: 0: Aug 26 18:38:30.039755: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Aug 26 18:38:30.039758: | PARENT_I1: category: half-open IKE SA flags: 0: Aug 26 18:38:30.039761: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Aug 26 18:38:30.039764: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Aug 26 18:38:30.039767: | PARENT_I2: category: open IKE SA flags: 0: Aug 26 18:38:30.039770: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Aug 26 18:38:30.039773: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Aug 26 18:38:30.039776: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Aug 26 18:38:30.039779: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Aug 26 18:38:30.039782: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Aug 26 18:38:30.039785: | PARENT_I3: category: established IKE SA flags: 0: Aug 26 18:38:30.039787: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) Aug 26 18:38:30.039790: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) Aug 26 18:38:30.039793: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Aug 26 18:38:30.039796: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) Aug 26 
18:38:30.039799: | PARENT_R0: category: half-open IKE SA flags: 0: Aug 26 18:38:30.039801: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) Aug 26 18:38:30.039804: | PARENT_R1: category: half-open IKE SA flags: 0: Aug 26 18:38:30.039807: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) Aug 26 18:38:30.039809: | starting up helper thread 1 Aug 26 18:38:30.039810: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Aug 26 18:38:30.039821: | status value returned by setting the priority of this thread (crypto helper 1) 22 Aug 26 18:38:30.039824: | PARENT_R2: category: established IKE SA flags: 0: Aug 26 18:38:30.039843: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Aug 26 18:38:30.039825: | crypto helper 1 waiting (nothing to do) Aug 26 18:38:30.039850: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) Aug 26 18:38:30.039860: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Aug 26 18:38:30.039862: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) Aug 26 18:38:30.039865: | V2_CREATE_I0: category: established IKE SA flags: 0: Aug 26 18:38:30.039868: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Aug 26 18:38:30.039871: | V2_CREATE_I: category: established IKE SA flags: 0: Aug 26 18:38:30.039873: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Aug 26 18:38:30.039876: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: Aug 26 18:38:30.039879: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Aug 26 18:38:30.039881: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Aug 26 18:38:30.039884: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Aug 26 18:38:30.039887: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Aug 26 18:38:30.039889: | -> V2_REKEY_CHILD_I 
EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Aug 26 18:38:30.039892: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Aug 26 18:38:30.039895: | V2_CREATE_R: category: established IKE SA flags: 0: Aug 26 18:38:30.039897: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Aug 26 18:38:30.039900: | V2_REKEY_IKE_R: category: established IKE SA flags: 0: Aug 26 18:38:30.039903: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Aug 26 18:38:30.039905: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Aug 26 18:38:30.039908: | V2_IPSEC_I: category: established CHILD SA flags: 0: Aug 26 18:38:30.039911: | V2_IPSEC_R: category: established CHILD SA flags: 0: Aug 26 18:38:30.039914: | IKESA_DEL: category: established IKE SA flags: 0: Aug 26 18:38:30.039916: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Aug 26 18:38:30.039919: | CHILDSA_DEL: category: informational flags: 0: Aug 26 18:38:30.039935: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 Aug 26 18:38:30.040854: | Hard-wiring algorithms Aug 26 18:38:30.040868: | adding AES_CCM_16 to kernel algorithm db Aug 26 18:38:30.040875: | adding AES_CCM_12 to kernel algorithm db Aug 26 18:38:30.040878: | adding AES_CCM_8 to kernel algorithm db Aug 26 18:38:30.040881: | adding 3DES_CBC to kernel algorithm db Aug 26 18:38:30.040884: | adding CAMELLIA_CBC to kernel algorithm db Aug 26 18:38:30.040887: | adding AES_GCM_16 to kernel algorithm db Aug 26 18:38:30.040890: | adding AES_GCM_12 to kernel algorithm db Aug 26 18:38:30.040893: | adding AES_GCM_8 to kernel algorithm db Aug 26 18:38:30.040896: | adding AES_CTR to kernel algorithm db Aug 26 18:38:30.040899: | adding AES_CBC to kernel algorithm db Aug 26 18:38:30.040901: | adding SERPENT_CBC to kernel algorithm db Aug 26 18:38:30.042168: | adding TWOFISH_CBC to kernel algorithm db Aug 26 18:38:30.042185: | adding 
NULL_AUTH_AES_GMAC to kernel algorithm db Aug 26 18:38:30.042189: | adding NULL to kernel algorithm db Aug 26 18:38:30.042193: | adding CHACHA20_POLY1305 to kernel algorithm db Aug 26 18:38:30.042196: | adding HMAC_MD5_96 to kernel algorithm db Aug 26 18:38:30.042199: | adding HMAC_SHA1_96 to kernel algorithm db Aug 26 18:38:30.042202: | adding HMAC_SHA2_512_256 to kernel algorithm db Aug 26 18:38:30.042205: | adding HMAC_SHA2_384_192 to kernel algorithm db Aug 26 18:38:30.042208: | adding HMAC_SHA2_256_128 to kernel algorithm db Aug 26 18:38:30.042211: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Aug 26 18:38:30.042214: | adding AES_XCBC_96 to kernel algorithm db Aug 26 18:38:30.042217: | adding AES_CMAC_96 to kernel algorithm db Aug 26 18:38:30.042220: | adding NONE to kernel algorithm db Aug 26 18:38:30.042258: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Aug 26 18:38:30.042268: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Aug 26 18:38:30.042272: | setup kernel fd callback Aug 26 18:38:30.042276: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x561d687e1ca8 Aug 26 18:38:30.042283: | libevent_malloc: new ptr-libevent@0x561d687c54b8 size 128 Aug 26 18:38:30.042293: | libevent_malloc: new ptr-libevent@0x561d687e1208 size 16 Aug 26 18:38:30.042305: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x561d687e10f8 Aug 26 18:38:30.042309: | libevent_malloc: new ptr-libevent@0x561d6878be18 size 128 Aug 26 18:38:30.042313: | libevent_malloc: new ptr-libevent@0x561d687e1bf8 size 16 Aug 26 18:38:30.042636: | global one-shot timer EVENT_CHECK_CRLS initialized Aug 26 18:38:30.042946: selinux support is enabled. 
Aug 26 18:38:30.043795: | unbound context created - setting debug level to 5 Aug 26 18:38:30.043936: | /etc/hosts lookups activated Aug 26 18:38:30.043955: | /etc/resolv.conf usage activated Aug 26 18:38:30.044211: | outgoing-port-avoid set 0-65535 Aug 26 18:38:30.044242: | outgoing-port-permit set 32768-60999 Aug 26 18:38:30.044246: | Loading dnssec root key from:/var/lib/unbound/root.key Aug 26 18:38:30.044249: | No additional dnssec trust anchors defined via dnssec-trusted= option Aug 26 18:38:30.044252: | Setting up events, loop start Aug 26 18:38:30.044256: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x561d687e1c38 Aug 26 18:38:30.044260: | libevent_malloc: new ptr-libevent@0x561d687ede78 size 128 Aug 26 18:38:30.044265: | libevent_malloc: new ptr-libevent@0x561d687f9108 size 16 Aug 26 18:38:30.044273: | libevent_realloc: new ptr-libevent@0x561d687f9148 size 256 Aug 26 18:38:30.044276: | libevent_malloc: new ptr-libevent@0x561d687f9278 size 8 Aug 26 18:38:30.044279: | libevent_realloc: new ptr-libevent@0x561d6878b848 size 144 Aug 26 18:38:30.044282: | libevent_malloc: new ptr-libevent@0x561d6878d088 size 152 Aug 26 18:38:30.044285: | libevent_malloc: new ptr-libevent@0x561d687f92b8 size 16 Aug 26 18:38:30.044319: | signal event handler PLUTO_SIGCHLD installed Aug 26 18:38:30.044327: | libevent_malloc: new ptr-libevent@0x561d687f92f8 size 8 Aug 26 18:38:30.044330: | libevent_malloc: new ptr-libevent@0x561d687f9338 size 152 Aug 26 18:38:30.044333: | signal event handler PLUTO_SIGTERM installed Aug 26 18:38:30.044336: | libevent_malloc: new ptr-libevent@0x561d687f9408 size 8 Aug 26 18:38:30.044339: | libevent_malloc: new ptr-libevent@0x561d687f9448 size 152 Aug 26 18:38:30.044342: | signal event handler PLUTO_SIGHUP installed Aug 26 18:38:30.044345: | libevent_malloc: new ptr-libevent@0x561d687f9518 size 8 Aug 26 18:38:30.044347: | libevent_realloc: release ptr-libevent@0x561d6878b848 Aug 26 18:38:30.044350: | libevent_realloc: new 
ptr-libevent@0x561d687f9558 size 256 Aug 26 18:38:30.044353: | libevent_malloc: new ptr-libevent@0x561d687f9688 size 152 Aug 26 18:38:30.044356: | signal event handler PLUTO_SIGSYS installed Aug 26 18:38:30.044732: | created addconn helper (pid:32702) using fork+execve Aug 26 18:38:30.044748: | forked child 32702 Aug 26 18:38:30.044802: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:38:30.045220: listening for IKE messages Aug 26 18:38:30.045788: | Inspecting interface lo Aug 26 18:38:30.045806: | found lo with address 127.0.0.1 Aug 26 18:38:30.045813: | Inspecting interface eth0 Aug 26 18:38:30.045818: | found eth0 with address 192.0.2.254 Aug 26 18:38:30.045822: | Inspecting interface eth1 Aug 26 18:38:30.045827: | found eth1 with address 192.1.2.23 Aug 26 18:38:30.045979: Kernel supports NIC esp-hw-offload Aug 26 18:38:30.046007: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Aug 26 18:38:30.046070: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 18:38:30.046077: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 18:38:30.046081: adding interface eth1/eth1 192.1.2.23:4500 Aug 26 18:38:30.046123: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Aug 26 18:38:30.046152: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 18:38:30.046158: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 18:38:30.046162: adding interface eth0/eth0 192.0.2.254:4500 Aug 26 18:38:30.046429: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Aug 26 18:38:30.046462: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 18:38:30.046467: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 18:38:30.046472: adding interface lo/lo 127.0.0.1:4500 Aug 26 18:38:30.046574: | no interfaces to sort Aug 26 
18:38:30.046581: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations Aug 26 18:38:30.046591: | add_fd_read_event_handler: new ethX-pe@0x561d687f9be8 Aug 26 18:38:30.046597: | libevent_malloc: new ptr-libevent@0x561d687eddc8 size 128 Aug 26 18:38:30.046602: | libevent_malloc: new ptr-libevent@0x561d687f9c58 size 16 Aug 26 18:38:30.046611: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 18:38:30.046616: | add_fd_read_event_handler: new ethX-pe@0x561d687f9c98 Aug 26 18:38:30.046621: | libevent_malloc: new ptr-libevent@0x561d6878a468 size 128 Aug 26 18:38:30.046625: | libevent_malloc: new ptr-libevent@0x561d687f9d08 size 16 Aug 26 18:38:30.046634: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 18:38:30.046639: | add_fd_read_event_handler: new ethX-pe@0x561d687f9d48 Aug 26 18:38:30.046643: | libevent_malloc: new ptr-libevent@0x561d6878a368 size 128 Aug 26 18:38:30.046647: | libevent_malloc: new ptr-libevent@0x561d687f9db8 size 16 Aug 26 18:38:30.046652: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Aug 26 18:38:30.046656: | add_fd_read_event_handler: new ethX-pe@0x561d687f9df8 Aug 26 18:38:30.046660: | libevent_malloc: new ptr-libevent@0x561d6878b748 size 128 Aug 26 18:38:30.046663: | libevent_malloc: new ptr-libevent@0x561d687f9e68 size 16 Aug 26 18:38:30.046668: | setup callback for interface eth0 192.0.2.254:500 fd 19 Aug 26 18:38:30.046671: | add_fd_read_event_handler: new ethX-pe@0x561d687f9ea8 Aug 26 18:38:30.046675: | libevent_malloc: new ptr-libevent@0x561d6875fba8 size 128 Aug 26 18:38:30.046678: | libevent_malloc: new ptr-libevent@0x561d687f9f18 size 16 Aug 26 18:38:30.046684: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 18:38:30.046687: | add_fd_read_event_handler: new ethX-pe@0x561d687f9f58 Aug 26 18:38:30.046691: | libevent_malloc: new ptr-libevent@0x561d6875a1d8 size 128 Aug 26 18:38:30.046694: | libevent_malloc: new ptr-libevent@0x561d687f9fc8 size 16 Aug 26 18:38:30.046698: | setup 
callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 18:38:30.046703: | certs and keys locked by 'free_preshared_secrets' Aug 26 18:38:30.046706: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 18:38:30.046730: loading secrets from "/etc/ipsec.secrets" Aug 26 18:38:30.046743: | Processing PSK at line 1: passed Aug 26 18:38:30.046747: | certs and keys locked by 'process_secret' Aug 26 18:38:30.046751: | certs and keys unlocked by 'process_secret' Aug 26 18:38:30.046761: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:38:30.046769: | spent 1.59 milliseconds in whack Aug 26 18:38:30.064847: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:38:30.064870: listening for IKE messages Aug 26 18:38:30.064905: | Inspecting interface lo Aug 26 18:38:30.064913: | found lo with address 127.0.0.1 Aug 26 18:38:30.064917: | Inspecting interface eth0 Aug 26 18:38:30.064921: | found eth0 with address 192.0.2.254 Aug 26 18:38:30.064923: | Inspecting interface eth1 Aug 26 18:38:30.064925: | found eth1 with address 192.1.2.23 Aug 26 18:38:30.064986: | no interfaces to sort Aug 26 18:38:30.064995: | libevent_free: release ptr-libevent@0x561d687eddc8 Aug 26 18:38:30.064997: | free_event_entry: release EVENT_NULL-pe@0x561d687f9be8 Aug 26 18:38:30.065004: | add_fd_read_event_handler: new ethX-pe@0x561d687f9be8 Aug 26 18:38:30.065006: | libevent_malloc: new ptr-libevent@0x561d687eddc8 size 128 Aug 26 18:38:30.065012: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 18:38:30.065015: | libevent_free: release ptr-libevent@0x561d6878a468 Aug 26 18:38:30.065017: | free_event_entry: release EVENT_NULL-pe@0x561d687f9c98 Aug 26 18:38:30.065019: | add_fd_read_event_handler: new ethX-pe@0x561d687f9c98 Aug 26 18:38:30.065021: | libevent_malloc: new ptr-libevent@0x561d6878a468 size 128 Aug 26 18:38:30.065024: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 
18:38:30.065027: | libevent_free: release ptr-libevent@0x561d6878a368 Aug 26 18:38:30.065028: | free_event_entry: release EVENT_NULL-pe@0x561d687f9d48 Aug 26 18:38:30.065030: | add_fd_read_event_handler: new ethX-pe@0x561d687f9d48 Aug 26 18:38:30.065032: | libevent_malloc: new ptr-libevent@0x561d6878a368 size 128 Aug 26 18:38:30.065035: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Aug 26 18:38:30.065038: | libevent_free: release ptr-libevent@0x561d6878b748 Aug 26 18:38:30.065040: | free_event_entry: release EVENT_NULL-pe@0x561d687f9df8 Aug 26 18:38:30.065041: | add_fd_read_event_handler: new ethX-pe@0x561d687f9df8 Aug 26 18:38:30.065043: | libevent_malloc: new ptr-libevent@0x561d6878b748 size 128 Aug 26 18:38:30.065046: | setup callback for interface eth0 192.0.2.254:500 fd 19 Aug 26 18:38:30.065049: | libevent_free: release ptr-libevent@0x561d6875fba8 Aug 26 18:38:30.065051: | free_event_entry: release EVENT_NULL-pe@0x561d687f9ea8 Aug 26 18:38:30.065052: | add_fd_read_event_handler: new ethX-pe@0x561d687f9ea8 Aug 26 18:38:30.065054: | libevent_malloc: new ptr-libevent@0x561d6875fba8 size 128 Aug 26 18:38:30.065057: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 18:38:30.065060: | libevent_free: release ptr-libevent@0x561d6875a1d8 Aug 26 18:38:30.065061: | free_event_entry: release EVENT_NULL-pe@0x561d687f9f58 Aug 26 18:38:30.065063: | add_fd_read_event_handler: new ethX-pe@0x561d687f9f58 Aug 26 18:38:30.065065: | libevent_malloc: new ptr-libevent@0x561d6875a1d8 size 128 Aug 26 18:38:30.065068: | setup callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 18:38:30.065070: | certs and keys locked by 'free_preshared_secrets' Aug 26 18:38:30.065072: forgetting secrets Aug 26 18:38:30.065076: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 18:38:30.065086: loading secrets from "/etc/ipsec.secrets" Aug 26 18:38:30.065092: | Processing PSK at line 1: passed Aug 26 18:38:30.065094: | certs and keys locked by 'process_secret' 
Aug 26 18:38:30.065095: | certs and keys unlocked by 'process_secret' Aug 26 18:38:30.065102: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:38:30.065107: | spent 0.268 milliseconds in whack Aug 26 18:38:30.065578: | processing signal PLUTO_SIGCHLD Aug 26 18:38:30.065595: | waitpid returned pid 32702 (exited with status 0) Aug 26 18:38:30.065601: | reaped addconn helper child (status 0) Aug 26 18:38:30.065606: | waitpid returned ECHILD (no child processes left) Aug 26 18:38:30.065612: | spent 0.0196 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:38:30.138240: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:38:30.138268: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 18:38:30.138274: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 18:38:30.138276: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 18:38:30.138279: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 18:38:30.138284: | FOR_EACH_CONNECTION_... 
