Aug 26 18:38:32.642492: FIPS Product: YES
Aug 26 18:38:32.642535: FIPS Kernel: NO
Aug 26 18:38:32.642538: FIPS Mode: NO
Aug 26 18:38:32.642541: NSS DB directory: sql:/etc/ipsec.d
Aug 26 18:38:32.642697: Initializing NSS
Aug 26 18:38:32.642704: Opening NSS database "sql:/etc/ipsec.d" read-only
Aug 26 18:38:32.681506: NSS initialized
Aug 26 18:38:32.681527: NSS crypto library initialized
Aug 26 18:38:32.681530: FIPS HMAC integrity support [enabled]
Aug 26 18:38:32.681533: FIPS mode disabled for pluto daemon
Aug 26 18:38:32.747742: FIPS HMAC integrity verification self-test FAILED
Aug 26 18:38:32.747855: libcap-ng support [enabled]
Aug 26 18:38:32.747864: Linux audit support [enabled]
Aug 26 18:38:32.748282: Linux audit activated
Aug 26 18:38:32.748298: Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:7308
Aug 26 18:38:32.748305: core dump dir: /tmp
Aug 26 18:38:32.748308: secrets file: /etc/ipsec.secrets
Aug 26 18:38:32.748311: leak-detective enabled
Aug 26 18:38:32.748313: NSS crypto [enabled]
Aug 26 18:38:32.748315: XAUTH PAM support [enabled]
Aug 26 18:38:32.748396: | libevent is using pluto's memory allocator
Aug 26 18:38:32.748405: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
Aug 26 18:38:32.748422: | libevent_malloc: new ptr-libevent@0x55e2616d1178 size 40
Aug 26 18:38:32.748430: | libevent_malloc: new ptr-libevent@0x55e2616d5cd8 size 40
Aug 26 18:38:32.748434: | libevent_malloc: new ptr-libevent@0x55e2616d5dd8 size 40
Aug 26 18:38:32.748436: | creating event base
Aug 26 18:38:32.748440: | libevent_malloc: new ptr-libevent@0x55e261758a28 size 56
Aug 26 18:38:32.748445: | libevent_malloc: new ptr-libevent@0x55e261704e48 size 664
Aug 26 18:38:32.748455: | libevent_malloc: new ptr-libevent@0x55e261758a98 size 24
Aug 26 18:38:32.748458: | libevent_malloc: new ptr-libevent@0x55e261758ae8 size 384
Aug 26 18:38:32.748469: | libevent_malloc: new ptr-libevent@0x55e2617589e8 size 16
Aug 26 18:38:32.748472: | libevent_malloc: new ptr-libevent@0x55e2616d5908 size 40
Aug 26 18:38:32.748475: | libevent_malloc: new ptr-libevent@0x55e2616d5d38 size 48
Aug 26 18:38:32.748480: | libevent_realloc: new ptr-libevent@0x55e261705948 size 256
Aug 26 18:38:32.748483: | libevent_malloc: new ptr-libevent@0x55e261758c98 size 16
Aug 26 18:38:32.748488: | libevent_free: release ptr-libevent@0x55e261758a28
Aug 26 18:38:32.748492: | libevent initialized
Aug 26 18:38:32.748496: | libevent_realloc: new ptr-libevent@0x55e261758a28 size 64
Aug 26 18:38:32.748500: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds
Aug 26 18:38:32.748518: | init_nat_traversal() initialized with keep_alive=0s
Aug 26 18:38:32.748522: NAT-Traversal support [enabled]
Aug 26 18:38:32.748525: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized
Aug 26 18:38:32.748531: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized
Aug 26 18:38:32.748535: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds
Aug 26 18:38:32.748573: | global one-shot timer EVENT_REVIVE_CONNS initialized
Aug 26 18:38:32.748578: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds
Aug 26 18:38:32.748581: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds
Aug 26 18:38:32.748633: Encryption algorithms:
Aug 26 18:38:32.748643: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c
Aug 26 18:38:32.748648: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b
Aug 26 18:38:32.748652: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a
Aug 26 18:38:32.748656: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des
Aug 26 18:38:32.748660: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
Aug 26 18:38:32.748672: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia
Aug 26 18:38:32.748676: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c
Aug 26 18:38:32.748680: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b
Aug 26 18:38:32.748684: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a
Aug 26 18:38:32.748687: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr
Aug 26 18:38:32.748691: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes
Aug 26 18:38:32.748694: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent
Aug 26 18:38:32.748698: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish
Aug 26 18:38:32.748702: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh
Aug 26 18:38:32.748706: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac
Aug 26 18:38:32.748710: NULL IKEv1: ESP IKEv2: ESP []
Aug 26 18:38:32.748713: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305
Aug 26 18:38:32.748721: Hash algorithms:
Aug 26 18:38:32.748725: MD5 IKEv1: IKE IKEv2:
Aug 26 18:38:32.748728: SHA1 IKEv1: IKE IKEv2: FIPS sha
Aug 26 18:38:32.748732: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256
Aug 26 18:38:32.748735: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384
Aug 26 18:38:32.748739: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512
Aug 26 18:38:32.748754: PRF algorithms:
Aug 26 18:38:32.748758: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5
Aug 26 18:38:32.748761: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1
Aug 26 18:38:32.748765: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256
Aug 26 18:38:32.748769: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384
Aug 26 18:38:32.748773: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512
Aug 26 18:38:32.748776: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc
Aug 26 18:38:32.748804: Integrity algorithms:
Aug 26 18:38:32.748809: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5
Aug 26 18:38:32.748814: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1
Aug 26 18:38:32.748818: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512
Aug 26 18:38:32.748823: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384
Aug 26 18:38:32.748827: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Aug 26 18:38:32.748831: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
Aug 26 18:38:32.748835: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96
Aug 26 18:38:32.748838: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
Aug 26 18:38:32.748842: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
Aug 26 18:38:32.748854: DH algorithms:
Aug 26 18:38:32.748858: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0
Aug 26 18:38:32.748862: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5
Aug 26 18:38:32.748865: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14
Aug 26 18:38:32.748871: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15
Aug 26 18:38:32.748874: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16
Aug 26 18:38:32.748877: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17
Aug 26 18:38:32.748881: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18
Aug 26 18:38:32.748884: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256
Aug 26 18:38:32.748888: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384
Aug 26 18:38:32.748891: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521
Aug 26 18:38:32.748894: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519
Aug 26 18:38:32.748897: testing CAMELLIA_CBC:
Aug 26 18:38:32.748900: Camellia: 16 bytes with 128-bit key
Aug 26 18:38:32.749039: Camellia: 16 bytes with 128-bit key
Aug 26 18:38:32.749072: Camellia: 16 bytes with 256-bit key
Aug 26 18:38:32.749106: Camellia: 16 bytes with 256-bit key
Aug 26 18:38:32.749136: testing AES_GCM_16: Aug 26 18:38:32.749140: empty string Aug 26 18:38:32.749168: one block Aug 26 18:38:32.749195: two blocks Aug 26 18:38:32.749224: two blocks with associated data Aug 26 18:38:32.749256: testing AES_CTR: Aug 26 18:38:32.749263: Encrypting 16 octets using AES-CTR with 128-bit key Aug 26 18:38:32.749300: Encrypting 32 octets using AES-CTR with 128-bit key Aug 26 18:38:32.749335: Encrypting 36 octets using AES-CTR with 128-bit key Aug 26 18:38:32.749368: Encrypting 16 octets using AES-CTR with 192-bit key Aug 26 18:38:32.749399: Encrypting 32 octets using AES-CTR with 192-bit key Aug 26 18:38:32.749431: Encrypting 36 octets using AES-CTR with 192-bit key Aug 26 18:38:32.749463: Encrypting 16 octets using AES-CTR with 256-bit key Aug 26 18:38:32.749492: Encrypting 32 octets using AES-CTR with 256-bit key Aug 26 18:38:32.749522: Encrypting 36 octets using AES-CTR with 256-bit key Aug 26 18:38:32.749553: testing AES_CBC: Aug 26 18:38:32.749557: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Aug 26 18:38:32.749587: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Aug 26 18:38:32.749620: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Aug 26 18:38:32.749653: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Aug 26 18:38:32.749692: testing AES_XCBC: Aug 26 18:38:32.749697: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Aug 26 18:38:32.749820: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Aug 26 18:38:32.749959: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Aug 26 18:38:32.750098: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Aug 26 18:38:32.750232: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Aug 26 18:38:32.750358: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Aug 26 18:38:32.750506: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Aug 26 18:38:32.750807: RFC 4434 Test Case AES-XCBC-PRF-128 with 
20-byte input (key length 16) Aug 26 18:38:32.750947: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Aug 26 18:38:32.751093: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Aug 26 18:38:32.751345: testing HMAC_MD5: Aug 26 18:38:32.751357: RFC 2104: MD5_HMAC test 1 Aug 26 18:38:32.751541: RFC 2104: MD5_HMAC test 2 Aug 26 18:38:32.751707: RFC 2104: MD5_HMAC test 3 Aug 26 18:38:32.751904: 8 CPU cores online Aug 26 18:38:32.751910: starting up 7 crypto helpers Aug 26 18:38:32.752006: started thread for crypto helper 0 Aug 26 18:38:32.752035: started thread for crypto helper 1 Aug 26 18:38:32.752041: | starting up helper thread 1 Aug 26 18:38:32.752061: started thread for crypto helper 2 Aug 26 18:38:32.752084: started thread for crypto helper 3 Aug 26 18:38:32.752108: started thread for crypto helper 4 Aug 26 18:38:32.752133: started thread for crypto helper 5 Aug 26 18:38:32.752152: started thread for crypto helper 6 Aug 26 18:38:32.752160: | checking IKEv1 state table Aug 26 18:38:32.752169: | MAIN_R0: category: half-open IKE SA flags: 0: Aug 26 18:38:32.752173: | -> MAIN_R1 EVENT_SO_DISCARD Aug 26 18:38:32.752176: | MAIN_I1: category: half-open IKE SA flags: 0: Aug 26 18:38:32.752179: | -> MAIN_I2 EVENT_RETRANSMIT Aug 26 18:38:32.752183: | MAIN_R1: category: open IKE SA flags: 200: Aug 26 18:38:32.752185: | -> MAIN_R2 EVENT_RETRANSMIT Aug 26 18:38:32.752188: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 18:38:32.752190: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 18:38:32.752193: | MAIN_I2: category: open IKE SA flags: 0: Aug 26 18:38:32.752195: | -> MAIN_I3 EVENT_RETRANSMIT Aug 26 18:38:32.752198: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 18:38:32.752200: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 18:38:32.752203: | MAIN_R2: category: open IKE SA flags: 0: Aug 26 18:38:32.752061: | status value returned by setting the priority of this thread (crypto helper 1) 22 Aug 26 18:38:32.752212: | crypto helper 1 waiting (nothing to do) Aug 26 