in conn_by_name Aug 26 18:38:30.138383: | Added new connection eastnet-northnet with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO Aug 26 18:38:30.138446: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Aug 26 18:38:30.138458: | from whack: got --esp=aes256-sha2 Aug 26 18:38:30.138475: | ESP/AH string values: AES_CBC_256-HMAC_SHA2_256_128 Aug 26 18:38:30.138479: | counting wild cards for (none) is 15 Aug 26 18:38:30.138485: | counting wild cards for 192.1.2.23 is 0 Aug 26 18:38:30.138491: | based upon policy, the connection is a template. Aug 26 18:38:30.138498: | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none Aug 26 18:38:30.138501: | new hp@0x561d687fbe18 Aug 26 18:38:30.138506: added connection description "eastnet-northnet" Aug 26 18:38:30.138515: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO Aug 26 18:38:30.138524: | 192.0.2.0/24===192.1.2.23<192.1.2.23>...%any===192.0.3.0/24 Aug 26 18:38:30.138531: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:38:30.138538: | spent 0.265 milliseconds in whack Aug 26 18:38:32.368141: | spent 0.00338 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 18:38:32.368178: | *received 828 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500) 
Aug 26 18:38:32.368358: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Aug 26 18:38:32.368364: | **parse ISAKMP Message: Aug 26 18:38:32.368367: | initiator cookie: Aug 26 18:38:32.368369: | ad 6d 60 74 a3 e2 ed 1a Aug 26 18:38:32.368372: | responder cookie: Aug 26 18:38:32.368374: | 00 00 00 00 00 00 00 00 
Aug 26 18:38:32.368377: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 18:38:32.368380: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:38:32.368383: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 18:38:32.368386: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 18:38:32.368389: | Message ID: 0 (0x0) Aug 26 18:38:32.368392: | length: 828 (0x33c) Aug 26 18:38:32.368395: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Aug 26 18:38:32.368399: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Aug 26 18:38:32.368403: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Aug 26 18:38:32.368407: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 18:38:32.368410: | ***parse IKEv2 Security Association Payload: Aug 26 18:38:32.368414: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 18:38:32.368416: | flags: none (0x0) Aug 26 18:38:32.368419: | length: 436 (0x1b4) Aug 26 18:38:32.368422: | processing payload: ISAKMP_NEXT_v2SA (len=432) Aug 26 18:38:32.368426: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 18:38:32.368429: | ***parse IKEv2 Key Exchange Payload: Aug 26 18:38:32.368432: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 18:38:32.368434: | flags: none (0x0) Aug 26 18:38:32.368437: | length: 264 (0x108) Aug 26 18:38:32.368440: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:38:32.368443: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 18:38:32.368446: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 18:38:32.368449: | ***parse IKEv2 Nonce Payload: Aug 26 18:38:32.368452: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:32.368455: | flags: none (0x0) Aug 26 18:38:32.368457: | length: 36 (0x24) Aug 26 18:38:32.368460: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 18:38:32.368462: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:38:32.368466: | ***parse IKEv2 Notify Payload: Aug 26 
18:38:32.368468: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:32.368471: | flags: none (0x0) Aug 26 18:38:32.368474: | length: 8 (0x8) Aug 26 18:38:32.368477: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:32.368479: | SPI size: 0 (0x0) Aug 26 18:38:32.368485: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 18:38:32.368489: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 18:38:32.368491: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:38:32.368494: | ***parse IKEv2 Notify Payload: Aug 26 18:38:32.368496: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:32.368499: | flags: none (0x0) Aug 26 18:38:32.368501: | length: 28 (0x1c) Aug 26 18:38:32.368504: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:32.368507: | SPI size: 0 (0x0) Aug 26 18:38:32.368509: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 18:38:32.368512: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 18:38:32.368514: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:38:32.368517: | ***parse IKEv2 Notify Payload: Aug 26 18:38:32.368520: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:32.368522: | flags: none (0x0) Aug 26 18:38:32.368525: | length: 28 (0x1c) Aug 26 18:38:32.368527: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:32.368530: | SPI size: 0 (0x0) Aug 26 18:38:32.368533: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 18:38:32.368536: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 18:38:32.368539: | DDOS disabled and no cookie sent, continuing Aug 26 18:38:32.368545: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 18:38:32.368549: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 18:38:32.368551: | find_next_host_connection returns empty Aug 26 18:38:32.368556: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 
18:38:32.368561: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 18:38:32.368565: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 18:38:32.368569: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Aug 26 18:38:32.368571: | find_next_host_connection returns empty Aug 26 18:38:32.368575: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Aug 26 18:38:32.368581: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 18:38:32.368584: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 18:38:32.368587: | find_next_host_connection returns empty Aug 26 18:38:32.368591: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 18:38:32.368596: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 18:38:32.368599: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 18:38:32.368602: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Aug 26 18:38:32.368605: | find_next_host_connection returns empty Aug 26 18:38:32.368609: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Aug 26 18:38:32.368614: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 18:38:32.368617: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 18:38:32.368620: | find_next_host_connection returns empty Aug 26 18:38:32.368624: | find_host_connection local=192.1.2.23:500 remote= policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 18:38:32.368629: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 18:38:32.368632: | find_next_host_connection 
policy=PSK+IKEV2_ALLOW Aug 26 18:38:32.368635: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Aug 26 18:38:32.368638: | find_next_host_connection returns eastnet-northnet Aug 26 18:38:32.368640: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 18:38:32.368645: | find_next_host_connection returns empty Aug 26 18:38:32.368648: | rw_instantiate Aug 26 18:38:32.368656: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@(nil): none Aug 26 18:38:32.368660: | new hp@0x561d687fdd78 Aug 26 18:38:32.368667: | rw_instantiate() instantiated "eastnet-northnet"[1] 192.1.3.33 for 192.1.3.33 Aug 26 18:38:32.368672: | found connection: eastnet-northnet[1] 192.1.3.33 with policy PSK+IKEV2_ALLOW Aug 26 18:38:32.368677: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 18:38:32.368706: | creating state object #1 at 0x561d687fe2c8 Aug 26 18:38:32.368710: | State DB: adding IKEv2 state #1 in UNDEFINED Aug 26 18:38:32.368718: | pstats #1 ikev2.ike started Aug 26 18:38:32.368722: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Aug 26 18:38:32.368726: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Aug 26 18:38:32.368732: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Aug 26 18:38:32.368743: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 18:38:32.368747: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 18:38:32.368753: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33 (in ike_process_packet() at ikev2.c:2064) Aug 26 18:38:32.368757: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Aug 26 18:38:32.368761: | Message ID: #1 not a duplicate - 
message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Aug 26 18:38:32.368766: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Aug 26 18:38:32.368770: | #1 in state PARENT_R0: processing SA_INIT request Aug 26 18:38:32.368773: | selected state microcode Respond to IKE_SA_INIT Aug 26 18:38:32.368776: | Now let's proceed with state specific processing Aug 26 18:38:32.368778: | calling processor Respond to IKE_SA_INIT Aug 26 18:38:32.368789: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 18:38:32.368793: | constructing local IKE proposals for eastnet-northnet (IKE SA responder matching remote proposals) Aug 26 18:38:32.368802: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:38:32.368812: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:38:32.368816: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:38:32.368822: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:38:32.368828: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:38:32.368834: | ... 
ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:38:32.368838: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:38:32.368845: | ... ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:38:32.368859: "eastnet-northnet"[1] 192.1.3.33: constructed local IKE proposals for eastnet-northnet (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:38:32.368867: | Comparing remote proposals against IKE responder 4 local proposals Aug 26 18:38:32.368874: | local proposal 1 type ENCR has 1 transforms Aug 26 18:38:32.368878: | local proposal 1 type PRF has 2 transforms Aug 26 18:38:32.368881: | local proposal 1 type INTEG has 1 transforms Aug 26 18:38:32.368883: | local proposal 1 type DH has 8 transforms Aug 26 18:38:32.368886: | local proposal 1 type ESN has 0 transforms Aug 26 18:38:32.368890: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 18:38:32.368893: | local proposal 2 type ENCR has 1 transforms Aug 26 18:38:32.368896: | local proposal 2 type PRF 
has 2 transforms Aug 26 18:38:32.368899: | local proposal 2 type INTEG has 1 transforms Aug 26 18:38:32.368902: | local proposal 2 type DH has 8 transforms Aug 26 18:38:32.368905: | local proposal 2 type ESN has 0 transforms Aug 26 18:38:32.368908: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 18:38:32.368911: | local proposal 3 type ENCR has 1 transforms Aug 26 18:38:32.368914: | local proposal 3 type PRF has 2 transforms Aug 26 18:38:32.368917: | local proposal 3 type INTEG has 2 transforms Aug 26 18:38:32.368920: | local proposal 3 type DH has 8 transforms Aug 26 18:38:32.368922: | local proposal 3 type ESN has 0 transforms Aug 26 18:38:32.368926: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 18:38:32.368929: | local proposal 4 type ENCR has 1 transforms Aug 26 18:38:32.368931: | local proposal 4 type PRF has 2 transforms Aug 26 18:38:32.368934: | local proposal 4 type INTEG has 2 transforms Aug 26 18:38:32.368937: | local proposal 4 type DH has 8 transforms Aug 26 18:38:32.368940: | local proposal 4 type ESN has 0 transforms Aug 26 18:38:32.368943: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 18:38:32.368947: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:38:32.368950: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:38:32.368953: | length: 100 (0x64) Aug 26 18:38:32.368956: | prop #: 1 (0x1) Aug 26 18:38:32.368959: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:38:32.368962: | spi size: 0 (0x0) Aug 26 18:38:32.368965: | # transforms: 11 (0xb) Aug 26 18:38:32.368968: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Aug 26 18:38:32.368972: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.368975: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.368977: | length: 12 (0xc) Aug 26 18:38:32.368980: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 
18:38:32.368983: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:38:32.368986: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:38:32.368989: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:38:32.368991: | length/value: 256 (0x100) Aug 26 18:38:32.368996: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 18:38:32.368999: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369001: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369004: | length: 8 (0x8) Aug 26 18:38:32.369006: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:32.369008: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:38:32.369013: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Aug 26 18:38:32.369020: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Aug 26 18:38:32.369023: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Aug 26 18:38:32.369027: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Aug 26 18:38:32.369030: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369033: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369035: | length: 8 (0x8) Aug 26 18:38:32.369038: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:32.369040: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:38:32.369044: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369046: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369049: | length: 8 (0x8) Aug 26 18:38:32.369051: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369053: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:38:32.369057: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 
18:38:32.369061: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Aug 26 18:38:32.369065: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Aug 26 18:38:32.369068: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Aug 26 18:38:32.369071: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369074: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369076: | length: 8 (0x8) Aug 26 18:38:32.369079: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369081: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:38:32.369085: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369087: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369090: | length: 8 (0x8) Aug 26 18:38:32.369093: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369095: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:38:32.369098: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369101: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369103: | length: 8 (0x8) Aug 26 18:38:32.369105: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369108: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:38:32.369111: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369113: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369116: | length: 8 (0x8) Aug 26 18:38:32.369119: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369122: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:38:32.369125: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369127: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369130: | length: 8 (0x8) Aug 26 18:38:32.369133: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369135: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) 
Aug 26 18:38:32.369138: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369141: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369143: | length: 8 (0x8) Aug 26 18:38:32.369146: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369148: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:38:32.369151: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369154: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:38:32.369156: | length: 8 (0x8) Aug 26 18:38:32.369159: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369162: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:38:32.369166: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Aug 26 18:38:32.369173: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Aug 26 18:38:32.369176: | remote proposal 1 matches local proposal 1 Aug 26 18:38:32.369179: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:38:32.369182: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:38:32.369185: | length: 100 (0x64) Aug 26 18:38:32.369187: | prop #: 2 (0x2) Aug 26 18:38:32.369190: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:38:32.369193: | spi size: 0 (0x0) Aug 26 18:38:32.369195: | # transforms: 11 (0xb) Aug 26 18:38:32.369199: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:38:32.369202: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369205: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369207: | length: 12 (0xc) Aug 26 18:38:32.369210: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:38:32.369213: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:38:32.369215: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:38:32.369218: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 
18:38:32.369221: | length/value: 128 (0x80) Aug 26 18:38:32.369224: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369227: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369229: | length: 8 (0x8) Aug 26 18:38:32.369232: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:32.369235: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:38:32.369237: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369240: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369242: | length: 8 (0x8) Aug 26 18:38:32.369245: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:32.369248: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:38:32.369250: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369253: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369255: | length: 8 (0x8) Aug 26 18:38:32.369258: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369260: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:38:32.369263: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369266: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369268: | length: 8 (0x8) Aug 26 18:38:32.369270: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369273: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:38:32.369276: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369278: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369280: | length: 8 (0x8) Aug 26 18:38:32.369281: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369283: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:38:32.369285: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369287: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369292: | length: 8 (0x8) Aug 26 18:38:32.369296: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369298: | IKEv2 transform ID: 
OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:38:32.369300: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369302: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369303: | length: 8 (0x8) Aug 26 18:38:32.369305: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369306: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:38:32.369308: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369310: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369311: | length: 8 (0x8) Aug 26 18:38:32.369313: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369315: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 18:38:32.369317: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369323: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369325: | length: 8 (0x8) Aug 26 18:38:32.369326: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369328: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:38:32.369330: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369332: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:38:32.369333: | length: 8 (0x8) Aug 26 18:38:32.369335: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369336: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:38:32.369339: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Aug 26 18:38:32.369341: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Aug 26 18:38:32.369343: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:38:32.369345: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:38:32.369346: | length: 116 (0x74) Aug 26 18:38:32.369348: | prop #: 3 (0x3) Aug 26 18:38:32.369350: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:38:32.369353: | spi size: 0 (0x0) Aug 26 18:38:32.369355: | # transforms: 13 (0xd) Aug 26 18:38:32.369359: | Comparing remote proposal 3 
containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:38:32.369362: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369364: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369367: | length: 12 (0xc) Aug 26 18:38:32.369370: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:38:32.369372: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:38:32.369375: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:38:32.369378: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:38:32.369381: | length/value: 256 (0x100) Aug 26 18:38:32.369384: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369387: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369389: | length: 8 (0x8) Aug 26 18:38:32.369392: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:32.369394: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:38:32.369397: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369400: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369402: | length: 8 (0x8) Aug 26 18:38:32.369405: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:32.369407: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:38:32.369410: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369413: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369415: | length: 8 (0x8) Aug 26 18:38:32.369418: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:38:32.369421: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 18:38:32.369425: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369428: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369430: | length: 8 (0x8) Aug 26 18:38:32.369433: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:38:32.369435: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:38:32.369438: | *****parse IKEv2 Transform Substructure Payload: Aug 26 
18:38:32.369441: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369443: | length: 8 (0x8) Aug 26 18:38:32.369446: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369448: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:38:32.369451: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369454: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369456: | length: 8 (0x8) Aug 26 18:38:32.369458: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369461: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:38:32.369464: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369466: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369470: | length: 8 (0x8) Aug 26 18:38:32.369473: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369476: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:38:32.369478: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369481: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369483: | length: 8 (0x8) Aug 26 18:38:32.369486: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369489: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:38:32.369492: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369495: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369497: | length: 8 (0x8) Aug 26 18:38:32.369500: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369502: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:38:32.369506: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369508: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369511: | length: 8 (0x8) Aug 26 18:38:32.369514: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369516: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 18:38:32.369519: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369522: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369525: | length: 8 (0x8) Aug 26 18:38:32.369528: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369531: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:38:32.369534: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369536: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:38:32.369539: | length: 8 (0x8) Aug 26 18:38:32.369541: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369543: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:38:32.369548: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 18:38:32.369551: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 18:38:32.369554: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:38:32.369556: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:38:32.369559: | length: 116 (0x74) Aug 26 18:38:32.369561: | prop #: 4 (0x4) Aug 26 18:38:32.369564: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:38:32.369566: | spi size: 0 (0x0) Aug 26 18:38:32.369568: | # transforms: 13 (0xd) Aug 26 18:38:32.369572: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:38:32.369575: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369577: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369580: | length: 12 (0xc) Aug 26 18:38:32.369582: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:38:32.369584: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:38:32.369587: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:38:32.369590: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:38:32.369592: | length/value: 128 (0x80) Aug 26 18:38:32.369595: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369598: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369600: | length: 8 (0x8) Aug 26 
18:38:32.369603: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:32.369606: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:38:32.369609: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369611: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369614: | length: 8 (0x8) Aug 26 18:38:32.369616: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:32.369619: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:38:32.369622: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369624: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369627: | length: 8 (0x8) Aug 26 18:38:32.369629: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:38:32.369633: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 18:38:32.369637: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369639: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369642: | length: 8 (0x8) Aug 26 18:38:32.369645: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:38:32.369647: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:38:32.369650: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369653: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369655: | length: 8 (0x8) Aug 26 18:38:32.369658: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369660: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:38:32.369663: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369666: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369668: | length: 8 (0x8) Aug 26 18:38:32.369671: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369674: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:38:32.369677: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369680: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369682: | length: 8 (0x8) Aug 26 18:38:32.369684: | 
IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369687: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:38:32.369690: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369693: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369695: | length: 8 (0x8) Aug 26 18:38:32.369698: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369700: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:38:32.369704: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369706: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369709: | length: 8 (0x8) Aug 26 18:38:32.369712: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369715: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:38:32.369718: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369721: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369723: | length: 8 (0x8) Aug 26 18:38:32.369726: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369729: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 18:38:32.369732: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369735: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.369737: | length: 8 (0x8) Aug 26 18:38:32.369740: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369743: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:38:32.369746: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.369749: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:38:32.369752: | length: 8 (0x8) Aug 26 18:38:32.369754: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.369757: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:38:32.369761: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 18:38:32.369765: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH 
Aug 26 18:38:32.369772: "eastnet-northnet"[1] 192.1.3.33 #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Aug 26 18:38:32.369781: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Aug 26 18:38:32.369784: | converting proposal to internal trans attrs Aug 26 18:38:32.369789: | natd_hash: rcookie is zero Aug 26 18:38:32.369809: | natd_hash: hasher=0x561d6752b800(20) Aug 26 18:38:32.369813: | natd_hash: icookie= ad 6d 60 74 a3 e2 ed 1a Aug 26 18:38:32.369816: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 18:38:32.369818: | natd_hash: ip= c0 01 02 17 Aug 26 18:38:32.369821: | natd_hash: port=500 Aug 26 18:38:32.369824: | natd_hash: hash= c6 e9 df de 20 1d e9 a9 ef b1 d7 d1 a0 21 ce 65 Aug 26 18:38:32.369827: | natd_hash: hash= 73 0d 39 59 Aug 26 18:38:32.369829: | natd_hash: rcookie is zero Aug 26 18:38:32.369837: | natd_hash: hasher=0x561d6752b800(20) Aug 26 18:38:32.369840: | natd_hash: icookie= ad 6d 60 74 a3 e2 ed 1a Aug 26 18:38:32.369843: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 18:38:32.369845: | natd_hash: ip= c0 01 03 21 Aug 26 18:38:32.369848: | natd_hash: port=500 Aug 26 18:38:32.369851: | natd_hash: hash= cf ae 46 76 2a 3b 54 01 dc 
9b a4 d7 46 6b d8 83 Aug 26 18:38:32.369853: | natd_hash: hash= 01 e0 5b b7 Aug 26 18:38:32.369856: | NAT_TRAVERSAL encaps using auto-detect Aug 26 18:38:32.369858: | NAT_TRAVERSAL this end is NOT behind NAT Aug 26 18:38:32.369861: | NAT_TRAVERSAL that end is NOT behind NAT Aug 26 18:38:32.369865: | NAT_TRAVERSAL nat-keepalive enabled 192.1.3.33 Aug 26 18:38:32.369872: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Aug 26 18:38:32.369875: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x561d687fdea8 Aug 26 18:38:32.369880: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 18:38:32.369884: | libevent_malloc: new ptr-libevent@0x561d68800628 size 128 Aug 26 18:38:32.369900: | #1 spent 1.11 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Aug 26 18:38:32.369904: | crypto helper 0 resuming Aug 26 18:38:32.369922: | crypto helper 0 starting work-order 1 for state #1 Aug 26 18:38:32.369929: | crypto helper 0 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Aug 26 18:38:32.370929: | crypto helper 0 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.001 seconds Aug 26 18:38:32.370946: | (#1) spent 1.01 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Aug 26 18:38:32.370951: | crypto helper 0 sending results from work-order 1 for state #1 to event queue Aug 26 18:38:32.370955: | scheduling resume sending helper answer for #1 Aug 26 18:38:32.370959: | libevent_malloc: new ptr-libevent@0x7fb898002888 size 128 Aug 26 18:38:32.370965: | crypto helper 0 waiting (nothing to do) Aug 26 18:38:32.369910: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:38:32.370976: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Aug 26 18:38:32.370980: | suspending state #1 and saving MD Aug 26 18:38:32.370982: | #1 is busy; 
has a suspended MD Aug 26 18:38:32.370990: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 18:38:32.370995: | "eastnet-northnet"[1] 192.1.3.33 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 18:38:32.371002: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 18:38:32.371007: | #1 spent 1.76 milliseconds in ikev2_process_packet() Aug 26 18:38:32.371012: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Aug 26 18:38:32.371015: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 18:38:32.371021: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 18:38:32.371026: | spent 1.78 milliseconds in comm_handle_cb() reading and processing packet Aug 26 18:38:32.371037: | processing resume sending helper answer for #1 Aug 26 18:38:32.371044: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:797) Aug 26 18:38:32.371048: | crypto helper 0 replies to request ID 1 Aug 26 18:38:32.371051: | calling continuation function 0x561d67456b50 Aug 26 18:38:32.371054: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Aug 26 18:38:32.371084: | **emit ISAKMP Message: Aug 26 18:38:32.371088: | initiator cookie: Aug 26 18:38:32.371090: | ad 6d 60 74 a3 e2 ed 1a Aug 26 18:38:32.371093: | responder cookie: Aug 26 18:38:32.371095: | 47 4e 95 2d b8 ba d3 51 Aug 26 18:38:32.371098: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:38:32.371101: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:38:32.371104: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 18:38:32.371107: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 18:38:32.371110: | Message ID: 0 
(0x0) Aug 26 18:38:32.371114: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:38:32.371117: | Emitting ikev2_proposal ... Aug 26 18:38:32.371121: | ***emit IKEv2 Security Association Payload: Aug 26 18:38:32.371124: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:32.371126: | flags: none (0x0) Aug 26 18:38:32.371130: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 18:38:32.371133: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 18:38:32.371137: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 18:38:32.371139: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:38:32.371142: | prop #: 1 (0x1) Aug 26 18:38:32.371144: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:38:32.371147: | spi size: 0 (0x0) Aug 26 18:38:32.371149: | # transforms: 3 (0x3) Aug 26 18:38:32.371153: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 18:38:32.371156: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:38:32.371159: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.371162: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:38:32.371165: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:38:32.371168: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:38:32.371172: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 18:38:32.371175: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:38:32.371177: | length/value: 256 (0x100) Aug 26 18:38:32.371180: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 18:38:32.371183: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:38:32.371186: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 
18:38:32.371189: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:32.371191: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:38:32.371194: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.371197: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:38:32.371200: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:38:32.371203: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:38:32.371206: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:38:32.371208: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:32.371211: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:38:32.371217: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.371220: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:38:32.371223: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:38:32.371226: | emitting length of IKEv2 Proposal Substructure Payload: 36 Aug 26 18:38:32.371229: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 18:38:32.371231: | emitting length of IKEv2 Security Association Payload: 40 Aug 26 18:38:32.371234: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 18:38:32.371238: | ***emit IKEv2 Key Exchange Payload: Aug 26 18:38:32.371241: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:32.371243: | flags: none (0x0) Aug 26 18:38:32.371246: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:38:32.371249: | next 
payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 18:38:32.371253: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 18:38:32.371256: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Aug 26 18:38:32.371311: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 18:38:32.371313: | ***emit IKEv2 Nonce Payload: Aug 26 18:38:32.371316: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:32.371318: | flags: none (0x0) Aug 26 18:38:32.371322: | next payload
chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Aug 26 18:38:32.371325: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 18:38:32.371328: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 18:38:32.371331: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 18:38:32.371334: | IKEv2 nonce 58 a2 34 54 8b 09 26 e7 d3 03 4a 8b 31 0a 64 b1 Aug 26 18:38:32.371337: | IKEv2 nonce 91 f2 eb 08 5d 16 d7 ec d8 39 c5 62 72 3e ea ec Aug 26 18:38:32.371340: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 18:38:32.371343: | Adding a v2N Payload Aug 26 18:38:32.371346: | ***emit IKEv2 Notify Payload: Aug 26 18:38:32.371351: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:32.371353: | flags: none (0x0) Aug 26 18:38:32.371356: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:32.371359: | SPI size: 0 (0x0) Aug 26 18:38:32.371362: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 18:38:32.371366: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:38:32.371368: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:38:32.371371: | emitting length of IKEv2 Notify Payload: 8 Aug 26 18:38:32.371375: | NAT-Traversal support [enabled] add v2N payloads. 