18:38:32.752485: | starting up helper thread 3 Aug 26 18:38:32.752502: | status value returned by setting the priority of this thread (crypto helper 3) 22 Aug 26 18:38:32.752506: | crypto helper 3 waiting (nothing to do) Aug 26 18:38:32.752640: | starting up helper thread 6 Aug 26 18:38:32.752653: | status value returned by setting the priority of this thread (crypto helper 6) 22 Aug 26 18:38:32.752657: | crypto helper 6 waiting (nothing to do) Aug 26 18:38:32.752205: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 18:38:32.752766: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 18:38:32.752771: | -> UNDEFINED EVENT_SA_REPLACE Aug 26 18:38:32.752775: | MAIN_I3: category: open IKE SA flags: 0: Aug 26 18:38:32.752777: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 18:38:32.752780: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 18:38:32.752782: | -> UNDEFINED EVENT_SA_REPLACE Aug 26 18:38:32.752784: | MAIN_R3: category: established IKE SA flags: 200: Aug 26 18:38:32.752787: | -> UNDEFINED EVENT_NULL Aug 26 18:38:32.752789: | MAIN_I4: category: established IKE SA flags: 0: Aug 26 18:38:32.752792: | -> UNDEFINED EVENT_NULL Aug 26 18:38:32.752795: | AGGR_R0: category: half-open IKE SA flags: 0: Aug 26 18:38:32.752797: | -> AGGR_R1 EVENT_SO_DISCARD Aug 26 18:38:32.752799: | AGGR_I1: category: half-open IKE SA flags: 0: Aug 26 18:38:32.752802: | -> AGGR_I2 EVENT_SA_REPLACE Aug 26 18:38:32.752805: | -> AGGR_I2 EVENT_SA_REPLACE Aug 26 18:38:32.752807: | AGGR_R1: category: open IKE SA flags: 200: Aug 26 18:38:32.752809: | -> AGGR_R2 EVENT_SA_REPLACE Aug 26 18:38:32.752812: | -> AGGR_R2 EVENT_SA_REPLACE Aug 26 18:38:32.752815: | AGGR_I2: category: established IKE SA flags: 200: Aug 26 18:38:32.752817: | -> UNDEFINED EVENT_NULL Aug 26 18:38:32.752819: | AGGR_R2: category: established IKE SA flags: 0: Aug 26 18:38:32.752822: | -> UNDEFINED EVENT_NULL Aug 26 18:38:32.752824: | QUICK_R0: category: established CHILD SA flags: 0: Aug 26 18:38:32.752827: | -> QUICK_R1 EVENT_RETRANSMIT Aug 26 18:38:32.752830: | QUICK_I1: 
category: established CHILD SA flags: 0: Aug 26 18:38:32.752832: | -> QUICK_I2 EVENT_SA_REPLACE Aug 26 18:38:32.752835: | QUICK_R1: category: established CHILD SA flags: 0: Aug 26 18:38:32.752838: | -> QUICK_R2 EVENT_SA_REPLACE Aug 26 18:38:32.752840: | QUICK_I2: category: established CHILD SA flags: 200: Aug 26 18:38:32.752843: | -> UNDEFINED EVENT_NULL Aug 26 18:38:32.752845: | QUICK_R2: category: established CHILD SA flags: 0: Aug 26 18:38:32.752848: | -> UNDEFINED EVENT_NULL Aug 26 18:38:32.752851: | INFO: category: informational flags: 0: Aug 26 18:38:32.752853: | -> UNDEFINED EVENT_NULL Aug 26 18:38:32.752856: | INFO_PROTECTED: category: informational flags: 0: Aug 26 18:38:32.752859: | -> UNDEFINED EVENT_NULL Aug 26 18:38:32.752861: | XAUTH_R0: category: established IKE SA flags: 0: Aug 26 18:38:32.752868: | -> XAUTH_R1 EVENT_NULL Aug 26 18:38:32.752872: | XAUTH_R1: category: established IKE SA flags: 0: Aug 26 18:38:32.752874: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 18:38:32.752877: | MODE_CFG_R0: category: informational flags: 0: Aug 26 18:38:32.752879: | -> MODE_CFG_R1 EVENT_SA_REPLACE Aug 26 18:38:32.752881: | MODE_CFG_R1: category: established IKE SA flags: 0: Aug 26 18:38:32.752883: | -> MODE_CFG_R2 EVENT_SA_REPLACE Aug 26 18:38:32.752886: | MODE_CFG_R2: category: established IKE SA flags: 0: Aug 26 18:38:32.752888: | -> UNDEFINED EVENT_NULL Aug 26 18:38:32.752891: | MODE_CFG_I1: category: established IKE SA flags: 0: Aug 26 18:38:32.752894: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 18:38:32.752896: | XAUTH_I0: category: established IKE SA flags: 0: Aug 26 18:38:32.752899: | -> XAUTH_I1 EVENT_RETRANSMIT Aug 26 18:38:32.752902: | XAUTH_I1: category: established IKE SA flags: 0: Aug 26 18:38:32.752905: | -> MAIN_I4 EVENT_RETRANSMIT Aug 26 18:38:32.752911: | checking IKEv2 state table Aug 26 18:38:32.752918: | PARENT_I0: category: ignore flags: 0: Aug 26 18:38:32.752921: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Aug 26 18:38:32.752924: | 
PARENT_I1: category: half-open IKE SA flags: 0: Aug 26 18:38:32.752927: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Aug 26 18:38:32.752930: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Aug 26 18:38:32.752934: | PARENT_I2: category: open IKE SA flags: 0: Aug 26 18:38:32.752936: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Aug 26 18:38:32.752939: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Aug 26 18:38:32.752942: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Aug 26 18:38:32.752945: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Aug 26 18:38:32.752947: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Aug 26 18:38:32.752951: | PARENT_I3: category: established IKE SA flags: 0: Aug 26 18:38:32.752953: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) Aug 26 18:38:32.752956: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) Aug 26 18:38:32.752959: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Aug 26 18:38:32.752962: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) Aug 26 18:38:32.752965: | PARENT_R0: category: half-open IKE SA flags: 0: Aug 26 18:38:32.752968: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) Aug 26 18:38:32.752971: | PARENT_R1: category: half-open IKE SA flags: 0: Aug 26 18:38:32.752974: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) Aug 26 18:38:32.752977: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Aug 26 18:38:32.752980: | PARENT_R2: category: established IKE SA flags: 0: Aug 26 18:38:32.752983: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Aug 26 18:38:32.752986: | -> PARENT_R2 EVENT_RETAIN (R2: 
process Informational Response) Aug 26 18:38:32.752989: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Aug 26 18:38:32.752992: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) Aug 26 18:38:32.752995: | V2_CREATE_I0: category: established IKE SA flags: 0: Aug 26 18:38:32.752998: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Aug 26 18:38:32.753001: | V2_CREATE_I: category: established IKE SA flags: 0: Aug 26 18:38:32.753004: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Aug 26 18:38:32.753007: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: Aug 26 18:38:32.753011: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Aug 26 18:38:32.753016: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Aug 26 18:38:32.753020: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Aug 26 18:38:32.753023: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Aug 26 18:38:32.753026: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Aug 26 18:38:32.753029: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Aug 26 18:38:32.753033: | V2_CREATE_R: category: established IKE SA flags: 0: Aug 26 18:38:32.753036: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Aug 26 18:38:32.753039: | V2_REKEY_IKE_R: category: established IKE SA flags: 0: Aug 26 18:38:32.753042: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Aug 26 18:38:32.753045: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Aug 26 18:38:32.753048: | V2_IPSEC_I: category: established CHILD SA flags: 0: Aug 26 18:38:32.753052: | V2_IPSEC_R: category: established CHILD SA flags: 0: Aug 26 18:38:32.753055: | IKESA_DEL: category: established IKE SA flags: 0: Aug 26 18:38:32.753058: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: 
process INFORMATIONAL) Aug 26 18:38:32.753061: | CHILDSA_DEL: category: informational flags: 0: Aug 26 18:38:32.753079: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 Aug 26 18:38:32.753334: | starting up helper thread 2 Aug 26 18:38:32.753353: | status value returned by setting the priority of this thread (crypto helper 2) 22 Aug 26 18:38:32.753357: | crypto helper 2 waiting (nothing to do) Aug 26 18:38:32.753546: | Hard-wiring algorithms Aug 26 18:38:32.753554: | adding AES_CCM_16 to kernel algorithm db Aug 26 18:38:32.753559: | adding AES_CCM_12 to kernel algorithm db Aug 26 18:38:32.753562: | adding AES_CCM_8 to kernel algorithm db Aug 26 18:38:32.753565: | adding 3DES_CBC to kernel algorithm db Aug 26 18:38:32.753567: | adding CAMELLIA_CBC to kernel algorithm db Aug 26 18:38:32.753570: | adding AES_GCM_16 to kernel algorithm db Aug 26 18:38:32.753573: | adding AES_GCM_12 to kernel algorithm db Aug 26 18:38:32.753575: | adding AES_GCM_8 to kernel algorithm db Aug 26 18:38:32.753579: | adding AES_CTR to kernel algorithm db Aug 26 18:38:32.753582: | adding AES_CBC to kernel algorithm db Aug 26 18:38:32.753584: | adding SERPENT_CBC to kernel algorithm db Aug 26 18:38:32.753587: | adding TWOFISH_CBC to kernel algorithm db Aug 26 18:38:32.753590: | adding NULL_AUTH_AES_GMAC to kernel algorithm db Aug 26 18:38:32.753593: | adding NULL to kernel algorithm db Aug 26 18:38:32.753596: | adding CHACHA20_POLY1305 to kernel algorithm db Aug 26 18:38:32.753599: | adding HMAC_MD5_96 to kernel algorithm db Aug 26 18:38:32.753602: | adding HMAC_SHA1_96 to kernel algorithm db Aug 26 18:38:32.753604: | adding HMAC_SHA2_512_256 to kernel algorithm db Aug 26 18:38:32.753607: | adding HMAC_SHA2_384_192 to kernel algorithm db Aug 26 18:38:32.753610: | adding HMAC_SHA2_256_128 to kernel algorithm db Aug 26 18:38:32.753612: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Aug 26 18:38:32.753615: | adding AES_XCBC_96 to kernel algorithm db Aug 26 
18:38:32.753617: | adding AES_CMAC_96 to kernel algorithm db Aug 26 18:38:32.753620: | adding NONE to kernel algorithm db Aug 26 18:38:32.753646: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Aug 26 18:38:32.753653: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Aug 26 18:38:32.753657: | setup kernel fd callback Aug 26 18:38:32.753660: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55e26175e2a8 Aug 26 18:38:32.753665: | libevent_malloc: new ptr-libevent@0x55e261741af8 size 128 Aug 26 18:38:32.753669: | libevent_malloc: new ptr-libevent@0x55e26175d808 size 16 Aug 26 18:38:32.753676: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55e26175d6f8 Aug 26 18:38:32.753681: | libevent_malloc: new ptr-libevent@0x55e261708038 size 128 Aug 26 18:38:32.753687: | libevent_malloc: new ptr-libevent@0x55e26175e1f8 size 16 Aug 26 18:38:32.753933: | global one-shot timer EVENT_CHECK_CRLS initialized Aug 26 18:38:32.753946: selinux support is enabled. Aug 26 18:38:32.754675: | unbound context created - setting debug level to 5 Aug 26 18:38:32.754709: | /etc/hosts lookups activated Aug 26 18:38:32.754725: | /etc/resolv.conf usage activated Aug 26 18:38:32.754796: | outgoing-port-avoid set 0-65535 Aug 26 18:38:32.754830: | outgoing-port-permit set 32768-60999 Aug 26 18:38:32.754834: | Loading dnssec root key from:/var/lib/unbound/root.key Aug 26 18:38:32.754838: | No additional dnssec trust anchors defined via dnssec-trusted= option Aug 26 18:38:32.754842: | Setting up events, loop start Aug 26 18:38:32.754846: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55e26175e238 Aug 26 18:38:32.754850: | libevent_malloc: new ptr-libevent@0x55e26176a4f8 size 128 Aug 26 18:38:32.754854: | libevent_malloc: new ptr-libevent@0x55e261775808 size 16 Aug 26 18:38:32.754863: | libevent_realloc: new ptr-libevent@0x55e261704ad8 size 256 Aug 26 18:38:32.754867: | libevent_malloc: new ptr-libevent@0x55e261775848 size 8 Aug 26 18:38:32.754871: | 