Aug 26 18:38:32.371385: | natd_hash: hasher=0x561d6752b800(20) Aug 26 18:38:32.371389: | natd_hash: icookie= ad 6d 60 74 a3 e2 ed 1a Aug 26 18:38:32.371391: | natd_hash: rcookie= 47 4e 95 2d b8 ba d3 51 Aug 26 18:38:32.371394: | natd_hash: ip= c0 01 02 17 Aug 26 18:38:32.371397: | natd_hash: port=500 Aug 26 18:38:32.371399: | natd_hash: hash= 97 f6 0e 0b fe 2e 88 10 c2 f8 17 1e 13 48 c2 cd Aug 26 18:38:32.371402: | natd_hash: hash= 64 66 d9 a3 Aug 26 18:38:32.371405: | Adding a v2N Payload Aug 26 18:38:32.371407: | ***emit IKEv2 Notify Payload: Aug 26 18:38:32.371410: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:32.371413: | flags: none (0x0) Aug 26 18:38:32.371415: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:32.371418: | SPI size: 0 (0x0) Aug 26 18:38:32.371420: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 18:38:32.371424: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:38:32.371427: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:38:32.371429: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 18:38:32.371432: | Notify data 97 f6 0e 0b fe 2e 88 10 c2 f8 17 1e 13 48 c2 cd Aug 26 18:38:32.371435: | Notify data 64 66 d9 a3 Aug 26 18:38:32.371437: | emitting length of IKEv2 Notify Payload: 28 Aug 26 18:38:32.371444: | natd_hash: hasher=0x561d6752b800(20) Aug 26 18:38:32.371447: | natd_hash: icookie= ad 6d 60 74 a3 e2 ed 1a Aug 26 18:38:32.371450: | natd_hash: rcookie= 47 4e 95 2d b8 ba d3 51 Aug 26 18:38:32.371452: | natd_hash: ip= c0 01 03 21 Aug 26 18:38:32.371455: | natd_hash: port=500 Aug 26 18:38:32.371458: | natd_hash: hash= 2a fc 6d be 8b e1 35 68 c3 f8 dd c8 9e 4e f7 26 Aug 26 18:38:32.371460: | natd_hash: hash= 09 f0 37 de Aug 26 18:38:32.371463: | Adding a v2N Payload Aug 26 18:38:32.371465: | ***emit IKEv2 Notify Payload: Aug 26 
18:38:32.371467: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:32.371470: | flags: none (0x0) Aug 26 18:38:32.371472: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:32.371475: | SPI size: 0 (0x0) Aug 26 18:38:32.371477: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 18:38:32.371480: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:38:32.371483: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:38:32.371486: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 18:38:32.371489: | Notify data 2a fc 6d be 8b e1 35 68 c3 f8 dd c8 9e 4e f7 26 Aug 26 18:38:32.371492: | Notify data 09 f0 37 de Aug 26 18:38:32.371494: | emitting length of IKEv2 Notify Payload: 28 Aug 26 18:38:32.371497: | emitting length of ISAKMP Message: 432 Aug 26 18:38:32.371506: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:38:32.371510: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Aug 26 18:38:32.371513: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Aug 26 18:38:32.371519: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Aug 26 18:38:32.371522: | Message ID: updating counters for #1 to 0 after switching state Aug 26 18:38:32.371528: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Aug 26 18:38:32.371533: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Aug 26 18:38:32.371540: "eastnet-northnet"[1] 192.1.3.33 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a 
prf=HMAC_SHA2_512 group=MODP2048} Aug 26 18:38:32.371545: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Aug 26 18:38:32.371552: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Aug 26 18:38:32.371684: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 18:38:32.371692: | libevent_free: release ptr-libevent@0x561d68800628 Aug 26 18:38:32.371695: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x561d687fdea8 Aug 26 18:38:32.371698: | event_schedule: new EVENT_SO_DISCARD-pe@0x561d687fdea8 Aug 26 18:38:32.371702: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Aug 26 18:38:32.371706: | libevent_malloc: new ptr-libevent@0x561d68801778 size 128 Aug 26 18:38:32.371710: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 18:38:32.371717: | #1 spent 0.627 milliseconds in resume sending helper answer Aug 26 18:38:32.371723: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:833) Aug 26 18:38:32.371727: | libevent_free: release ptr-libevent@0x7fb898002888 Aug 26 18:38:32.375845: | spent 0.00336 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 18:38:32.375874: | *received 241 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Aug 26 18:38:32.375922: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Aug 26 18:38:32.375926: | **parse ISAKMP Message: Aug 26 18:38:32.375929: | initiator cookie: Aug 26 18:38:32.375932: | ad 6d 60 74 a3 e2 ed 1a Aug 26 18:38:32.375934: | responder cookie: Aug 26 18:38:32.375937: | 47 4e 95 2d b8 ba d3 51 Aug 26 18:38:32.375940: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 18:38:32.375943: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:38:32.375946: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 18:38:32.375949: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 18:38:32.375951: | Message ID: 1 (0x1) Aug 26 18:38:32.375954: | length: 241 (0xf1) Aug 26 18:38:32.375957: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 18:38:32.375961: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 18:38:32.375965: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Aug 26 18:38:32.375973: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 18:38:32.375977: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 18:38:32.375983: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 18:38:32.375987: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid
00000001 Aug 26 18:38:32.375991: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Aug 26 18:38:32.375994: | unpacking clear payload Aug 26 18:38:32.375997: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 18:38:32.376000: | ***parse IKEv2 Encryption Payload: Aug 26 18:38:32.376003: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Aug 26 18:38:32.376005: | flags: none (0x0) Aug 26 18:38:32.376008: | length: 213 (0xd5) Aug 26 18:38:32.376010: | processing payload: ISAKMP_NEXT_v2SK (len=209) Aug 26 18:38:32.376015: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Aug 26 18:38:32.376018: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 18:38:32.376021: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 18:38:32.376024: | Now let's proceed with state specific processing Aug 26 18:38:32.376027: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 18:38:32.376030: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Aug 26 18:38:32.376037: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Aug 26 18:38:32.376043: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Aug 26 18:38:32.376047: | state #1 requesting EVENT_SO_DISCARD to be deleted Aug 26 18:38:32.376051: | libevent_free: release ptr-libevent@0x561d68801778 Aug 26 18:38:32.376055: | free_event_entry: release EVENT_SO_DISCARD-pe@0x561d687fdea8 Aug 26 18:38:32.376058: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x561d687fdea8 Aug 26 18:38:32.376063: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 18:38:32.376067: | libevent_malloc: new ptr-libevent@0x7fb898002888 size 128 Aug 26 18:38:32.376079: | #1 spent 0.0462 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) 
in ikev2_process_state_packet() Aug 26 18:38:32.376085: | crypto helper 2 resuming Aug 26 18:38:32.376087: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:38:32.376103: | crypto helper 2 starting work-order 2 for state #1 Aug 26 18:38:32.376107: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Aug 26 18:38:32.376111: | crypto helper 2 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Aug 26 18:38:32.376111: | suspending state #1 and saving MD Aug 26 18:38:32.376120: | #1 is busy; has a suspended MD Aug 26 18:38:32.376127: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 18:38:32.376133: | "eastnet-northnet"[1] 192.1.3.33 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 18:38:32.376139: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 18:38:32.376145: | #1 spent 0.274 milliseconds in ikev2_process_packet() Aug 26 18:38:32.376150: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Aug 26 18:38:32.376153: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 18:38:32.376156: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 18:38:32.376160: | spent 0.29 milliseconds in comm_handle_cb() reading and processing packet Aug 26 18:38:32.377057: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Aug 26 18:38:32.377546: | crypto helper 2 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001435 seconds Aug 26 18:38:32.377563: | (#1) spent 1.42 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Aug 26 18:38:32.377567: | crypto helper 
2 sending results from work-order 2 for state #1 to event queue Aug 26 18:38:32.377571: | scheduling resume sending helper answer for #1 Aug 26 18:38:32.377576: | libevent_malloc: new ptr-libevent@0x7fb890000f48 size 128 Aug 26 18:38:32.377586: | crypto helper 2 waiting (nothing to do) Aug 26 18:38:32.377598: | processing resume sending helper answer for #1 Aug 26 18:38:32.377614: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:797) Aug 26 18:38:32.377620: | crypto helper 2 replies to request ID 2 Aug 26 18:38:32.377624: | calling continuation function 0x561d67456b50 Aug 26 18:38:32.377628: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Aug 26 18:38:32.377632: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 18:38:32.377648: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Aug 26 18:38:32.377652: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Aug 26 18:38:32.377657: | **parse IKEv2 Identification - Initiator - Payload: Aug 26 18:38:32.377661: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Aug 26 18:38:32.377664: | flags: none (0x0) Aug 26 18:38:32.377668: | length: 12 (0xc) Aug 26 18:38:32.377671: | ID type: ID_IPV4_ADDR (0x1) Aug 26 18:38:32.377675: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Aug 26 18:38:32.377681: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Aug 26 18:38:32.377685: | **parse IKEv2 Authentication Payload: Aug 26 18:38:32.377688: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 18:38:32.377691: | flags: none (0x0) Aug 26 18:38:32.377694: | length: 72 (0x48) Aug 26 18:38:32.377697: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 18:38:32.377701: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Aug 26 18:38:32.377704: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 18:38:32.377707: | **parse IKEv2 Security Association Payload: Aug 26 18:38:32.377711: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 
18:38:32.377714: | flags: none (0x0) Aug 26 18:38:32.377717: | length: 44 (0x2c) Aug 26 18:38:32.377720: | processing payload: ISAKMP_NEXT_v2SA (len=40) Aug 26 18:38:32.377723: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 18:38:32.377727: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 18:38:32.377730: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 18:38:32.377733: | flags: none (0x0) Aug 26 18:38:32.377735: | length: 24 (0x18) Aug 26 18:38:32.377738: | number of TS: 1 (0x1) Aug 26 18:38:32.377741: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Aug 26 18:38:32.377745: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 18:38:32.377748: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 18:38:32.377751: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:32.377754: | flags: none (0x0) Aug 26 18:38:32.377757: | length: 24 (0x18) Aug 26 18:38:32.377759: | number of TS: 1 (0x1) Aug 26 18:38:32.377763: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Aug 26 18:38:32.377766: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:38:32.377769: | **parse IKEv2 Notify Payload: Aug 26 18:38:32.377772: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:32.377775: | flags: none (0x0) Aug 26 18:38:32.377778: | length: 8 (0x8) Aug 26 18:38:32.377781: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:32.377784: | SPI size: 0 (0x0) Aug 26 18:38:32.377788: | Notify Message Type: v2N_MOBIKE_SUPPORTED (0x400c) Aug 26 18:38:32.377792: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 18:38:32.377795: | selected state microcode Responder: process IKE_AUTH request Aug 26 18:38:32.377799: | Now let's proceed with state specific processing Aug 26 18:38:32.377802: | calling processor Responder: process IKE_AUTH request Aug 26 18:38:32.377810: "eastnet-northnet"[1] 192.1.3.33 #1: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr,N} Aug 26 18:38:32.377818: | #1 updating local interface from 
192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 18:38:32.377824: | parsing 4 raw bytes of IKEv2 Identification - Initiator - Payload into peer ID Aug 26 18:38:32.377828: | peer ID c0 01 03 21 Aug 26 18:38:32.377834: | refine_host_connection for IKEv2: starting with "eastnet-northnet"[1] 192.1.3.33 Aug 26 18:38:32.377841: | match_id a=192.1.3.33 Aug 26 18:38:32.377845: | b=192.1.3.33 Aug 26 18:38:32.377848: | results matched Aug 26 18:38:32.377856: | refine_host_connection: checking "eastnet-northnet"[1] 192.1.3.33 against "eastnet-northnet"[1] 192.1.3.33, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Aug 26 18:38:32.377859: | Warning: not switching back to template of current instance Aug 26 18:38:32.377862: | No IDr payload received from peer Aug 26 18:38:32.377869: | refine_host_connection: checked eastnet-northnet[1] 192.1.3.33 against eastnet-northnet[1] 192.1.3.33, now for see if best Aug 26 18:38:32.377876: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 18:38:32.377881: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 18:38:32.377887: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Aug 26 18:38:32.377891: | 1: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 18:38:32.377897: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 18:38:32.377901: | line 1: match=002 Aug 26 18:38:32.377905: | match 002 beats previous best_match 000 match=0x561d68755c48 (line=1) Aug 26 18:38:32.377908: | concluding with best_match=002 best=0x561d68755c48 (lineno=1) Aug 26 18:38:32.377911: | returning because exact peer id match Aug 26 18:38:32.377914: | offered CA: '%none' Aug 26 18:38:32.377920: "eastnet-northnet"[1] 192.1.3.33 #1: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.1.3.33' Aug 26 18:38:32.377924: | received v2N_MOBIKE_SUPPORTED while it did not sent Aug 26 18:38:32.377947: | verifying AUTH payload Aug 26 18:38:32.377952: 
| ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret Aug 26 18:38:32.377959: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 18:38:32.377963: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 18:38:32.377968: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Aug 26 18:38:32.377972: | 1: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 18:38:32.377975: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 18:38:32.377978: | line 1: match=002 Aug 26 18:38:32.377981: | match 002 beats previous best_match 000 match=0x561d68755c48 (line=1) Aug 26 18:38:32.377984: | concluding with best_match=002 best=0x561d68755c48 (lineno=1) Aug 26 18:38:32.378056: "eastnet-northnet"[1] 192.1.3.33 #1: Authenticated using authby=secret Aug 26 18:38:32.378066: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Aug 26 18:38:32.378076: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Aug 26 18:38:32.378081: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 18:38:32.378086: | libevent_free: release ptr-libevent@0x7fb898002888 Aug 26 18:38:32.378090: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x561d687fdea8 Aug 26 18:38:32.378094: | event_schedule: new EVENT_SA_REKEY-pe@0x561d687fdea8 Aug 26 18:38:32.378099: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Aug 26 18:38:32.378103: | libevent_malloc: new ptr-libevent@0x561d68800838 size 128 Aug 26 18:38:32.378181: | pstats #1 ikev2.ike established Aug 26 18:38:32.378189: | **emit ISAKMP Message: Aug 26 18:38:32.378192: | initiator cookie: Aug 26 18:38:32.378196: | ad 6d 60 74 a3 e2 ed 1a Aug 26 18:38:32.378199: | responder cookie: Aug 26 18:38:32.378201: | 47 4e 95 2d b8 ba d3 51 Aug 26 18:38:32.378205: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:38:32.378208: | ISAKMP version: IKEv2 version 2.0 
(rfc4306/rfc5996) (0x20) Aug 26 18:38:32.378212: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 18:38:32.378215: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 18:38:32.378218: | Message ID: 1 (0x1) Aug 26 18:38:32.378222: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:38:32.378225: | IKEv2 CERT: send a certificate? Aug 26 18:38:32.378229: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Aug 26 18:38:32.378232: | ***emit IKEv2 Encryption Payload: Aug 26 18:38:32.378236: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:32.378239: | flags: none (0x0) Aug 26 18:38:32.378243: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:38:32.378247: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 18:38:32.378251: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:38:32.378261: | Adding a v2N Payload Aug 26 18:38:32.378265: | ****emit IKEv2 Notify Payload: Aug 26 18:38:32.378268: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:32.378271: | flags: none (0x0) Aug 26 18:38:32.378273: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:32.378276: | SPI size: 0 (0x0) Aug 26 18:38:32.378280: | Notify Message Type: v2N_MOBIKE_SUPPORTED (0x400c) Aug 26 18:38:32.378286: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:38:32.378311: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:38:32.378316: | emitting length of IKEv2 Notify Payload: 8 Aug 26 18:38:32.378319: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 18:38:32.378335: | ****emit IKEv2 Identification - Responder - Payload: Aug 26 18:38:32.378339: | next payload type: ISAKMP_NEXT_v2NONE (0x0) 