libevent_realloc: new ptr-libevent@0x55e261705388 size 144 Aug 26 18:38:32.754874: | libevent_malloc: new ptr-libevent@0x55e2617057e8 size 152 Aug 26 18:38:32.754879: | libevent_malloc: new ptr-libevent@0x55e261775888 size 16 Aug 26 18:38:32.754883: | signal event handler PLUTO_SIGCHLD installed Aug 26 18:38:32.754887: | libevent_malloc: new ptr-libevent@0x55e2617758c8 size 8 Aug 26 18:38:32.754891: | libevent_malloc: new ptr-libevent@0x55e261775908 size 152 Aug 26 18:38:32.754894: | signal event handler PLUTO_SIGTERM installed Aug 26 18:38:32.754897: | libevent_malloc: new ptr-libevent@0x55e2617759d8 size 8 Aug 26 18:38:32.754900: | libevent_malloc: new ptr-libevent@0x55e261775a18 size 152 Aug 26 18:38:32.754903: | signal event handler PLUTO_SIGHUP installed Aug 26 18:38:32.754907: | libevent_malloc: new ptr-libevent@0x55e261775ae8 size 8 Aug 26 18:38:32.754910: | libevent_realloc: release ptr-libevent@0x55e261705388 Aug 26 18:38:32.754913: | libevent_realloc: new ptr-libevent@0x55e261775b28 size 256 Aug 26 18:38:32.754916: | libevent_malloc: new ptr-libevent@0x55e261775c58 size 152 Aug 26 18:38:32.754920: | signal event handler PLUTO_SIGSYS installed Aug 26 18:38:32.755312: | starting up helper thread 0 Aug 26 18:38:32.755335: | status value returned by setting the priority of this thread (crypto helper 0) 22 Aug 26 18:38:32.755344: | crypto helper 0 waiting (nothing to do) Aug 26 18:38:32.764196: | starting up helper thread 5 Aug 26 18:38:32.764221: | status value returned by setting the priority of this thread (crypto helper 5) 22 Aug 26 18:38:32.764226: | crypto helper 5 waiting (nothing to do) Aug 26 18:38:32.764234: | created addconn helper (pid:7556) using fork+execve Aug 26 18:38:32.764240: | forked child 7556 Aug 26 18:38:32.764284: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:38:32.764313: listening for IKE messages Aug 26 18:38:32.764844: | Inspecting interface lo Aug 26 
18:38:32.764854: | found lo with address 127.0.0.1 Aug 26 18:38:32.764858: | Inspecting interface eth0 Aug 26 18:38:32.764862: | found eth0 with address 192.0.2.254 Aug 26 18:38:32.764866: | Inspecting interface eth1 Aug 26 18:38:32.764870: | found eth1 with address 192.1.2.23 Aug 26 18:38:32.764939: Kernel supports NIC esp-hw-offload Aug 26 18:38:32.767222: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Aug 26 18:38:32.767301: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 18:38:32.767311: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 18:38:32.767317: adding interface eth1/eth1 192.1.2.23:4500 Aug 26 18:38:32.767357: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Aug 26 18:38:32.767389: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 18:38:32.767394: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 18:38:32.767403: adding interface eth0/eth0 192.0.2.254:4500 Aug 26 18:38:32.767437: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Aug 26 18:38:32.767467: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 18:38:32.767472: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 18:38:32.767477: adding interface lo/lo 127.0.0.1:4500 Aug 26 18:38:32.767554: | no interfaces to sort Aug 26 18:38:32.767560: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Aug 26 18:38:32.767569: | add_fd_read_event_handler: new ethX-pe@0x55e261776128 Aug 26 18:38:32.767573: | libevent_malloc: new ptr-libevent@0x55e26176a448 size 128 Aug 26 18:38:32.767577: | libevent_malloc: new ptr-libevent@0x55e261776198 size 16 Aug 26 18:38:32.767585: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 18:38:32.767589: | add_fd_read_event_handler: new ethX-pe@0x55e2617761d8 Aug 26 18:38:32.767593: | libevent_malloc: new ptr-libevent@0x55e261706298 size 128 Aug 26 18:38:32.767595: | libevent_malloc: new ptr-libevent@0x55e261776248 size 16 Aug 26 18:38:32.767600: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 18:38:32.767602: | add_fd_read_event_handler: new ethX-pe@0x55e261776288 Aug 26 18:38:32.767605: | libevent_malloc: new ptr-libevent@0x55e261708138 size 128 Aug 26 18:38:32.767607: | libevent_malloc: new ptr-libevent@0x55e2617762f8 size 16 Aug 26 18:38:32.767611: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Aug 26 18:38:32.767614: | add_fd_read_event_handler: new ethX-pe@0x55e261776338 Aug 26 18:38:32.767616: | libevent_malloc: new ptr-libevent@0x55e261705288 size 128 Aug 26 18:38:32.767619: | libevent_malloc: new ptr-libevent@0x55e2617763a8 size 16 Aug 26 18:38:32.767623: | setup callback for interface eth0 192.0.2.254:500 fd 19 Aug 26 18:38:32.767626: | add_fd_read_event_handler: new ethX-pe@0x55e2617763e8 Aug 26 18:38:32.767631: | libevent_malloc: new ptr-libevent@0x55e2616d64e8 size 128 Aug 26 18:38:32.767633: | libevent_malloc: new ptr-libevent@0x55e261776458 size 16 Aug 26 18:38:32.767638: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 18:38:32.767641: | add_fd_read_event_handler: new ethX-pe@0x55e261776498 Aug 26 18:38:32.767644: | libevent_malloc: new ptr-libevent@0x55e2616d61d8 size 128 Aug 26 18:38:32.767646: | libevent_malloc: new ptr-libevent@0x55e261776508 size 16 Aug 26 18:38:32.767651: | setup callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 
18:38:32.767656: | certs and keys locked by 'free_preshared_secrets' Aug 26 18:38:32.767659: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 18:38:32.767678: loading secrets from "/etc/ipsec.secrets" Aug 26 18:38:32.767703: | Processing PSK at line 1: passed Aug 26 18:38:32.767708: | certs and keys locked by 'process_secret' Aug 26 18:38:32.767711: | certs and keys unlocked by 'process_secret' Aug 26 18:38:32.767818: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:38:32.767830: | spent 0.675 milliseconds in whack Aug 26 18:38:32.767847: | starting up helper thread 4 Aug 26 18:38:32.767855: | status value returned by setting the priority of this thread (crypto helper 4) 22 Aug 26 18:38:32.767858: | crypto helper 4 waiting (nothing to do) Aug 26 18:38:32.798485: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:38:32.798525: listening for IKE messages Aug 26 18:38:32.798562: | Inspecting interface lo Aug 26 18:38:32.798571: | found lo with address 127.0.0.1 Aug 26 18:38:32.798575: | Inspecting interface eth0 Aug 26 18:38:32.798580: | found eth0 with address 192.0.2.254 Aug 26 18:38:32.798582: | Inspecting interface eth1 Aug 26 18:38:32.798587: | found eth1 with address 192.1.2.23 Aug 26 18:38:32.798652: | no interfaces to sort Aug 26 18:38:32.798663: | libevent_free: release ptr-libevent@0x55e26176a448 Aug 26 18:38:32.798668: | free_event_entry: release EVENT_NULL-pe@0x55e261776128 Aug 26 18:38:32.798677: | add_fd_read_event_handler: new ethX-pe@0x55e261776128 Aug 26 18:38:32.798681: | libevent_malloc: new ptr-libevent@0x55e26176a448 size 128 Aug 26 18:38:32.798689: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 18:38:32.798694: | libevent_free: release ptr-libevent@0x55e261706298 Aug 26 18:38:32.798697: | free_event_entry: release EVENT_NULL-pe@0x55e2617761d8 Aug 26 18:38:32.798700: | add_fd_read_event_handler: new ethX-pe@0x55e2617761d8 Aug 26 
18:38:32.798703: | libevent_malloc: new ptr-libevent@0x55e261706298 size 128 Aug 26 18:38:32.798709: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 18:38:32.798713: | libevent_free: release ptr-libevent@0x55e261708138 Aug 26 18:38:32.798716: | free_event_entry: release EVENT_NULL-pe@0x55e261776288 Aug 26 18:38:32.798719: | add_fd_read_event_handler: new ethX-pe@0x55e261776288 Aug 26 18:38:32.798722: | libevent_malloc: new ptr-libevent@0x55e261708138 size 128 Aug 26 18:38:32.798727: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Aug 26 18:38:32.798731: | libevent_free: release ptr-libevent@0x55e261705288 Aug 26 18:38:32.798735: | free_event_entry: release EVENT_NULL-pe@0x55e261776338 Aug 26 18:38:32.798738: | add_fd_read_event_handler: new ethX-pe@0x55e261776338 Aug 26 18:38:32.798741: | libevent_malloc: new ptr-libevent@0x55e261705288 size 128 Aug 26 18:38:32.798746: | setup callback for interface eth0 192.0.2.254:500 fd 19 Aug 26 18:38:32.798750: | libevent_free: release ptr-libevent@0x55e2616d64e8 Aug 26 18:38:32.798753: | free_event_entry: release EVENT_NULL-pe@0x55e2617763e8 Aug 26 18:38:32.798756: | add_fd_read_event_handler: new ethX-pe@0x55e2617763e8 Aug 26 18:38:32.798759: | libevent_malloc: new ptr-libevent@0x55e2616d64e8 size 128 Aug 26 18:38:32.798764: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 18:38:32.798769: | libevent_free: release ptr-libevent@0x55e2616d61d8 Aug 26 18:38:32.798772: | free_event_entry: release EVENT_NULL-pe@0x55e261776498 Aug 26 18:38:32.798775: | add_fd_read_event_handler: new ethX-pe@0x55e261776498 Aug 26 18:38:32.798778: | libevent_malloc: new ptr-libevent@0x55e2616d61d8 size 128 Aug 26 18:38:32.798783: | setup callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 18:38:32.798787: | certs and keys locked by 'free_preshared_secrets' Aug 26 18:38:32.798790: forgetting secrets Aug 26 18:38:32.798796: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 18:38:32.798811: loading 
secrets from "/etc/ipsec.secrets" Aug 26 18:38:32.798818: | Processing PSK at line 1: passed Aug 26 18:38:32.798822: | certs and keys locked by 'process_secret' Aug 26 18:38:32.798824: | certs and keys unlocked by 'process_secret' Aug 26 18:38:32.798832: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:38:32.798839: | spent 0.356 milliseconds in whack Aug 26 18:38:32.799303: | processing signal PLUTO_SIGCHLD Aug 26 18:38:32.799320: | waitpid returned pid 7556 (exited with status 0) Aug 26 18:38:32.799325: | reaped addconn helper child (status 0) Aug 26 18:38:32.799331: | waitpid returned ECHILD (no child processes left) Aug 26 18:38:32.799336: | spent 0.0192 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:38:32.857421: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:38:32.857445: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 18:38:32.857449: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 18:38:32.857452: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 18:38:32.857454: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 18:38:32.857458: | FOR_EACH_CONNECTION_... 
in conn_by_name Aug 26 18:38:32.857507: | Added new connection eastnet-northnet with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO Aug 26 18:38:32.857571: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Aug 26 18:38:32.857582: | from whack: got --esp=aes256-sha2 Aug 26 18:38:32.857599: | ESP/AH string values: AES_CBC_256-HMAC_SHA2_256_128 Aug 26 18:38:32.857604: | counting wild cards for (none) is 15 Aug 26 18:38:32.857611: | counting wild cards for 192.1.2.23 is 0 Aug 26 18:38:32.857616: | based upon policy, the connection is a template. Aug 26 18:38:32.857624: | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none Aug 26 18:38:32.857627: | new hp@0x55e261778458 Aug 26 18:38:32.857632: added connection description "eastnet-northnet" Aug 26 18:38:32.857643: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO Aug 26 18:38:32.857653: | 192.0.2.0/24===192.1.2.23<192.1.2.23>...%any===192.0.3.0/24 Aug 26 18:38:32.857662: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:38:32.857671: | spent 0.26 milliseconds in whack Aug 26 18:38:34.963730: | spent 0.00338 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 18:38:34.963761: | *received 828 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Aug 26 18:38:34.963902: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Aug 26 18:38:34.963906: | **parse ISAKMP Message: Aug 26 18:38:34.963909: | initiator cookie: Aug 26 18:38:34.963911: | c9 74 af 35 05 84 b2 d5 Aug 26 18:38:34.963914: | responder cookie: Aug 26 18:38:34.963916: | 00 00 00 00 00 00 00 00 Aug
26 18:38:34.963919: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 18:38:34.963922: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:38:34.963924: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 18:38:34.963927: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 18:38:34.963930: | Message ID: 0 (0x0) Aug 26 18:38:34.963932: | length: 828 (0x33c) Aug 26 18:38:34.963935: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Aug 26 18:38:34.963939: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Aug 26 18:38:34.963943: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Aug 26 18:38:34.963946: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 18:38:34.963949: | ***parse IKEv2 Security Association Payload: Aug 26 18:38:34.963952: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 18:38:34.963955: | flags: none (0x0) Aug 26 18:38:34.963957: | length: 436 (0x1b4) Aug 26 18:38:34.963960: | processing payload: ISAKMP_NEXT_v2SA (len=432) Aug 26 18:38:34.963963: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 18:38:34.963966: | ***parse IKEv2 Key Exchange Payload: Aug 26 18:38:34.963969: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 18:38:34.963972: | flags: none (0x0) Aug 26 18:38:34.963974: | length: 264 (0x108) Aug 26 18:38:34.963977: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:38:34.963980: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 18:38:34.963983: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 18:38:34.963985: | ***parse IKEv2 Nonce Payload: Aug 26 18:38:34.963988: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:34.963991: | flags: none (0x0) Aug 26 18:38:34.963994: | length: 36 (0x24) Aug 26 18:38:34.963996: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 18:38:34.963998: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:38:34.964001: | ***parse IKEv2 Notify Payload: Aug 26 18:38:34.964004: 
| next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:34.964006: | flags: none (0x0) Aug 26 18:38:34.964009: | length: 8 (0x8) Aug 26 18:38:34.964011: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:34.964014: | SPI size: 0 (0x0) Aug 26 18:38:34.964017: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 18:38:34.964021: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 18:38:34.964024: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:38:34.964027: | ***parse IKEv2 Notify Payload: Aug 26 18:38:34.964029: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:34.964031: | flags: none (0x0) Aug 26 18:38:34.964034: | length: 28 (0x1c) Aug 26 18:38:34.964036: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:34.964039: | SPI size: 0 (0x0) Aug 26 18:38:34.964041: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 18:38:34.964044: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 18:38:34.964046: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:38:34.964049: | ***parse IKEv2 Notify Payload: Aug 26 18:38:34.964052: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:34.964054: | flags: none (0x0) Aug 26 18:38:34.964057: | length: 28 (0x1c) Aug 26 18:38:34.964060: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:34.964063: | SPI size: 0 (0x0) Aug 26 18:38:34.964065: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 18:38:34.964068: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 18:38:34.964072: | DDOS disabled and no cookie sent, continuing Aug 26 18:38:34.964078: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 18:38:34.964081: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 18:38:34.964083: | find_next_host_connection returns empty Aug 26 18:38:34.964085: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 18:38:34.964089: | 
find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 18:38:34.964091: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 18:38:34.964093: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Aug 26 18:38:34.964095: | find_next_host_connection returns empty Aug 26 18:38:34.964098: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Aug 26 18:38:34.964101: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 18:38:34.964103: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 18:38:34.964104: | find_next_host_connection returns empty Aug 26 18:38:34.964107: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 18:38:34.964109: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 18:38:34.964111: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 18:38:34.964113: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Aug 26 18:38:34.964115: | find_next_host_connection returns empty Aug 26 18:38:34.964117: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Aug 26 18:38:34.964120: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 18:38:34.964122: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 18:38:34.964123: | find_next_host_connection returns empty Aug 26 18:38:34.964126: | find_host_connection local=192.1.2.23:500 remote= policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 18:38:34.964128: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 18:38:34.964130: | find_next_host_connection policy=PSK+IKEV2_ALLOW 
Aug 26 18:38:34.964132: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Aug 26 18:38:34.964134: | find_next_host_connection returns eastnet-northnet Aug 26 18:38:34.964135: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 18:38:34.964139: | find_next_host_connection returns empty Aug 26 18:38:34.964140: | rw_instantiate Aug 26 18:38:34.964147: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@(nil): none Aug 26 18:38:34.964149: | new hp@0x55e26177a3b8 Aug 26 18:38:34.964153: | rw_instantiate() instantiated "eastnet-northnet"[1] 192.1.3.33 for 192.1.3.33 Aug 26 18:38:34.964156: | found connection: eastnet-northnet[1] 192.1.3.33 with policy PSK+IKEV2_ALLOW Aug 26 18:38:34.964159: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 18:38:34.964179: | creating state object #1 at 0x55e26177a908 Aug 26 18:38:34.964182: | State DB: adding IKEv2 state #1 in UNDEFINED Aug 26 18:38:34.964187: | pstats #1 ikev2.ike started Aug 26 18:38:34.964190: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Aug 26 18:38:34.964192: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Aug 26 18:38:34.964196: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Aug 26 18:38:34.964203: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 18:38:34.964205: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 18:38:34.964209: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33 (in ike_process_packet() at ikev2.c:2064) Aug 26 18:38:34.964211: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Aug 26 18:38:34.964214: | Message ID: #1 not a duplicate - message is new; 
initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Aug 26 18:38:34.964216: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Aug 26 18:38:34.964218: | #1 in state PARENT_R0: processing SA_INIT request Aug 26 18:38:34.964220: | selected state microcode Respond to IKE_SA_INIT Aug 26 18:38:34.964222: | Now let's proceed with state specific processing Aug 26 18:38:34.964224: | calling processor Respond to IKE_SA_INIT Aug 26 18:38:34.964231: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 18:38:34.964233: | constructing local IKE proposals for eastnet-northnet (IKE SA responder matching remote proposals) Aug 26 18:38:34.964239: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:38:34.964245: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:38:34.964247: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:38:34.964251: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:38:34.964254: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:38:34.964257: | ... 
ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:38:34.964259: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:38:34.964263: | ... ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:38:34.964269: "eastnet-northnet"[1] 192.1.3.33: constructed local IKE proposals for eastnet-northnet (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:38:34.964274: | Comparing remote proposals against IKE responder 4 local proposals Aug 26 18:38:34.964276: | local proposal 1 type ENCR has 1 transforms Aug 26 18:38:34.964278: | local proposal 1 type PRF has 2 transforms Aug 26 18:38:34.964279: | local proposal 1 type INTEG has 1 transforms Aug 26 18:38:34.964281: | local proposal 1 type DH has 8 transforms Aug 26 18:38:34.964283: | local proposal 1 type ESN has 0 transforms Aug 26 18:38:34.964285: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 18:38:34.964287: | local proposal 2 type ENCR has 1 transforms Aug 26 18:38:34.964296: | local proposal 2 type PRF 