Aug 26 18:38:32.378342: | flags: none (0x0) Aug 26 18:38:32.378345: | ID type: ID_IPV4_ADDR (0x1) Aug 26 18:38:32.378350: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Aug 26 18:38:32.378354: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 18:38:32.378359: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Aug 26 18:38:32.378362: | my identity c0 01 02 17 Aug 26 18:38:32.378365: | emitting length of IKEv2 Identification - Responder - Payload: 12 Aug 26 18:38:32.378377: | assembled IDr payload Aug 26 18:38:32.378383: | CHILD SA proposals received Aug 26 18:38:32.378387: | going to assemble AUTH payload Aug 26 18:38:32.378391: | ****emit IKEv2 Authentication Payload: Aug 26 18:38:32.378394: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 18:38:32.378398: | flags: none (0x0) Aug 26 18:38:32.378401: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 18:38:32.378406: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Aug 26 18:38:32.378411: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Aug 26 18:38:32.378415: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Aug 26 18:38:32.378419: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Aug 26 18:38:32.378425: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 18:38:32.378431: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 18:38:32.378437: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Aug 26 18:38:32.378441: | 1: compared key (none) to 192.1.2.23 / 
192.1.3.33 -> 002 Aug 26 18:38:32.378445: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 18:38:32.378449: | line 1: match=002 Aug 26 18:38:32.378454: | match 002 beats previous best_match 000 match=0x561d68755c48 (line=1) Aug 26 18:38:32.378459: | concluding with best_match=002 best=0x561d68755c48 (lineno=1) Aug 26 18:38:32.378518: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Aug 26 18:38:32.378523: | PSK auth fb 86 b1 7e 54 00 9f df 51 fb b0 b9 f2 af 53 d7 Aug 26 18:38:32.378526: | PSK auth 87 d2 28 2a 8e 60 b1 36 0b 0d cd 46 4a c9 e8 37 Aug 26 18:38:32.378527: | PSK auth 54 1d 21 0e 4a ee ad c7 0c 9e 50 5e f7 d8 e2 9d Aug 26 18:38:32.378529: | PSK auth 27 0f 5d 20 fc ec 69 77 8e 2e 27 3a e3 41 93 a3 Aug 26 18:38:32.378531: | emitting length of IKEv2 Authentication Payload: 72 Aug 26 18:38:32.378538: | creating state object #2 at 0x561d68802808 Aug 26 18:38:32.378540: | State DB: adding IKEv2 state #2 in UNDEFINED Aug 26 18:38:32.378543: | pstats #2 ikev2.child started Aug 26 18:38:32.378546: | duplicating state object #1 "eastnet-northnet"[1] 192.1.3.33 as #2 for IPSEC SA Aug 26 18:38:32.378550: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 18:38:32.378556: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 18:38:32.378564: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Aug 26 18:38:32.378569: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Aug 26 18:38:32.378572: | Child SA TS Request has ike->sa == md->st; so using parent connection Aug 26 18:38:32.378576: | TSi: parsing 1 traffic selectors Aug 26 18:38:32.378579: | ***parse 
IKEv2 Traffic Selector: Aug 26 18:38:32.378582: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:38:32.378585: | IP Protocol ID: 0 (0x0) Aug 26 18:38:32.378588: | length: 16 (0x10) Aug 26 18:38:32.378590: | start port: 0 (0x0) Aug 26 18:38:32.378593: | end port: 65535 (0xffff) Aug 26 18:38:32.378596: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 18:38:32.378598: | TS low c0 00 03 00 Aug 26 18:38:32.378601: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 18:38:32.378605: | TS high c0 00 03 ff Aug 26 18:38:32.378607: | TSi: parsed 1 traffic selectors Aug 26 18:38:32.378611: | TSr: parsing 1 traffic selectors Aug 26 18:38:32.378614: | ***parse IKEv2 Traffic Selector: Aug 26 18:38:32.378616: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:38:32.378619: | IP Protocol ID: 0 (0x0) Aug 26 18:38:32.378621: | length: 16 (0x10) Aug 26 18:38:32.378624: | start port: 0 (0x0) Aug 26 18:38:32.378626: | end port: 65535 (0xffff) Aug 26 18:38:32.378629: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 18:38:32.378631: | TS low c0 00 02 00 Aug 26 18:38:32.378634: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 18:38:32.378636: | TS high c0 00 02 ff Aug 26 18:38:32.378638: | TSr: parsed 1 traffic selectors Aug 26 18:38:32.378641: | looking for best SPD in current connection Aug 26 18:38:32.378648: | evaluating our conn="eastnet-northnet"[1] 192.1.3.33 I=192.0.3.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 18:38:32.378653: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:38:32.378659: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 18:38:32.378663: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 18:38:32.378665: | TSi[0] port match: YES fitness 65536 Aug 26 18:38:32.378668: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 18:38:32.378672: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 
18:38:32.378676: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:38:32.378683: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 18:38:32.378686: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 18:38:32.378689: | TSr[0] port match: YES fitness 65536 Aug 26 18:38:32.378692: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 18:38:32.378695: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 18:38:32.378698: | best fit so far: TSi[0] TSr[0] Aug 26 18:38:32.378701: | found better spd route for TSi[0],TSr[0] Aug 26 18:38:32.378703: | looking for better host pair Aug 26 18:38:32.378709: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Aug 26 18:38:32.378714: | checking hostpair 192.0.2.0/24 -> 192.0.3.0/24 is found Aug 26 18:38:32.378717: | investigating connection "eastnet-northnet" as a better match Aug 26 18:38:32.378721: | match_id a=192.1.3.33 Aug 26 18:38:32.378723: | b=192.1.3.33 Aug 26 18:38:32.378725: | results matched Aug 26 18:38:32.378729: | evaluating our conn="eastnet-northnet"[1] 192.1.3.33 I=192.0.3.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 18:38:32.378731: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:38:32.378735: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 18:38:32.378738: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 18:38:32.378740: | TSi[0] port match: YES fitness 65536 Aug 26 18:38:32.378742: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 18:38:32.378744: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 18:38:32.378746: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:38:32.378750: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 18:38:32.378751: | narrow port end=0..65535 == TSr[0]=0..65535: 0 
Aug 26 18:38:32.378753: | TSr[0] port match: YES fitness 65536 Aug 26 18:38:32.378755: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 18:38:32.378757: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 18:38:32.378758: | best fit so far: TSi[0] TSr[0] Aug 26 18:38:32.378760: | did not find a better connection using host pair Aug 26 18:38:32.378762: | printing contents struct traffic_selector Aug 26 18:38:32.378763: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 18:38:32.378765: | ipprotoid: 0 Aug 26 18:38:32.378767: | port range: 0-65535 Aug 26 18:38:32.378769: | ip range: 192.0.2.0-192.0.2.255 Aug 26 18:38:32.378771: | printing contents struct traffic_selector Aug 26 18:38:32.378772: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 18:38:32.378774: | ipprotoid: 0 Aug 26 18:38:32.378775: | port range: 0-65535 Aug 26 18:38:32.378777: | ip range: 192.0.3.0-192.0.3.255 Aug 26 18:38:32.378780: | constructing ESP/AH proposals with all DH removed for eastnet-northnet (IKE_AUTH responder matching remote ESP/AH proposals) Aug 26 18:38:32.378784: | converting proposal AES_CBC_256-HMAC_SHA2_256_128 to ikev2 ... Aug 26 18:38:32.378788: | ... 
ikev2_proposal: 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 18:38:32.378792: "eastnet-northnet"[1] 192.1.3.33: constructed local ESP/AH proposals for eastnet-northnet (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 18:38:32.378794: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 1 local proposals Aug 26 18:38:32.378797: | local proposal 1 type ENCR has 1 transforms Aug 26 18:38:32.378799: | local proposal 1 type PRF has 0 transforms Aug 26 18:38:32.378800: | local proposal 1 type INTEG has 1 transforms Aug 26 18:38:32.378802: | local proposal 1 type DH has 1 transforms Aug 26 18:38:32.378804: | local proposal 1 type ESN has 1 transforms Aug 26 18:38:32.378806: | local proposal 1 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 18:38:32.378808: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 18:38:32.378810: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:38:32.378812: | length: 40 (0x28) Aug 26 18:38:32.378814: | prop #: 1 (0x1) Aug 26 18:38:32.378815: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:38:32.378817: | spi size: 4 (0x4) Aug 26 18:38:32.378819: | # transforms: 3 (0x3) Aug 26 18:38:32.378821: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 18:38:32.378822: | remote SPI 17 3b 1f 61 Aug 26 18:38:32.378825: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 1 local proposals Aug 26 18:38:32.378827: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.378828: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.378830: | length: 12 (0xc) Aug 26 18:38:32.378832: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:38:32.378833: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:38:32.378835: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 18:38:32.378837: | af+type: AF+IKEv2_KEY_LENGTH 
(0x800e) Aug 26 18:38:32.378839: | length/value: 256 (0x100) Aug 26 18:38:32.378842: | remote proposal 1 transform 0 (ENCR=AES_CBC_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 18:38:32.378845: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.378846: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.378848: | length: 8 (0x8) Aug 26 18:38:32.378850: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:38:32.378851: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:38:32.378854: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_256_128) matches local proposal 1 type 3 (INTEG) transform 0 Aug 26 18:38:32.378855: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:32.378857: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:38:32.378859: | length: 8 (0x8) Aug 26 18:38:32.378860: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:38:32.378862: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:38:32.378864: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 18:38:32.378867: | remote proposal 1 proposed transforms: ENCR+INTEG+ESN; matched: ENCR+INTEG+ESN; unmatched: none Aug 26 18:38:32.378869: | comparing remote proposal 1 containing ENCR+INTEG+ESN transforms to local proposal 1; required: ENCR+INTEG+ESN; optional: DH; matched: ENCR+INTEG+ESN Aug 26 18:38:32.378871: | remote proposal 1 matches local proposal 1 Aug 26 18:38:32.378875: "eastnet-northnet"[1] 192.1.3.33 #1: proposal 1:ESP:SPI=173b1f61;ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match] Aug 26 18:38:32.378878: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=173b1f61;ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Aug 26 18:38:32.378880: | converting proposal to internal trans attrs Aug 26 18:38:32.378896: | netlink_get_spi: allocated 
0x9f33cf1b for esp.0@192.1.2.23 Aug 26 18:38:32.378899: | Emitting ikev2_proposal ... Aug 26 18:38:32.378901: | ****emit IKEv2 Security Association Payload: Aug 26 18:38:32.378903: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:32.378904: | flags: none (0x0) Aug 26 18:38:32.378907: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 18:38:32.378910: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 18:38:32.378913: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 18:38:32.378915: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:38:32.378916: | prop #: 1 (0x1) Aug 26 18:38:32.378918: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:38:32.378920: | spi size: 4 (0x4) Aug 26 18:38:32.378921: | # transforms: 3 (0x3) Aug 26 18:38:32.378923: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 18:38:32.378925: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 18:38:32.378927: | our spi 9f 33 cf 1b Aug 26 18:38:32.378929: | ******emit IKEv2 Transform Substructure Payload: Aug 26 18:38:32.378930: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.378932: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:38:32.378934: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:38:32.378937: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:38:32.378940: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 18:38:32.378943: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:38:32.378945: | length/value: 256 (0x100) Aug 26 18:38:32.378948: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 18:38:32.378951: | ******emit IKEv2 Transform Substructure 
Payload: Aug 26 18:38:32.378954: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.378956: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:38:32.378958: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:38:32.378964: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.378967: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:38:32.378970: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:38:32.378972: | ******emit IKEv2 Transform Substructure Payload: Aug 26 18:38:32.378975: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:38:32.378978: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:38:32.378980: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:38:32.378983: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:32.378986: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:38:32.378989: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:38:32.378991: | emitting length of IKEv2 Proposal Substructure Payload: 40 Aug 26 18:38:32.378994: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 18:38:32.378997: | emitting length of IKEv2 Security Association Payload: 44 Aug 26 18:38:32.379000: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 18:38:32.379003: | received v2N_MOBIKE_SUPPORTED Aug 26 18:38:32.379006: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 18:38:32.379009: | next payload type: 
ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:32.379011: | flags: none (0x0) Aug 26 18:38:32.379014: | number of TS: 1 (0x1) Aug 26 18:38:32.379017: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 18:38:32.379020: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 18:38:32.379023: | *****emit IKEv2 Traffic Selector: Aug 26 18:38:32.379026: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:38:32.379028: | IP Protocol ID: 0 (0x0) Aug 26 18:38:32.379031: | start port: 0 (0x0) Aug 26 18:38:32.379033: | end port: 65535 (0xffff) Aug 26 18:38:32.379037: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 18:38:32.379040: | ipv4 start c0 00 03 00 Aug 26 18:38:32.379043: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 18:38:32.379045: | ipv4 end c0 00 03 ff Aug 26 18:38:32.379048: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 18:38:32.379050: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 18:38:32.379053: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 18:38:32.379056: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:32.379059: | flags: none (0x0) Aug 26 18:38:32.379061: | number of TS: 1 (0x1) Aug 26 18:38:32.379065: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 18:38:32.379068: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 18:38:32.379071: | *****emit IKEv2 Traffic Selector: Aug 26 18:38:32.379073: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:38:32.379076: | IP Protocol ID: 0 (0x0) Aug 26 18:38:32.379079: | start port: 0 (0x0) Aug 
26 18:38:32.379081: | end port: 65535 (0xffff) Aug 26 18:38:32.379085: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 18:38:32.379087: | ipv4 start c0 00 02 00 Aug 26 18:38:32.379090: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 18:38:32.379094: | ipv4 end c0 00 02 ff Aug 26 18:38:32.379097: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 18:38:32.379100: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 18:38:32.379103: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 18:38:32.379107: | integ=sha2_256: .key_size=32 encrypt=aes: .key_size=32 .salt_size=0 keymat_len=64 Aug 26 18:38:32.379285: | FOR_EACH_CONNECTION_... in ISAKMP_SA_established Aug 26 18:38:32.379305: | #1 spent 1.48 milliseconds Aug 26 18:38:32.379309: | install_ipsec_sa() for #2: inbound and outbound Aug 26 18:38:32.379313: | could_route called for eastnet-northnet (kind=CK_INSTANCE) Aug 26 18:38:32.379316: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 18:38:32.379319: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 18:38:32.379322: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 18:38:32.379325: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 18:38:32.379328: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 18:38:32.379334: | route owner of "eastnet-northnet"[1] 192.1.3.33 unrouted: NULL; eroute owner: NULL Aug 26 18:38:32.379338: | looking for alg with encrypt: AES_CBC keylen: 256 integ: HMAC_SHA2_256_128 Aug 26 18:38:32.379342: | encrypt AES_CBC keylen=256 transid=12, key_size=32, encryptalg=12 Aug 26 18:38:32.379345: | st->st_esp.keymat_len=64 is encrypt_keymat_size=32 + integ_keymat_size=32 Aug 26 18:38:32.379350: | setting IPsec SA replay-window to 32 Aug 26 18:38:32.379353: | NIC esp-hw-offload not for connection 'eastnet-northnet' not available on interface eth1 Aug 26 18:38:32.379357: | netlink: enabling tunnel mode Aug 26 18:38:32.379360: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 18:38:32.379363: | netlink: esp-hw-offload not set for IPsec SA Aug 26 18:38:32.379434: | netlink response for Add SA esp.173b1f61@192.1.3.33 included non-error error Aug 26 18:38:32.379439: | set up outgoing SA, ref=0/0 Aug 26 18:38:32.379443: | looking for alg with encrypt: AES_CBC keylen: 256 integ: HMAC_SHA2_256_128 Aug 26 18:38:32.379446: | encrypt AES_CBC keylen=256 transid=12, key_size=32, encryptalg=12 Aug 26 18:38:32.379449: | st->st_esp.keymat_len=64 is encrypt_keymat_size=32 + integ_keymat_size=32 Aug 26 18:38:32.379453: | setting IPsec SA replay-window to 32 Aug 26 18:38:32.379456: | NIC esp-hw-offload not for connection 'eastnet-northnet' not available on interface eth1 Aug 26 18:38:32.379458: | netlink: enabling tunnel mode Aug 26 18:38:32.379461: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 18:38:32.379464: | netlink: esp-hw-offload not set for IPsec SA Aug 26 18:38:32.379501: | 