has 2 transforms Aug 26 18:38:34.964299: | local proposal 2 type INTEG has 1 transforms Aug 26 18:38:34.964302: | local proposal 2 type DH has 8 transforms Aug 26 18:38:34.964304: | local proposal 2 type ESN has 0 transforms Aug 26 18:38:34.964307: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 18:38:34.964310: | local proposal 3 type ENCR has 1 transforms Aug 26 18:38:34.964313: | local proposal 3 type PRF has 2 transforms Aug 26 18:38:34.964315: | local proposal 3 type INTEG has 2 transforms Aug 26 18:38:34.964318: | local proposal 3 type DH has 8 transforms Aug 26 18:38:34.964321: | local proposal 3 type ESN has 0 transforms Aug 26 18:38:34.964324: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 18:38:34.964327: | local proposal 4 type ENCR has 1 transforms Aug 26 18:38:34.964330: | local proposal 4 type PRF has 2 transforms Aug 26 18:38:34.964333: | local proposal 4 type INTEG has 2 transforms Aug 26 18:38:34.964335: | local proposal 4 type DH has 8 transforms Aug 26 18:38:34.964338: | local proposal 4 type ESN has 0 transforms Aug 26 18:38:34.964342: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 18:38:34.964345: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:38:34.964348: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:38:34.964351: | length: 100 (0x64) Aug 26 18:38:34.964353: | prop #: 1 (0x1) Aug 26 18:38:34.964356: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:38:34.964359: | spi size: 0 (0x0) Aug 26 18:38:34.964361: | # transforms: 11 (0xb) Aug 26 18:38:34.964365: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Aug 26 18:38:34.964369: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964371: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964374: | length: 12 (0xc) Aug 26 18:38:34.964377: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 
18:38:34.964379: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:38:34.964382: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:38:34.964385: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:38:34.964388: | length/value: 256 (0x100) Aug 26 18:38:34.964393: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 18:38:34.964396: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964399: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964402: | length: 8 (0x8) Aug 26 18:38:34.964405: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:34.964408: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:38:34.964412: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Aug 26 18:38:34.964418: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Aug 26 18:38:34.964422: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Aug 26 18:38:34.964425: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Aug 26 18:38:34.964428: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964431: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964433: | length: 8 (0x8) Aug 26 18:38:34.964434: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:34.964436: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:38:34.964438: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964439: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964441: | length: 8 (0x8) Aug 26 18:38:34.964442: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964444: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:38:34.964446: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 
18:38:34.964448: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Aug 26 18:38:34.964450: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Aug 26 18:38:34.964452: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Aug 26 18:38:34.964453: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964455: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964457: | length: 8 (0x8) Aug 26 18:38:34.964458: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964460: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:38:34.964461: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964463: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964465: | length: 8 (0x8) Aug 26 18:38:34.964466: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964468: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:38:34.964469: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964471: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964472: | length: 8 (0x8) Aug 26 18:38:34.964474: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964476: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:38:34.964477: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964479: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964480: | length: 8 (0x8) Aug 26 18:38:34.964482: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964484: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:38:34.964485: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964487: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964488: | length: 8 (0x8) Aug 26 18:38:34.964490: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964492: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) 
Aug 26 18:38:34.964493: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964495: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964496: | length: 8 (0x8) Aug 26 18:38:34.964498: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964499: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:38:34.964501: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964503: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:38:34.964504: | length: 8 (0x8) Aug 26 18:38:34.964506: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964507: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:38:34.964510: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Aug 26 18:38:34.964515: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Aug 26 18:38:34.964516: | remote proposal 1 matches local proposal 1 Aug 26 18:38:34.964518: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:38:34.964520: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:38:34.964522: | length: 100 (0x64) Aug 26 18:38:34.964523: | prop #: 2 (0x2) Aug 26 18:38:34.964525: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:38:34.964526: | spi size: 0 (0x0) Aug 26 18:38:34.964528: | # transforms: 11 (0xb) Aug 26 18:38:34.964530: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:38:34.964532: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964533: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964535: | length: 12 (0xc) Aug 26 18:38:34.964536: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:38:34.964538: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:38:34.964540: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:38:34.964541: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 
18:38:34.964543: | length/value: 128 (0x80) Aug 26 18:38:34.964545: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964546: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964548: | length: 8 (0x8) Aug 26 18:38:34.964549: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:34.964551: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:38:34.964553: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964554: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964556: | length: 8 (0x8) Aug 26 18:38:34.964557: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:34.964559: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:38:34.964560: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964562: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964563: | length: 8 (0x8) Aug 26 18:38:34.964565: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964567: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:38:34.964568: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964570: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964571: | length: 8 (0x8) Aug 26 18:38:34.964573: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964575: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:38:34.964576: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964578: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964579: | length: 8 (0x8) Aug 26 18:38:34.964581: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964582: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:38:34.964584: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964586: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964587: | length: 8 (0x8) Aug 26 18:38:34.964589: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964590: | IKEv2 transform ID: 
OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:38:34.964592: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964593: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964595: | length: 8 (0x8) Aug 26 18:38:34.964597: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964598: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:38:34.964600: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964601: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964603: | length: 8 (0x8) Aug 26 18:38:34.964604: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964606: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 18:38:34.964608: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964612: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964614: | length: 8 (0x8) Aug 26 18:38:34.964615: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964617: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:38:34.964619: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964620: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:38:34.964622: | length: 8 (0x8) Aug 26 18:38:34.964623: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964625: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:38:34.964627: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Aug 26 18:38:34.964629: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Aug 26 18:38:34.964631: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:38:34.964632: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:38:34.964634: | length: 116 (0x74) Aug 26 18:38:34.964635: | prop #: 3 (0x3) Aug 26 18:38:34.964637: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:38:34.964638: | spi size: 0 (0x0) Aug 26 18:38:34.964640: | # transforms: 13 (0xd) Aug 26 18:38:34.964642: | Comparing remote proposal 3 
containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:38:34.964644: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964645: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964647: | length: 12 (0xc) Aug 26 18:38:34.964648: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:38:34.964650: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:38:34.964652: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:38:34.964653: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:38:34.964655: | length/value: 256 (0x100) Aug 26 18:38:34.964657: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964658: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964660: | length: 8 (0x8) Aug 26 18:38:34.964661: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:34.964663: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:38:34.964664: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964666: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964667: | length: 8 (0x8) Aug 26 18:38:34.964669: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:34.964671: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:38:34.964672: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964674: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964675: | length: 8 (0x8) Aug 26 18:38:34.964677: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:38:34.964679: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 18:38:34.964682: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964685: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964687: | length: 8 (0x8) Aug 26 18:38:34.964690: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:38:34.964692: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:38:34.964695: | *****parse IKEv2 Transform Substructure Payload: Aug 26 
18:38:34.964698: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964700: | length: 8 (0x8) Aug 26 18:38:34.964703: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964705: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:38:34.964709: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964711: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964714: | length: 8 (0x8) Aug 26 18:38:34.964717: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964720: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:38:34.964723: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964725: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964731: | length: 8 (0x8) Aug 26 18:38:34.964734: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964737: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:38:34.964740: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964743: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964745: | length: 8 (0x8) Aug 26 18:38:34.964748: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964750: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:38:34.964753: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964756: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964758: | length: 8 (0x8) Aug 26 18:38:34.964761: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964764: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:38:34.964767: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964769: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964771: | length: 8 (0x8) Aug 26 18:38:34.964774: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964776: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 18:38:34.964779: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964782: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964785: | length: 8 (0x8) Aug 26 18:38:34.964787: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964790: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:38:34.964792: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964793: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:38:34.964795: | length: 8 (0x8) Aug 26 18:38:34.964796: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964798: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:38:34.964801: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 18:38:34.964802: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 18:38:34.964804: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:38:34.964806: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:38:34.964807: | length: 116 (0x74) Aug 26 18:38:34.964809: | prop #: 4 (0x4) Aug 26 18:38:34.964810: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:38:34.964812: | spi size: 0 (0x0) Aug 26 18:38:34.964813: | # transforms: 13 (0xd) Aug 26 18:38:34.964816: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:38:34.964817: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964819: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964820: | length: 12 (0xc) Aug 26 18:38:34.964822: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:38:34.964824: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:38:34.964825: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:38:34.964827: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:38:34.964828: | length/value: 128 (0x80) Aug 26 18:38:34.964830: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964832: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964833: | length: 8 (0x8) Aug 26 
18:38:34.964835: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:34.964837: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:38:34.964838: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964840: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964841: | length: 8 (0x8) Aug 26 18:38:34.964843: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:34.964844: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:38:34.964846: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964848: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964849: | length: 8 (0x8) Aug 26 18:38:34.964851: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:38:34.964854: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 18:38:34.964856: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964857: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964859: | length: 8 (0x8) Aug 26 18:38:34.964861: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:38:34.964862: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:38:34.964864: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964865: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964867: | length: 8 (0x8) Aug 26 18:38:34.964868: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964870: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:38:34.964872: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964873: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964875: | length: 8 (0x8) Aug 26 18:38:34.964876: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964878: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:38:34.964880: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964881: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964883: | length: 8 (0x8) Aug 26 18:38:34.964884: | 
IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964886: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:38:34.964888: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964889: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964891: | length: 8 (0x8) Aug 26 18:38:34.964892: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964894: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:38:34.964895: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964897: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964898: | length: 8 (0x8) Aug 26 18:38:34.964900: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964902: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:38:34.964903: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964905: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964906: | length: 8 (0x8) Aug 26 18:38:34.964908: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964909: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 18:38:34.964911: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964913: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.964914: | length: 8 (0x8) Aug 26 18:38:34.964916: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964917: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:38:34.964919: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.964921: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:38:34.964922: | length: 8 (0x8) Aug 26 18:38:34.964924: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.964925: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:38:34.964928: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 18:38:34.964929: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH 
Aug 26 18:38:34.964934: "eastnet-northnet"[1] 192.1.3.33 #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Aug 26 18:38:34.964938: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Aug 26 18:38:34.964939: | converting proposal to internal trans attrs Aug 26 18:38:34.964943: | natd_hash: rcookie is zero Aug 26 18:38:34.964954: | natd_hash: hasher=0x55e25faba800(20) Aug 26 18:38:34.964956: | natd_hash: icookie= c9 74 af 35 05 84 b2 d5 Aug 26 18:38:34.964957: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 18:38:34.964959: | natd_hash: ip= c0 01 02 17 Aug 26 18:38:34.964960: | natd_hash: port=500 Aug 26 18:38:34.964962: | natd_hash: hash= 14 bf 7a 3e 8f 34 ec 3e da 9f 0d 56 04 e6 cf ea Aug 26 18:38:34.964964: | natd_hash: hash= 46 31 da af Aug 26 18:38:34.964965: | natd_hash: rcookie is zero Aug 26 18:38:34.964969: | natd_hash: hasher=0x55e25faba800(20) Aug 26 18:38:34.964971: | natd_hash: icookie= c9 74 af 35 05 84 b2 d5 Aug 26 18:38:34.964973: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 18:38:34.964974: | natd_hash: ip= c0 01 03 21 Aug 26 18:38:34.964976: | natd_hash: port=500 Aug 26 18:38:34.964977: | natd_hash: hash= be a7 08 a4 6d b3 8f 29 57 
8d 17 8a c1 5c 94 34 Aug 26 18:38:34.964979: | natd_hash: hash= d1 e6 dc e0 Aug 26 18:38:34.964980: | NAT_TRAVERSAL encaps using auto-detect Aug 26 18:38:34.964982: | NAT_TRAVERSAL this end is NOT behind NAT Aug 26 18:38:34.964983: | NAT_TRAVERSAL that end is NOT behind NAT Aug 26 18:38:34.964986: | NAT_TRAVERSAL nat-keepalive enabled 192.1.3.33 Aug 26 18:38:34.964990: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Aug 26 18:38:34.964992: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55e26177a4e8 Aug 26 18:38:34.964995: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 18:38:34.964997: | libevent_malloc: new ptr-libevent@0x55e26177cc68 size 128 Aug 26 18:38:34.965008: | #1 spent 0.777 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Aug 26 18:38:34.965012: | crypto helper 1 resuming Aug 26 18:38:34.965016: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:38:34.965024: | crypto helper 1 starting work-order 1 for state #1 Aug 26 18:38:34.965036: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Aug 26 18:38:34.965039: | crypto helper 1 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Aug 26 18:38:34.965044: | suspending state #1 and saving MD Aug 26 18:38:34.965053: | #1 is busy; has a suspended MD Aug 26 18:38:34.965061: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 18:38:34.965066: | "eastnet-northnet"[1] 192.1.3.33 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 18:38:34.965072: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 18:38:34.965078: | #1 spent 1.33 milliseconds in 
ikev2_process_packet() Aug 26 18:38:34.965083: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Aug 26 18:38:34.965086: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 18:38:34.965089: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 18:38:34.965093: | spent 1.34 milliseconds in comm_handle_cb() reading and processing packet Aug 26 18:38:34.966023: | crypto helper 1 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.000983 seconds Aug 26 18:38:34.966037: | (#1) spent 0.98 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Aug 26 18:38:34.966042: | crypto helper 1 sending results from work-order 1 for state #1 to event queue Aug 26 18:38:34.966047: | scheduling resume sending helper answer for #1 Aug 26 18:38:34.966051: | libevent_malloc: new ptr-libevent@0x7f5fd4002888 size 128 Aug 26 18:38:34.966060: | crypto helper 1 waiting (nothing to do) Aug 26 18:38:34.966067: | processing resume sending helper answer for #1 Aug 26 18:38:34.966075: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:797) Aug 26 18:38:34.966080: | crypto helper 1 replies to request ID 1 Aug 26 18:38:34.966083: | calling continuation function 0x55e25f9e5b50 Aug 26 18:38:34.966086: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Aug 26 18:38:34.966117: | **emit ISAKMP Message: Aug 26 18:38:34.966120: | initiator cookie: Aug 26 18:38:34.966122: | c9 74 af 35 05 84 b2 d5 Aug 26 18:38:34.966125: | responder cookie: Aug 26 18:38:34.966127: | bc e1 cd a6 b7 47 b3 05 Aug 26 18:38:34.966130: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:38:34.966133: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:38:34.966136: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 18:38:34.966139: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 18:38:34.966142: | 