netlink response for Add SA esp.9f33cf1b@192.1.2.23 included non-error error Aug 26 18:38:32.379506: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 18:38:32.379514: | add inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Aug 26 18:38:32.379517: | IPsec Sa SPD priority set to 1042407 Aug 26 18:38:32.379542: | raw_eroute result=success Aug 26 18:38:32.379547: | set up incoming SA, ref=0/0 Aug 26 18:38:32.379550: | sr for #2: unrouted Aug 26 18:38:32.379553: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 18:38:32.379557: | FOR_EACH_CONNECTION_... in route_owner Aug 26 18:38:32.379560: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 18:38:32.379563: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 18:38:32.379567: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 18:38:32.379570: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 18:38:32.379575: | route owner of "eastnet-northnet"[1] 192.1.3.33 unrouted: NULL; eroute owner: NULL Aug 26 18:38:32.379579: | route_and_eroute with c: eastnet-northnet (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Aug 26 18:38:32.379583: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 18:38:32.379591: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33 (raw_eroute) Aug 26 18:38:32.379597: | IPsec Sa SPD priority set to 1042407 Aug 26 18:38:32.379611: | raw_eroute result=success Aug 26 18:38:32.379615: | running updown command "ipsec _updown" for verb up Aug 26 18:38:32.379619: | command executing up-client Aug 26 18:38:32.379649: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' 
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI Aug 26 18:38:32.379654: | popen cmd is 1048 chars long Aug 26 18:38:32.379657: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' P: Aug 26 18:38:32.379660: | cmd( 80):LUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY: Aug 26 18:38:32.379663: | cmd( 160):_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' : Aug 26 18:38:32.379666: | cmd( 240):PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLU: Aug 26 18:38:32.379669: | cmd( 320):TO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='1: Aug 26 18:38:32.379672: | cmd( 400):92.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PL: Aug 26 18:38:32.379675: | cmd( 480):UTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0': Aug 26 18:38:32.379678: | cmd( 560): PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+: Aug 26 18:38:32.379681: | cmd( 640):ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_C: Aug 26 18:38:32.379684: | cmd( 720):ONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER: Aug 26 18:38:32.379687: | cmd( 800):_CISCO='0' 
PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='': Aug 26 18:38:32.379690: | cmd( 880): PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' : Aug 26 18:38:32.379693: | cmd( 960):VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x173b1f61 SPI_OUT=0x9f33cf1b ipsec _upd: Aug 26 18:38:32.379696: | cmd(1040):own 2>&1: Aug 26 18:38:32.391470: | route_and_eroute: firewall_notified: true Aug 26 18:38:32.391486: | running updown command "ipsec _updown" for verb prepare Aug 26 18:38:32.391490: | command executing prepare-client Aug 26 18:38:32.391523: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARE Aug 26 18:38:32.391532: | popen cmd is 1053 chars long Aug 26 18:38:32.391536: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northn: Aug 26 18:38:32.391539: | cmd( 80):et' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLU: Aug 26 18:38:32.391542: | cmd( 160):TO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' 
PLUTO_MY_CLIENT_NET='192.0.: Aug 26 18:38:32.391544: | cmd( 240):2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0: Aug 26 18:38:32.391547: | cmd( 320):' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_: Aug 26 18:38:32.391550: | cmd( 400):ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.: Aug 26 18:38:32.391553: | cmd( 480):0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCO: Aug 26 18:38:32.391555: | cmd( 560):L='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY=: Aug 26 18:38:32.391558: | cmd( 640):'PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PL: Aug 26 18:38:32.391561: | cmd( 720):UTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS: Aug 26 18:38:32.391564: | cmd( 800):_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANN: Aug 26 18:38:32.391566: | cmd( 880):ER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFAC: Aug 26 18:38:32.391569: | cmd( 960):E='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x173b1f61 SPI_OUT=0x9f33cf1b ipsec: Aug 26 18:38:32.391572: | cmd(1040): _updown 2>&1: Aug 26 18:38:32.403390: | running updown command "ipsec _updown" for verb route Aug 26 18:38:32.403413: | command executing route-client Aug 26 18:38:32.403447: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' 
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='n Aug 26 18:38:32.403452: | popen cmd is 1051 chars long Aug 26 18:38:32.403455: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet: Aug 26 18:38:32.403458: | cmd( 80):' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO: Aug 26 18:38:32.403461: | cmd( 160):_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.: Aug 26 18:38:32.403464: | cmd( 240):0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' : Aug 26 18:38:32.403466: | cmd( 320):PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID: Aug 26 18:38:32.403469: | cmd( 400):='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0': Aug 26 18:38:32.403472: | cmd( 480): PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=: Aug 26 18:38:32.403475: | cmd( 560):'0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='P: Aug 26 18:38:32.403478: | cmd( 640):SK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUT: Aug 26 18:38:32.403484: | cmd( 720):O_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_P: Aug 26 18:38:32.403487: | cmd( 800):EER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER: Aug 26 18:38:32.403490: | cmd( 880):='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE=: Aug 26 18:38:32.403492: | cmd( 960):'' VTI_ROUTING='no' VTI_SHARED='no' 
SPI_IN=0x173b1f61 SPI_OUT=0x9f33cf1b ipsec _: Aug 26 18:38:32.403495: | cmd(1040):updown 2>&1: Aug 26 18:38:32.420974: | route_and_eroute: instance "eastnet-northnet"[1] 192.1.3.33, setting eroute_owner {spd=0x561d687fd7c8,sr=0x561d687fd7c8} to #2 (was #0) (newest_ipsec_sa=#0) Aug 26 18:38:32.421071: | #1 spent 1.9 milliseconds in install_ipsec_sa() Aug 26 18:38:32.421080: | ISAKMP_v2_IKE_AUTH: instance eastnet-northnet[1], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Aug 26 18:38:32.421084: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 18:38:32.421088: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:38:32.421093: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:38:32.421096: | emitting length of IKEv2 Encryption Payload: 213 Aug 26 18:38:32.421098: | emitting length of ISAKMP Message: 241 Aug 26 18:38:32.421132: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Aug 26 18:38:32.421138: | #1 spent 3.44 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Aug 26 18:38:32.421147: | suspend processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:38:32.421155: | start processing: state #2 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:38:32.421159: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Aug 26 18:38:32.421163: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Aug 26 18:38:32.421167: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Aug 26 18:38:32.421171: | Message ID: updating counters for #2 to 1 after switching state Aug 26 18:38:32.421177: | Message ID: recv #1.#2 request 
1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Aug 26 18:38:32.421182: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Aug 26 18:38:32.421185: | pstats #2 ikev2.child established Aug 26 18:38:32.421195: "eastnet-northnet"[1] 192.1.3.33 #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Aug 26 18:38:32.421201: | NAT-T: encaps is 'auto' Aug 26 18:38:32.421205: "eastnet-northnet"[1] 192.1.3.33 #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x173b1f61 <0x9f33cf1b xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive} Aug 26 18:38:32.421212: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Aug 26 18:38:32.421219: | sending 241 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Aug 26 18:38:32.421225: | ad 6d 60 74 a3 e2 ed 1a 47 4e 95 2d b8 ba d3 51 Aug 26 18:38:32.421227: | 2e 20 23 20 00 00 00 01 00 00 00 f1 29 00 00 d5 Aug 26 18:38:32.421230: | 6d a3 5d 42 8f 58 84 d5 bc 1b 7f d8 fb 12 3c d8 Aug 26 18:38:32.421232: | d6 8c df 41 f0 04 1f a0 02 31 01 92 7d 97 98 9d Aug 26 18:38:32.421235: | fe 7c 2b b3 65 77 53 50 a9 e4 24 b8 8a 81 df 62 Aug 26 18:38:32.421238: | d5 71 7d 7d 76 25 cc f4 25 f4 dc c4 a8 fd 04 4f Aug 26 18:38:32.421240: | 1d fa 92 24 9a f3 15 38 21 9e 99 9e b0 11 f7 1a Aug 26 18:38:32.421243: | 78 05 14 58 df 48 45 2a 82 e2 1f 0f 4f a3 15 16 Aug 26 18:38:32.421245: | 36 84 bb 86 65 68 c7 d2 8f ac b5 ce 74 cf c8 73 Aug 26 18:38:32.421251: | db e2 2e 34 c0 c0 69 f1 11 1b 3c 80 43 1f 73 60 Aug 26 18:38:32.421253: | b2 21 da 76 2c b0 fb 1a e6 90 14 23 6e 32 88 c1 Aug 26 18:38:32.421256: | ba b8 61 80 7e 62 27 04 7c e3 42 00 83 64 f3 dc Aug 26 18:38:32.421258: | 80 2f c2 9d b8 72 21 cd 24 ec d9 f2 e5 d9 24 e5 Aug 26 18:38:32.421261: | b1 da 6b 
24 79 92 10 50 49 50 7c 64 3a 01 3c 6b Aug 26 18:38:32.421263: | bf cd d3 7b aa 1d 42 13 69 70 87 03 d5 d8 82 86 Aug 26 18:38:32.421266: | 8c Aug 26 18:38:32.421333: | releasing whack for #2 (sock=fd@-1) Aug 26 18:38:32.421340: | releasing whack and unpending for parent #1 Aug 26 18:38:32.421345: | unpending state #1 connection "eastnet-northnet"[1] 192.1.3.33 Aug 26 18:38:32.421350: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Aug 26 18:38:32.421355: | event_schedule: new EVENT_SA_REKEY-pe@0x561d688017b8 Aug 26 18:38:32.421361: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Aug 26 18:38:32.421365: | libevent_malloc: new ptr-libevent@0x561d68800f38 size 128 Aug 26 18:38:32.421381: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 18:38:32.421390: | #1 spent 3.84 milliseconds in resume sending helper answer Aug 26 18:38:32.421396: | stop processing: state #2 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:833) Aug 26 18:38:32.421402: | libevent_free: release ptr-libevent@0x7fb890000f48 Aug 26 18:38:32.421420: | processing signal PLUTO_SIGCHLD Aug 26 18:38:32.421426: | waitpid returned ECHILD (no child processes left) Aug 26 18:38:32.421431: | spent 0.00587 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:38:32.421434: | processing signal PLUTO_SIGCHLD Aug 26 18:38:32.421437: | waitpid returned ECHILD (no child processes left) Aug 26 18:38:32.421441: | spent 0.00376 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:38:32.421444: | processing signal PLUTO_SIGCHLD Aug 26 18:38:32.421448: | waitpid returned ECHILD (no child processes left) Aug 26 18:38:32.421452: | spent 0.00416 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:38:39.170704: | spent 0.00374 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 18:38:39.170736: | *received 121 bytes from 192.1.8.22:500 on eth1 
(192.1.2.23:500) Aug 26 18:38:39.170741: | ad 6d 60 74 a3 e2 ed 1a 47 4e 95 2d b8 ba d3 51 Aug 26 18:38:39.170744: | 2e 20 25 08 00 00 00 02 00 00 00 79 29 00 00 5d Aug 26 18:38:39.170747: | 8e 50 c3 77 62 00 ae 13 99 b5 c8 76 37 4b 2d 66 Aug 26 18:38:39.170749: | 56 8d 0a f5 38 0b 9a 08 0f 59 8c 54 27 81 08 5d Aug 26 18:38:39.170751: | a3 9a 00 19 8c 55 8b 03 5b 7f 3a f4 cb 9c fe af Aug 26 18:38:39.170754: | fc 39 25 ae a2 8c cd d9 6f df 86 ce 03 c6 3f 07 Aug 26 18:38:39.170756: | b2 0e c9 99 d3 3c d8 97 19 54 be 8c 11 5a c4 4b Aug 26 18:38:39.170759: | f3 e7 d9 5d 4f 9d 42 fd 25 Aug 26 18:38:39.170764: | start processing: from 192.1.8.22:500 (in process_md() at demux.c:378) Aug 26 18:38:39.170768: | **parse ISAKMP Message: Aug 26 18:38:39.170771: | initiator cookie: Aug 26 18:38:39.170773: | ad 6d 60 74 a3 e2 ed 1a Aug 26 18:38:39.170776: | responder cookie: Aug 26 18:38:39.170778: | 47 4e 95 2d b8 ba d3 51 Aug 26 18:38:39.170781: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 18:38:39.170784: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:38:39.170787: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 18:38:39.170792: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 18:38:39.170794: | Message ID: 2 (0x2) Aug 26 18:38:39.170797: | length: 121 (0x79) Aug 26 18:38:39.170800: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Aug 26 18:38:39.170804: | I am the IKE SA Original Responder receiving an IKEv2 INFORMATIONAL request Aug 26 18:38:39.170809: | State DB: found IKEv2 state #1 in PARENT_R2 (find_v2_ike_sa) Aug 26 18:38:39.170820: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 18:38:39.170823: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 18:38:39.170829: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at 
ikev2.c:2064) Aug 26 18:38:39.170832: | #1 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Aug 26 18:38:39.170837: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 Aug 26 18:38:39.170839: | unpacking clear payload Aug 26 18:38:39.170842: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 18:38:39.170845: | ***parse IKEv2 Encryption Payload: Aug 26 18:38:39.170848: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:39.170851: | flags: none (0x0) Aug 26 18:38:39.170853: | length: 93 (0x5d) Aug 26 18:38:39.170856: | processing payload: ISAKMP_NEXT_v2SK (len=89) Aug 26 18:38:39.170861: | Message ID: start-responder #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=-1->2 Aug 26 18:38:39.170864: | #1 in state PARENT_R2: received v2I2, PARENT SA established Aug 26 18:38:39.170884: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Aug 26 18:38:39.170887: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:38:39.170890: | **parse IKEv2 Notify Payload: Aug 26 18:38:39.170893: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:39.170896: | flags: none (0x0) Aug 26 18:38:39.170898: | length: 8 (0x8) Aug 26 18:38:39.170901: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:39.170903: | SPI size: 0 (0x0) Aug 26 18:38:39.170906: | Notify Message Type: v2N_UPDATE_SA_ADDRESSES (0x4010) Aug 26 18:38:39.170909: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 18:38:39.170912: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:38:39.170914: | **parse IKEv2 Notify Payload: Aug 26 18:38:39.170917: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:39.170919: | flags: none (0x0) Aug 26 18:38:39.170922: | length: 28 (0x1c) Aug 26 18:38:39.170924: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:39.170926: | SPI size: 0 (0x0) Aug 26 18:38:39.170929: | Notify Message Type: 
v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 18:38:39.170932: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 18:38:39.170934: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:38:39.170937: | **parse IKEv2 Notify Payload: Aug 26 18:38:39.170939: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:39.170942: | flags: none (0x0) Aug 26 18:38:39.170944: | length: 28 (0x1c) Aug 26 18:38:39.170947: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:39.170949: | SPI size: 0 (0x0) Aug 26 18:38:39.170952: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 18:38:39.170954: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 18:38:39.170957: | selected state microcode R2: process Informational Request Aug 26 18:38:39.170960: | Now let's proceed with state specific processing Aug 26 18:38:39.170962: | calling processor R2: process Informational Request Aug 26 18:38:39.170966: | an informational request should send a response Aug 26 18:38:39.170969: | Need to process v2N_UPDATE_SA_ADDRESSES Aug 26 18:38:39.170972: | TODO: Need to process NAT DETECTION payload if we are initiator Aug 26 18:38:39.170975: | TODO: Need to process NAT DETECTION payload if we are initiator Aug 26 18:38:39.170980: | #2 pst=#1 MOBIKE update remote address 192.1.3.33:500 -> 192.1.8.22:500 Aug 26 18:38:39.170988: | responder migrate kernel SA esp.173b1f61@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_OUT Aug 26 18:38:39.171065: | responder migrate kernel SA esp.9f33cf1b@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_IN Aug 26 18:38:39.171097: | responder migrate kernel SA esp.9f33cf1b@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_FWD Aug 26 18:38:39.171115: "eastnet-northnet"[1] 192.1.3.33 #1: success MOBIKE update remote address 192.1.3.33:500 -> 192.1.8.22:500 Aug 26 18:38:39.171121: | free hp@0x561d687fdd78 Aug 26 18:38:39.171127: | connect_to_host_pair: 192.1.2.23:500 192.1.8.22:500 -> hp@(nil): none Aug 26 18:38:39.171130: | new 
hp@0x561d687fdd78 Aug 26 18:38:39.171137: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 18:38:39.171141: "eastnet-northnet"[1] 192.1.8.22 #1: MOBIKE request: updating IPsec SA by request Aug 26 18:38:39.171169: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Aug 26 18:38:39.171173: | **emit ISAKMP Message: Aug 26 18:38:39.171176: | initiator cookie: Aug 26 18:38:39.171178: | ad 6d 60 74 a3 e2 ed 1a Aug 26 18:38:39.171181: | responder cookie: Aug 26 18:38:39.171183: | 47 4e 95 2d b8 ba d3 51 Aug 26 18:38:39.171186: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:38:39.171189: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:38:39.171191: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 18:38:39.171194: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 18:38:39.171197: | Message ID: 2 (0x2) Aug 26 18:38:39.171200: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:38:39.171203: | ***emit IKEv2 Encryption Payload: Aug 26 18:38:39.171206: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:39.171208: | flags: none (0x0) Aug 26 18:38:39.171211: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:38:39.171215: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Aug 26 18:38:39.171218: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:38:39.171231: | adding NATD payloads to MOBIKE response Aug 26 18:38:39.171234: | NAT-Traversal support [enabled] add v2N payloads. 
Aug 26 18:38:39.171246: | natd_hash: hasher=0x561d6752b800(20) Aug 26 18:38:39.171249: | natd_hash: icookie= ad 6d 60 74 a3 e2 ed 1a Aug 26 18:38:39.171251: | natd_hash: rcookie= 47 4e 95 2d b8 ba d3 51 Aug 26 18:38:39.171254: | natd_hash: ip= c0 01 02 17 Aug 26 18:38:39.171256: | natd_hash: port=500 Aug 26 18:38:39.171259: | natd_hash: hash= 97 f6 0e 0b fe 2e 88 10 c2 f8 17 1e 13 48 c2 cd Aug 26 18:38:39.171261: | natd_hash: hash= 64 66 d9 a3 Aug 26 18:38:39.171264: | Adding a v2N Payload Aug 26 18:38:39.171267: | ****emit IKEv2 Notify Payload: Aug 26 18:38:39.171269: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:39.171272: | flags: none (0x0) Aug 26 18:38:39.171274: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:39.171277: | SPI size: 0 (0x0) Aug 26 18:38:39.171280: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 18:38:39.171283: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:38:39.171286: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'information exchange reply packet' Aug 26 18:38:39.171296: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 18:38:39.171299: | Notify data 97 f6 0e 0b fe 2e 88 10 c2 f8 17 1e 13 48 c2 cd Aug 26 18:38:39.171302: | Notify data 64 66 d9 a3 Aug 26 18:38:39.171305: | emitting length of IKEv2 Notify Payload: 28 Aug 26 18:38:39.171312: | natd_hash: hasher=0x561d6752b800(20) Aug 26 18:38:39.171314: | natd_hash: icookie= ad 6d 60 74 a3 e2 ed 1a Aug 26 18:38:39.171317: | natd_hash: rcookie= 47 4e 95 2d b8 ba d3 51 Aug 26 18:38:39.171319: | natd_hash: ip= c0 01 08 16 Aug 26 18:38:39.171321: | natd_hash: port=500 Aug 26 18:38:39.171328: | natd_hash: hash= f3 fa b6 43 bc e2 e5 03 37 60 30 20 9b 69 8f 01 Aug 26 18:38:39.171330: | natd_hash: hash= 78 b3 36 16 Aug 26 18:38:39.171332: | Adding a v2N Payload Aug 26 18:38:39.171337: | ****emit IKEv2 
Notify Payload: Aug 26 18:38:39.171340: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:39.171343: | flags: none (0x0) Aug 26 18:38:39.171345: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:39.171348: | SPI size: 0 (0x0) Aug 26 18:38:39.171350: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 18:38:39.171354: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:38:39.171356: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'information exchange reply packet' Aug 26 18:38:39.171360: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 18:38:39.171362: | Notify data f3 fa b6 43 bc e2 e5 03 37 60 30 20 9b 69 8f 01 Aug 26 18:38:39.171365: | Notify data 78 b3 36 16 Aug 26 18:38:39.171367: | emitting length of IKEv2 Notify Payload: 28 Aug 26 18:38:39.171370: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 18:38:39.171373: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:38:39.171377: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:38:39.171382: | emitting length of IKEv2 Encryption Payload: 85 Aug 26 18:38:39.171386: | emitting length of ISAKMP Message: 113 Aug 26 18:38:39.171407: | sending 113 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #1) Aug 26 18:38:39.171413: | ad 6d 60 74 a3 e2 ed 1a 47 4e 95 2d b8 ba d3 51 Aug 26 18:38:39.171417: | 2e 20 25 20 00 00 00 02 00 00 00 71 29 00 00 55 Aug 26 18:38:39.171421: | f4 2a ec 6d 31 02 51 82 15 60 97 7f 46 d2 79 28 Aug 26 18:38:39.171425: | 02 c2 03 16 b5 85 4b c4 2f 8f a3 e1 c3 ba 81 4f Aug 26 18:38:39.171429: | 97 0d 20 55 6e 62 17 c0 2e 00 28 4b af 2d 4f 7a Aug 26 18:38:39.171433: | f2 a5 95 77 8a d2 d1 4a 4a 64 ec d3 40 c8 c6 f6 Aug 26 
18:38:39.171437: | 94 8b 9c ea 2d 39 64 c2 2b 5c 36 34 85 f6 bd 46 Aug 26 18:38:39.171441: | 20 Aug 26 18:38:39.171491: | Message ID: #1 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=2 Aug 26 18:38:39.171502: | Message ID: sent #1 response 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1->2 responder.recv=1 wip.initiator=-1 wip.responder=2 Aug 26 18:38:39.171512: | #1 spent 0.512 milliseconds in processing: R2: process Informational Request in ikev2_process_state_packet() Aug 26 18:38:39.171523: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:38:39.171529: | #1 complete_v2_state_transition() PARENT_R2->PARENT_R2 with status STF_OK Aug 26 18:38:39.171534: | Message ID: updating counters for #1 to 2 after switching state Aug 26 18:38:39.171541: | Message ID: recv #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=1->2 wip.initiator=-1 wip.responder=2->-1 Aug 26 18:38:39.171548: | Message ID: #1 skipping update_send as nothing to send; initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1 wip.responder=-1 Aug 26 18:38:39.171553: | STATE_PARENT_R2: received v2I2, PARENT SA established Aug 26 18:38:39.171562: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 18:38:39.171571: | #1 spent 0.817 milliseconds in ikev2_process_packet() Aug 26 18:38:39.171578: | stop processing: from 192.1.8.22:500 (in process_md() at demux.c:380) Aug 26 18:38:39.171585: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 18:38:39.171590: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 
18:38:39.171600: | spent 0.847 milliseconds in comm_handle_cb() reading and processing packet Aug 26 18:38:50.054604: | processing global timer EVENT_SHUNT_SCAN Aug 26 18:38:50.054622: | expiring aged bare shunts from shunt table Aug 26 18:38:50.054629: | spent 0.0053 milliseconds in global timer EVENT_SHUNT_SCAN Aug 26 18:38:52.599279: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:38:52.599302: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Aug 26 18:38:52.599306: | FOR_EACH_STATE_... in sort_states Aug 26 18:38:52.599313: | get_sa_info esp.9f33cf1b@192.1.2.23 Aug 26 18:38:52.599327: | get_sa_info esp.173b1f61@192.1.8.22 Aug 26 18:38:52.599341: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:38:52.599347: | spent 0.0728 milliseconds in whack Aug 26 18:38:52.854672: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:38:52.855379: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 18:38:52.855405: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 18:38:52.855749: | FOR_EACH_STATE_... in show_states_status (sort_states) Aug 26 18:38:52.855760: | FOR_EACH_STATE_... 
in sort_states Aug 26 18:38:52.855802: | get_sa_info esp.9f33cf1b@192.1.2.23 Aug 26 18:38:52.855850: | get_sa_info esp.173b1f61@192.1.8.22 Aug 26 18:38:52.855923: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:38:52.855944: | spent 1.28 milliseconds in whack Aug 26 18:38:54.254416: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:38:54.254438: shutting down Aug 26 18:38:54.254445: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Aug 26 18:38:54.254448: | certs and keys locked by 'free_preshared_secrets' Aug 26 18:38:54.254449: forgetting secrets Aug 26 18:38:54.254456: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 18:38:54.254461: | start processing: connection "eastnet-northnet"[1] 192.1.8.22 (in delete_connection() at connections.c:189) Aug 26 18:38:54.254464: "eastnet-northnet"[1] 192.1.8.22: deleting connection "eastnet-northnet"[1] 192.1.8.22 instance with peer 192.1.8.22 {isakmp=#1/ipsec=#2} Aug 26 18:38:54.254467: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 18:38:54.254468: | pass 0 Aug 26 18:38:54.254470: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 18:38:54.254472: | state #2 Aug 26 18:38:54.254475: | suspend processing: connection "eastnet-northnet"[1] 192.1.8.22 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 18:38:54.254494: | start processing: state #2 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 18:38:54.254496: | pstats #2 ikev2.child deleted completed Aug 26 18:38:54.254500: | [RE]START processing: state #2 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in delete_state() at state.c:879) Aug 26 18:38:54.254504: "eastnet-northnet"[1] 192.1.8.22 #2: deleting state (STATE_V2_IPSEC_R) aged 21.875s and sending notification Aug 26 18:38:54.254506: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Aug 26 18:38:54.254510: | get_sa_info esp.173b1f61@192.1.8.22 Aug 26 18:38:54.254535: | get_sa_info esp.9f33cf1b@192.1.2.23 Aug 26 18:38:54.254541: "eastnet-northnet"[1] 192.1.8.22 #2: ESP traffic information: in=336B out=336B Aug 26 18:38:54.254544: | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R Aug 26 18:38:54.254546: | Opening output PBS informational exchange delete request Aug 26 18:38:54.254548: | **emit ISAKMP Message: Aug 26 18:38:54.254550: | initiator cookie: Aug 26 18:38:54.254552: | ad 6d 60 74 a3 e2 ed 1a Aug 26 18:38:54.254554: | responder cookie: Aug 26 18:38:54.254555: | 47 4e 95 2d b8 ba d3 51 Aug 26 18:38:54.254557: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:38:54.254563: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:38:54.254566: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 18:38:54.254568: | flags: none (0x0) Aug 26 18:38:54.254569: | Message ID: 0 (0x0) Aug 26 18:38:54.254571: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:38:54.254574: | ***emit IKEv2 Encryption Payload: Aug 26 18:38:54.254576: | next payload 
type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:54.254577: | flags: none (0x0) Aug 26 18:38:54.254580: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:38:54.254581: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:38:54.254584: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:38:54.254592: | ****emit IKEv2 Delete Payload: Aug 26 18:38:54.254594: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:54.254595: | flags: none (0x0) Aug 26 18:38:54.254597: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 18:38:54.254599: | SPI size: 4 (0x4) Aug 26 18:38:54.254600: | number of SPIs: 1 (0x1) Aug 26 18:38:54.254603: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 18:38:54.254604: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:38:54.254607: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Aug 26 18:38:54.254608: | local spis 9f 33 cf 1b Aug 26 18:38:54.254610: | emitting length of IKEv2 Delete Payload: 12 Aug 26 18:38:54.254612: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 18:38:54.254614: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:38:54.254616: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:38:54.254618: | emitting length of IKEv2 Encryption Payload: 41 Aug 26 18:38:54.254619: | emitting length of ISAKMP Message: 69 Aug 26 18:38:54.254640: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #2) Aug 26 18:38:54.254642: | ad 6d 60 74 a3 e2 ed 1a 47 4e 95 2d b8 ba d3 51 Aug 26 18:38:54.254644: | 2e 20 25 00 00 00 
00 00 00 00 00 45 2a 00 00 29 Aug 26 18:38:54.254645: | 0e bc 9a 4b 4c 87 e5 05 a0 f1 d3 f0 35 91 ca e7 Aug 26 18:38:54.254647: | 09 d4 8f ff 7b 9c dd a2 32 a2 98 39 a3 69 4b ed Aug 26 18:38:54.254648: | d9 a1 c6 91 34 Aug 26 18:38:54.254693: | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Aug 26 18:38:54.254697: | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send Aug 26 18:38:54.254702: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1->0 wip.responder=-1 Aug 26 18:38:54.254705: | state #2 requesting EVENT_SA_REKEY to be deleted Aug 26 18:38:54.254709: | libevent_free: release ptr-libevent@0x561d68800f38 Aug 26 18:38:54.254712: | free_event_entry: release EVENT_SA_REKEY-pe@0x561d688017b8 Aug 26 18:38:54.254761: | running updown command "ipsec _updown" for verb down Aug 26 18:38:54.254765: | command executing down-client Aug 26 18:38:54.254810: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566844712' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' 
PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_ Aug 26 18:38:54.254815: | popen cmd is 1061 chars long Aug 26 18:38:54.254819: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet': Aug 26 18:38:54.254822: | cmd( 80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_: Aug 26 18:38:54.254825: | cmd( 160):MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0: Aug 26 18:38:54.254828: | cmd( 240):' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' P: Aug 26 18:38:54.254831: | cmd( 320):LUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID=: Aug 26 18:38:54.254846: | cmd( 400):'192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' : Aug 26 18:38:54.254849: | cmd( 480):PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=': Aug 26 18:38:54.254852: | cmd( 560):0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566844712' PLUTO_CONN_P: Aug 26 18:38:54.254855: | cmd( 640):OLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_: Aug 26 18:38:54.254857: | cmd( 720):NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 : Aug 26 18:38:54.254860: | cmd( 800):PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_P: Aug 26 18:38:54.254863: | cmd( 880):EER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' : Aug 26 18:38:54.254866: | cmd( 960):VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x173b1f61 SPI_OUT=0x9f33cf: Aug 26 18:38:54.254869: | cmd(1040):1b ipsec _updown 2>&1: Aug 26 18:38:54.262561: | shunt_eroute() called for connection 'eastnet-northnet' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 Aug 26 18:38:54.262578: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 
18:38:54.262581: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 18:38:54.262585: | IPsec Sa SPD priority set to 1042407 Aug 26 18:38:54.262615: | delete esp.173b1f61@192.1.8.22 Aug 26 18:38:54.262667: | netlink response for Del SA esp.173b1f61@192.1.8.22 included non-error error Aug 26 18:38:54.262673: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 18:38:54.262682: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Aug 26 18:38:54.262706: | raw_eroute result=success Aug 26 18:38:54.262712: | delete esp.9f33cf1b@192.1.2.23 Aug 26 18:38:54.262725: | netlink response for Del SA esp.9f33cf1b@192.1.2.23 included non-error error Aug 26 18:38:54.262743: | stop processing: connection "eastnet-northnet"[1] 192.1.8.22 (BACKGROUND) (in update_state_connection() at connections.c:4076) Aug 26 18:38:54.262750: | start processing: connection NULL (in update_state_connection() at connections.c:4077) Aug 26 18:38:54.262754: | in connection_discard for connection eastnet-northnet Aug 26 18:38:54.262758: | State DB: deleting IKEv2 state #2 in V2_IPSEC_R Aug 26 18:38:54.262766: | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Aug 26 18:38:54.262774: | stop processing: state #2 from 192.1.8.22:500 (in delete_state() at state.c:1143) Aug 26 18:38:54.262784: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 18:38:54.262785: | state #1 Aug 26 18:38:54.262787: | pass 1 Aug 26 18:38:54.262789: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 18:38:54.262790: | state #1 Aug 26 18:38:54.262794: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 18:38:54.262799: | pstats #1 ikev2.ike deleted completed Aug 26 18:38:54.262805: | #1 spent 9.76 milliseconds in total Aug 26 18:38:54.262808: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in delete_state() at state.c:879) Aug 26 18:38:54.262812: "eastnet-northnet"[1] 192.1.8.22 #1: deleting state (STATE_PARENT_R2) aged 21.894s and sending notification Aug 26 18:38:54.262814: | parent state #1: PARENT_R2(established IKE SA) => delete Aug 26 18:38:54.262861: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Aug 26 18:38:54.262866: | Opening output PBS informational exchange delete request Aug 26 18:38:54.262869: | **emit ISAKMP Message: Aug 26 18:38:54.262871: | initiator cookie: Aug 26 18:38:54.262873: | ad 6d 60 74 a3 e2 ed 1a Aug 26 18:38:54.262874: | responder cookie: Aug 26 18:38:54.262876: | 47 4e 95 2d b8 ba d3 51 Aug 26 18:38:54.262878: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:38:54.262880: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:38:54.262882: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 18:38:54.262885: | flags: none (0x0) Aug 26 18:38:54.262887: | Message ID: 1 (0x1) Aug 26 18:38:54.262889: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:38:54.262892: | ***emit IKEv2 Encryption Payload: Aug 26 18:38:54.262894: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:54.262895: | flags: none (0x0) Aug 26 18:38:54.262897: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:38:54.262899: | next payload chain: saving location 'IKEv2 Encryption 
Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:38:54.262902: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:38:54.262915: | ****emit IKEv2 Delete Payload: Aug 26 18:38:54.262917: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:54.262918: | flags: none (0x0) Aug 26 18:38:54.262920: | protocol ID: PROTO_v2_IKE (0x1) Aug 26 18:38:54.262922: | SPI size: 0 (0x0) Aug 26 18:38:54.262923: | number of SPIs: 0 (0x0) Aug 26 18:38:54.262926: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 18:38:54.262928: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:38:54.262929: | emitting length of IKEv2 Delete Payload: 8 Aug 26 18:38:54.262931: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 18:38:54.262934: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:38:54.262936: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:38:54.262937: | emitting length of IKEv2 Encryption Payload: 37 Aug 26 18:38:54.262939: | emitting length of ISAKMP Message: 65 Aug 26 18:38:54.262963: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #1) Aug 26 18:38:54.262965: | ad 6d 60 74 a3 e2 ed 1a 47 4e 95 2d b8 ba d3 51 Aug 26 18:38:54.262967: | 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25 Aug 26 18:38:54.262968: | 3a 6a 5c 13 57 0c 5b 58 4a 4c b8 60 7e 91 8d 82 Aug 26 18:38:54.262970: | 4a 60 b5 50 8a ed 09 8e 6e f2 ac 2f b4 85 0d a1 Aug 26 18:38:54.262971: | ea Aug 26 18:38:54.263014: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Aug 26 18:38:54.263017: | Message ID: IKE #1 sender #1 in send_delete hacking around 
record ' send Aug 26 18:38:54.263021: | Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=1 wip.responder=-1 Aug 26 18:38:54.263027: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=0->1 wip.responder=-1 Aug 26 18:38:54.263029: | state #1 requesting EVENT_SA_REKEY to be deleted Aug 26 18:38:54.263037: | libevent_free: release ptr-libevent@0x561d68800838 Aug 26 18:38:54.263039: | free_event_entry: release EVENT_SA_REKEY-pe@0x561d687fdea8 Aug 26 18:38:54.263043: | State DB: IKEv2 state not found (flush_incomplete_children) Aug 26 18:38:54.263045: | in connection_discard for connection eastnet-northnet Aug 26 18:38:54.263047: | State DB: deleting IKEv2 state #1 in PARENT_R2 Aug 26 18:38:54.263049: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Aug 26 18:38:54.263077: | stop processing: state #1 from 192.1.8.22:500 (in delete_state() at state.c:1143) Aug 26 18:38:54.263099: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 18:38:54.263102: | shunt_eroute() called for connection 'eastnet-northnet' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 Aug 26 18:38:54.263104: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 18:38:54.263106: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 18:38:54.263120: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 18:38:54.263127: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 18:38:54.263130: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 18:38:54.263131: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 18:38:54.263133: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 18:38:54.263135: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 18:38:54.263137: | route owner of "eastnet-northnet" unrouted: NULL Aug 26 18:38:54.263139: | running updown command "ipsec _updown" for verb unroute Aug 26 18:38:54.263141: | command executing unroute-client Aug 26 18:38:54.263159: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SH Aug 26 18:38:54.263161: | popen cmd is 1042 chars long Aug 26 18:38:54.263163: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northn: Aug 26 18:38:54.263165: | cmd( 80):et' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLU: Aug 26 18:38:54.263167: | cmd( 160):TO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.: Aug 26 
18:38:54.263169: | cmd( 240):2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0: Aug 26 18:38:54.263170: | cmd( 320):' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.8.22' PLUTO_PEER: Aug 26 18:38:54.263172: | cmd( 400):_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3: Aug 26 18:38:54.263174: | cmd( 480):.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOC: Aug 26 18:38:54.263176: | cmd( 560):OL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY: Aug 26 18:38:54.263180: | cmd( 640):='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' P: Aug 26 18:38:54.263183: | cmd( 720):LUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO: Aug 26 18:38:54.263186: | cmd( 800):_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_B: Aug 26 18:38:54.263189: | cmd( 880):ANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_I: Aug 26 18:38:54.263191: | cmd( 960):FACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>: Aug 26 18:38:54.263193: | cmd(1040):&1: Aug 26 18:38:54.271548: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:54.271566: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:54.271568: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:54.271571: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:54.271573: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:54.271574: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:54.271576: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:54.271578: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:54.271585: unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 18:38:54.271634: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:54.271641: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:54.271642: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:54.271644: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:54.271645: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:54.271648: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:54.271649: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:54.271651: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:54.271664: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:54.271668: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:54.271680: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:54.271685: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:54.276172: | free hp@0x561d687fdd78 Aug 26 18:38:54.276187: | flush revival: connection 'eastnet-northnet' wasn't on the list Aug 26 18:38:54.276191: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Aug 26 18:38:54.276200: | start processing: connection "eastnet-northnet" (in delete_connection() at connections.c:189) Aug 26 18:38:54.276202: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 18:38:54.276204: | pass 0 Aug 26 18:38:54.276206: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 18:38:54.276207: | pass 1 Aug 26 18:38:54.276209: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 18:38:54.276211: | free hp@0x561d687fbe18 Aug 26 18:38:54.276213: | flush revival: connection 'eastnet-northnet' wasn't on the list Aug 26 18:38:54.276215: | stop processing: connection "eastnet-northnet" (in discard_connection() at connections.c:249) Aug 26 18:38:54.276224: | crl fetch request list locked by 'free_crl_fetch' Aug 26 18:38:54.276226: | crl fetch request list unlocked by 'free_crl_fetch' Aug 26 18:38:54.276235: shutting down interface lo/lo 127.0.0.1:4500 Aug 26 18:38:54.276238: shutting down interface lo/lo 127.0.0.1:500 Aug 26 18:38:54.276240: shutting down interface eth0/eth0 192.0.2.254:4500 Aug 26 18:38:54.276242: shutting down interface eth0/eth0 192.0.2.254:500 Aug 26 18:38:54.276244: shutting down interface eth1/eth1 192.1.2.23:4500 Aug 26 18:38:54.276246: shutting down interface eth1/eth1 192.1.2.23:500 Aug 26 18:38:54.276249: | FOR_EACH_STATE_... in delete_states_dead_interfaces Aug 26 18:38:54.276263: | libevent_free: release ptr-libevent@0x561d687eddc8 Aug 26 18:38:54.276265: | free_event_entry: release EVENT_NULL-pe@0x561d687f9be8 Aug 26 18:38:54.276274: | libevent_free: release ptr-libevent@0x561d6878a468 Aug 26 18:38:54.276276: | free_event_entry: release EVENT_NULL-pe@0x561d687f9c98 Aug 26 18:38:54.276281: | libevent_free: release ptr-libevent@0x561d6878a368 Aug 26 18:38:54.276282: | free_event_entry: release EVENT_NULL-pe@0x561d687f9d48 Aug 26 18:38:54.276310: | libevent_free: release ptr-libevent@0x561d6878b748 Aug 26 18:38:54.276312: | free_event_entry: release EVENT_NULL-pe@0x561d687f9df8 Aug 26 18:38:54.276332: | libevent_free: release ptr-libevent@0x561d6875fba8 Aug 26 18:38:54.276334: | free_event_entry: release EVENT_NULL-pe@0x561d687f9ea8 Aug 26 18:38:54.276339: | libevent_free: release ptr-libevent@0x561d6875a1d8 Aug 26 18:38:54.276340: | free_event_entry: release EVENT_NULL-pe@0x561d687f9f58 Aug 26 18:38:54.276344: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Aug 26 18:38:54.276709: | libevent_free: release ptr-libevent@0x561d687ede78 Aug 26 18:38:54.276715: | free_event_entry: release EVENT_NULL-pe@0x561d687e1c38 Aug 26 18:38:54.276720: | libevent_free: release ptr-libevent@0x561d6878be18 Aug 26 18:38:54.276722: | free_event_entry: release EVENT_NULL-pe@0x561d687e10f8 Aug 26 18:38:54.276725: | libevent_free: release ptr-libevent@0x561d687c54b8 Aug 26 18:38:54.276727: | free_event_entry: release EVENT_NULL-pe@0x561d687e1ca8 Aug 26 18:38:54.276730: | global timer EVENT_REINIT_SECRET uninitialized Aug 26 18:38:54.276732: | global timer EVENT_SHUNT_SCAN uninitialized Aug 26 18:38:54.276734: | global timer EVENT_PENDING_DDNS uninitialized Aug 26 18:38:54.276735: | global timer EVENT_PENDING_PHASE2 uninitialized Aug 26 18:38:54.276737: | global timer EVENT_CHECK_CRLS uninitialized Aug 26 18:38:54.276738: | global timer EVENT_REVIVE_CONNS uninitialized Aug 26 18:38:54.276740: | global timer EVENT_FREE_ROOT_CERTS uninitialized Aug 26 18:38:54.276742: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Aug 26 18:38:54.276743: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Aug 26 18:38:54.276747: | libevent_free: release ptr-libevent@0x561d6878d088 Aug 26 18:38:54.276749: | signal event handler PLUTO_SIGCHLD uninstalled Aug 26 18:38:54.276751: | libevent_free: release ptr-libevent@0x561d687f9338 Aug 26 18:38:54.276753: | signal event handler PLUTO_SIGTERM uninstalled Aug 26 18:38:54.276755: | libevent_free: release ptr-libevent@0x561d687f9448 Aug 26 18:38:54.276756: | signal event handler PLUTO_SIGHUP uninstalled Aug 26 18:38:54.276758: | libevent_free: release ptr-libevent@0x561d687f9688 Aug 26 18:38:54.276760: | signal event handler PLUTO_SIGSYS uninstalled Aug 26 18:38:54.276762: | releasing event base Aug 26 18:38:54.276771: | libevent_free: release ptr-libevent@0x561d687f9558 Aug 26 18:38:54.276773: | libevent_free: release ptr-libevent@0x561d687dc4e8 Aug 26 18:38:54.276775: | libevent_free: 
release ptr-libevent@0x561d687dc498 Aug 26 18:38:54.276777: | libevent_free: release ptr-libevent@0x561d687dc428 Aug 26 18:38:54.276779: | libevent_free: release ptr-libevent@0x561d687dc3e8 Aug 26 18:38:54.276781: | libevent_free: release ptr-libevent@0x561d687f9108 Aug 26 18:38:54.276782: | libevent_free: release ptr-libevent@0x561d687f92b8 Aug 26 18:38:54.276784: | libevent_free: release ptr-libevent@0x561d687dc698 Aug 26 18:38:54.276785: | libevent_free: release ptr-libevent@0x561d687e1208 Aug 26 18:38:54.276787: | libevent_free: release ptr-libevent@0x561d687e1bf8 Aug 26 18:38:54.276788: | libevent_free: release ptr-libevent@0x561d687f9fc8 Aug 26 18:38:54.276790: | libevent_free: release ptr-libevent@0x561d687f9f18 Aug 26 18:38:54.276792: | libevent_free: release ptr-libevent@0x561d687f9e68 Aug 26 18:38:54.276793: | libevent_free: release ptr-libevent@0x561d687f9db8 Aug 26 18:38:54.276795: | libevent_free: release ptr-libevent@0x561d687f9d08 Aug 26 18:38:54.276796: | libevent_free: release ptr-libevent@0x561d687f9c58 Aug 26 18:38:54.276798: | libevent_free: release ptr-libevent@0x561d68788ba8 Aug 26 18:38:54.276803: | libevent_free: release ptr-libevent@0x561d687f9408 Aug 26 18:38:54.276804: | libevent_free: release ptr-libevent@0x561d687f92f8 Aug 26 18:38:54.276806: | libevent_free: release ptr-libevent@0x561d687f9278 Aug 26 18:38:54.276808: | libevent_free: release ptr-libevent@0x561d687f9518 Aug 26 18:38:54.276809: | libevent_free: release ptr-libevent@0x561d687f9148 Aug 26 18:38:54.276811: | libevent_free: release ptr-libevent@0x561d68759908 Aug 26 18:38:54.276813: | libevent_free: release ptr-libevent@0x561d68759d38 Aug 26 18:38:54.276814: | libevent_free: release ptr-libevent@0x561d68788f18 Aug 26 18:38:54.276816: | releasing global libevent data Aug 26 18:38:54.276818: | libevent_free: release ptr-libevent@0x561d6878bec8 Aug 26 18:38:54.276820: | libevent_free: release ptr-libevent@0x561d68759cd8 Aug 26 18:38:54.276822: | libevent_free: release 
ptr-libevent@0x561d68759dd8 Aug 26 18:38:54.276856: leak detective found no leaks