Message ID: 0 (0x0) Aug 26 18:38:34.966145: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:38:34.966148: | Emitting ikev2_proposal ... Aug 26 18:38:34.966151: | ***emit IKEv2 Security Association Payload: Aug 26 18:38:34.966154: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:34.966156: | flags: none (0x0) Aug 26 18:38:34.966160: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 18:38:34.966163: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 18:38:34.966166: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 18:38:34.966169: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:38:34.966171: | prop #: 1 (0x1) Aug 26 18:38:34.966174: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:38:34.966176: | spi size: 0 (0x0) Aug 26 18:38:34.966179: | # transforms: 3 (0x3) Aug 26 18:38:34.966182: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 18:38:34.966185: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:38:34.966188: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.966190: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:38:34.966193: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:38:34.966196: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:38:34.966199: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 18:38:34.966203: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:38:34.966205: | length/value: 256 (0x100) Aug 26 18:38:34.966208: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 18:38:34.966211: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:38:34.966214: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.966216: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:34.966219: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:38:34.966222: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.966225: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:38:34.966228: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:38:34.966231: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:38:34.966233: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:38:34.966236: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:34.966238: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:38:34.966244: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.966247: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:38:34.966250: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:38:34.966252: | emitting length of IKEv2 Proposal Substructure Payload: 36 Aug 26 18:38:34.966255: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 18:38:34.966258: | emitting length of IKEv2 Security Association Payload: 40 Aug 26 18:38:34.966261: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 18:38:34.966265: | ***emit IKEv2 Key Exchange Payload: Aug 26 18:38:34.966268: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:34.966270: | flags: none (0x0) Aug 26 18:38:34.966273: | DH group: OAKLEY_GROUP_MODP2048 (0xe) 
Aug 26 18:38:34.966276: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 18:38:34.966279: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 18:38:34.966283: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Aug 26 18:38:34.966333: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 18:38:34.966336: | ***emit IKEv2 Nonce Payload: Aug 26 18:38:34.966339: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:34.966342: | flags: none (0x0) Aug 26
18:38:34.966345: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Aug 26 18:38:34.966348: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 18:38:34.966351: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 18:38:34.966354: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 18:38:34.966357: | IKEv2 nonce 49 b3 e4 b1 cc 2e be cb e8 54 25 73 63 10 01 9c Aug 26 18:38:34.966359: | IKEv2 nonce da 8e 2b bd 86 8c 19 9c 94 e9 d8 57 d6 f9 cc ec Aug 26 18:38:34.966362: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 18:38:34.966364: | Adding a v2N Payload Aug 26 18:38:34.966367: | ***emit IKEv2 Notify Payload: Aug 26 18:38:34.966371: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:34.966374: | flags: none (0x0) Aug 26 18:38:34.966377: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:34.966379: | SPI size: 0 (0x0) Aug 26 18:38:34.966382: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 18:38:34.966385: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:38:34.966388: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:38:34.966391: | emitting length of IKEv2 Notify Payload: 8 Aug 26 18:38:34.966394: | NAT-Traversal support [enabled] add v2N payloads. 
Aug 26 18:38:34.966406: | natd_hash: hasher=0x55e25faba800(20) Aug 26 18:38:34.966409: | natd_hash: icookie= c9 74 af 35 05 84 b2 d5 Aug 26 18:38:34.966412: | natd_hash: rcookie= bc e1 cd a6 b7 47 b3 05 Aug 26 18:38:34.966414: | natd_hash: ip= c0 01 02 17 Aug 26 18:38:34.966417: | natd_hash: port=500 Aug 26 18:38:34.966419: | natd_hash: hash= a7 1c a9 f6 20 39 d0 52 d0 0f 01 ec 99 71 23 33 Aug 26 18:38:34.966422: | natd_hash: hash= 68 4f 0f 9d Aug 26 18:38:34.966424: | Adding a v2N Payload Aug 26 18:38:34.966427: | ***emit IKEv2 Notify Payload: Aug 26 18:38:34.966429: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:34.966432: | flags: none (0x0) Aug 26 18:38:34.966434: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:34.966437: | SPI size: 0 (0x0) Aug 26 18:38:34.966440: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 18:38:34.966443: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:38:34.966446: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:38:34.966449: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 18:38:34.966451: | Notify data a7 1c a9 f6 20 39 d0 52 d0 0f 01 ec 99 71 23 33 Aug 26 18:38:34.966454: | Notify data 68 4f 0f 9d Aug 26 18:38:34.966456: | emitting length of IKEv2 Notify Payload: 28 Aug 26 18:38:34.966463: | natd_hash: hasher=0x55e25faba800(20) Aug 26 18:38:34.966466: | natd_hash: icookie= c9 74 af 35 05 84 b2 d5 Aug 26 18:38:34.966468: | natd_hash: rcookie= bc e1 cd a6 b7 47 b3 05 Aug 26 18:38:34.966471: | natd_hash: ip= c0 01 03 21 Aug 26 18:38:34.966473: | natd_hash: port=500 Aug 26 18:38:34.966476: | natd_hash: hash= 54 30 83 c4 1a 7d 04 c1 f4 52 3b 20 e2 56 ba f4 Aug 26 18:38:34.966478: | natd_hash: hash= 96 fa ac a9 Aug 26 18:38:34.966480: | Adding a v2N Payload Aug 26 18:38:34.966483: | ***emit IKEv2 Notify Payload: Aug 26 
18:38:34.966485: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:34.966488: | flags: none (0x0) Aug 26 18:38:34.966491: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:34.966493: | SPI size: 0 (0x0) Aug 26 18:38:34.966496: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 18:38:34.966499: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:38:34.966502: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:38:34.966505: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 18:38:34.966507: | Notify data 54 30 83 c4 1a 7d 04 c1 f4 52 3b 20 e2 56 ba f4 Aug 26 18:38:34.966510: | Notify data 96 fa ac a9 Aug 26 18:38:34.966512: | emitting length of IKEv2 Notify Payload: 28 Aug 26 18:38:34.966515: | emitting length of ISAKMP Message: 432 Aug 26 18:38:34.966525: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:38:34.966529: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Aug 26 18:38:34.966532: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Aug 26 18:38:34.966537: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Aug 26 18:38:34.966540: | Message ID: updating counters for #1 to 0 after switching state Aug 26 18:38:34.966545: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Aug 26 18:38:34.966550: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Aug 26 18:38:34.966556: "eastnet-northnet"[1] 192.1.3.33 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a 
prf=HMAC_SHA2_512 group=MODP2048} Aug 26 18:38:34.966561: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Aug 26 18:38:34.966567: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Aug 26 18:38:34.966684: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 18:38:34.966689: | libevent_free: release ptr-libevent@0x55e26177cc68 Aug 26 18:38:34.966693: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55e26177a4e8 Aug 26 18:38:34.966696: | event_schedule: new EVENT_SO_DISCARD-pe@0x55e26177a4e8 Aug 26 18:38:34.966700: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Aug 26 18:38:34.966703: | libevent_malloc: new ptr-libevent@0x55e26177ddb8 size 128 Aug 26 18:38:34.966707: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 18:38:34.966713: | #1 spent 0.603 milliseconds in resume sending helper answer Aug 26 18:38:34.966719: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:833) Aug 26 18:38:34.966722: | libevent_free: release ptr-libevent@0x7f5fd4002888 Aug 26 18:38:34.969056: | spent 0.00272 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 18:38:34.969081: | *received 241 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Aug 26 18:38:34.969120: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Aug 26 18:38:34.969123: | **parse ISAKMP Message: Aug 26 18:38:34.969125: | initiator cookie: Aug 26 18:38:34.969127: | c9 74 af 35 05 84 b2 d5 Aug 26 18:38:34.969128: | responder cookie: Aug 26 18:38:34.969130: | bc e1 cd a6 b7 47 b3 05 Aug 26 18:38:34.969132: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 18:38:34.969133: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:38:34.969135: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 18:38:34.969137: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 18:38:34.969139: | Message ID: 1 (0x1) Aug 26 18:38:34.969140: | length: 241 (0xf1) Aug 26 18:38:34.969142: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 18:38:34.969145: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 18:38:34.969148: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Aug 26 18:38:34.969153: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 18:38:34.969155: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 18:38:34.969158: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 18:38:34.969160: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid
00000001 Aug 26 18:38:34.969163: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Aug 26 18:38:34.969165: | unpacking clear payload Aug 26 18:38:34.969167: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 18:38:34.969169: | ***parse IKEv2 Encryption Payload: Aug 26 18:38:34.969170: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Aug 26 18:38:34.969172: | flags: none (0x0) Aug 26 18:38:34.969173: | length: 213 (0xd5) Aug 26 18:38:34.969175: | processing payload: ISAKMP_NEXT_v2SK (len=209) Aug 26 18:38:34.969178: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Aug 26 18:38:34.969180: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 18:38:34.969182: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 18:38:34.969184: | Now let's proceed with state specific processing Aug 26 18:38:34.969185: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 18:38:34.969188: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Aug 26 18:38:34.969191: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Aug 26 18:38:34.969195: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Aug 26 18:38:34.969197: | state #1 requesting EVENT_SO_DISCARD to be deleted Aug 26 18:38:34.969200: | libevent_free: release ptr-libevent@0x55e26177ddb8 Aug 26 18:38:34.969203: | free_event_entry: release EVENT_SO_DISCARD-pe@0x55e26177a4e8 Aug 26 18:38:34.969205: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55e26177a4e8 Aug 26 18:38:34.969207: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 18:38:34.969209: | libevent_malloc: new ptr-libevent@0x7f5fd4002888 size 128 Aug 26 18:38:34.969218: | #1 spent 0.0287 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) 
in ikev2_process_state_packet() Aug 26 18:38:34.969222: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:38:34.969223: | crypto helper 3 resuming Aug 26 18:38:34.969224: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Aug 26 18:38:34.969235: | crypto helper 3 starting work-order 2 for state #1 Aug 26 18:38:34.969237: | suspending state #1 and saving MD Aug 26 18:38:34.969240: | #1 is busy; has a suspended MD Aug 26 18:38:34.969240: | crypto helper 3 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Aug 26 18:38:34.969244: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 18:38:34.969247: | "eastnet-northnet"[1] 192.1.3.33 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 18:38:34.969250: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 18:38:34.969255: | #1 spent 0.179 milliseconds in ikev2_process_packet() Aug 26 18:38:34.969259: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Aug 26 18:38:34.969262: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 18:38:34.969265: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 18:38:34.969269: | spent 0.194 milliseconds in comm_handle_cb() reading and processing packet Aug 26 18:38:34.969911: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Aug 26 18:38:34.970185: | crypto helper 3 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.000945 seconds Aug 26 18:38:34.970191: | (#1) spent 0.94 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Aug 26 18:38:34.970194: | crypto 
helper 3 sending results from work-order 2 for state #1 to event queue Aug 26 18:38:34.970196: | scheduling resume sending helper answer for #1 Aug 26 18:38:34.970198: | libevent_malloc: new ptr-libevent@0x7f5fcc000f48 size 128 Aug 26 18:38:34.970204: | crypto helper 3 waiting (nothing to do) Aug 26 18:38:34.970241: | processing resume sending helper answer for #1 Aug 26 18:38:34.970251: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:797) Aug 26 18:38:34.970255: | crypto helper 3 replies to request ID 2 Aug 26 18:38:34.970257: | calling continuation function 0x55e25f9e5b50 Aug 26 18:38:34.970259: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Aug 26 18:38:34.970261: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 18:38:34.970271: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Aug 26 18:38:34.970273: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Aug 26 18:38:34.970276: | **parse IKEv2 Identification - Initiator - Payload: Aug 26 18:38:34.970278: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Aug 26 18:38:34.970280: | flags: none (0x0) Aug 26 18:38:34.970281: | length: 12 (0xc) Aug 26 18:38:34.970283: | ID type: ID_IPV4_ADDR (0x1) Aug 26 18:38:34.970285: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Aug 26 18:38:34.970298: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Aug 26 18:38:34.970305: | **parse IKEv2 Authentication Payload: Aug 26 18:38:34.970307: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 18:38:34.970308: | flags: none (0x0) Aug 26 18:38:34.970310: | length: 72 (0x48) Aug 26 18:38:34.970312: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 18:38:34.970313: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Aug 26 18:38:34.970315: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 18:38:34.970317: | **parse IKEv2 Security Association Payload: Aug 26 18:38:34.970319: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 
18:38:34.970320: | flags: none (0x0) Aug 26 18:38:34.970322: | length: 44 (0x2c) Aug 26 18:38:34.970323: | processing payload: ISAKMP_NEXT_v2SA (len=40) Aug 26 18:38:34.970325: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 18:38:34.970327: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 18:38:34.970328: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 18:38:34.970330: | flags: none (0x0) Aug 26 18:38:34.970331: | length: 24 (0x18) Aug 26 18:38:34.970333: | number of TS: 1 (0x1) Aug 26 18:38:34.970334: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Aug 26 18:38:34.970336: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 18:38:34.970338: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 18:38:34.970339: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:34.970341: | flags: none (0x0) Aug 26 18:38:34.970342: | length: 24 (0x18) Aug 26 18:38:34.970344: | number of TS: 1 (0x1) Aug 26 18:38:34.970345: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Aug 26 18:38:34.970347: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:38:34.970349: | **parse IKEv2 Notify Payload: Aug 26 18:38:34.970350: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:34.970352: | flags: none (0x0) Aug 26 18:38:34.970353: | length: 8 (0x8) Aug 26 18:38:34.970355: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:34.970357: | SPI size: 0 (0x0) Aug 26 18:38:34.970359: | Notify Message Type: v2N_MOBIKE_SUPPORTED (0x400c) Aug 26 18:38:34.970360: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 18:38:34.970362: | selected state microcode Responder: process IKE_AUTH request Aug 26 18:38:34.970364: | Now let's proceed with state specific processing Aug 26 18:38:34.970365: | calling processor Responder: process IKE_AUTH request Aug 26 18:38:34.970370: "eastnet-northnet"[1] 192.1.3.33 #1: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr,N} Aug 26 18:38:34.970374: | #1 updating local interface from 
192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 18:38:34.970376: | parsing 4 raw bytes of IKEv2 Identification - Initiator - Payload into peer ID Aug 26 18:38:34.970378: | peer ID c0 01 03 21 Aug 26 18:38:34.970381: | refine_host_connection for IKEv2: starting with "eastnet-northnet"[1] 192.1.3.33 Aug 26 18:38:34.970385: | match_id a=192.1.3.33 Aug 26 18:38:34.970387: | b=192.1.3.33 Aug 26 18:38:34.970389: | results matched Aug 26 18:38:34.970393: | refine_host_connection: checking "eastnet-northnet"[1] 192.1.3.33 against "eastnet-northnet"[1] 192.1.3.33, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Aug 26 18:38:34.970394: | Warning: not switching back to template of current instance Aug 26 18:38:34.970396: | No IDr payload received from peer Aug 26 18:38:34.970399: | refine_host_connection: checked eastnet-northnet[1] 192.1.3.33 against eastnet-northnet[1] 192.1.3.33, now for see if best Aug 26 18:38:34.970402: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 18:38:34.970404: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 18:38:34.970407: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Aug 26 18:38:34.970410: | 1: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 18:38:34.970413: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 18:38:34.970415: | line 1: match=002 Aug 26 18:38:34.970417: | match 002 beats previous best_match 000 match=0x55e2616d1c48 (line=1) Aug 26 18:38:34.970419: | concluding with best_match=002 best=0x55e2616d1c48 (lineno=1) Aug 26 18:38:34.970421: | returning because exact peer id match Aug 26 18:38:34.970423: | offered CA: '%none' Aug 26 18:38:34.970425: "eastnet-northnet"[1] 192.1.3.33 #1: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.1.3.33' Aug 26 18:38:34.970427: | received v2N_MOBIKE_SUPPORTED while it did not sent Aug 26 18:38:34.970441: | verifying AUTH payload Aug 26 18:38:34.970444: 
| ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret Aug 26 18:38:34.970446: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 18:38:34.970449: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 18:38:34.970451: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Aug 26 18:38:34.970453: | 1: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 18:38:34.970455: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 18:38:34.970457: | line 1: match=002 Aug 26 18:38:34.970458: | match 002 beats previous best_match 000 match=0x55e2616d1c48 (line=1) Aug 26 18:38:34.970460: | concluding with best_match=002 best=0x55e2616d1c48 (lineno=1) Aug 26 18:38:34.970498: "eastnet-northnet"[1] 192.1.3.33 #1: Authenticated using authby=secret Aug 26 18:38:34.970502: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Aug 26 18:38:34.970505: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Aug 26 18:38:34.970507: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 18:38:34.970510: | libevent_free: release ptr-libevent@0x7f5fd4002888 Aug 26 18:38:34.970512: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55e26177a4e8 Aug 26 18:38:34.970514: | event_schedule: new EVENT_SA_REKEY-pe@0x55e26177a4e8 Aug 26 18:38:34.970516: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Aug 26 18:38:34.970518: | libevent_malloc: new ptr-libevent@0x55e26177ce78 size 128 Aug 26 18:38:34.970575: | pstats #1 ikev2.ike established Aug 26 18:38:34.970581: | **emit ISAKMP Message: Aug 26 18:38:34.970583: | initiator cookie: Aug 26 18:38:34.970585: | c9 74 af 35 05 84 b2 d5 Aug 26 18:38:34.970586: | responder cookie: Aug 26 18:38:34.970588: | bc e1 cd a6 b7 47 b3 05 Aug 26 18:38:34.970590: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:38:34.970591: | ISAKMP version: IKEv2 version 2.0 
(rfc4306/rfc5996) (0x20) Aug 26 18:38:34.970593: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 18:38:34.970595: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 18:38:34.970597: | Message ID: 1 (0x1) Aug 26 18:38:34.970599: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:38:34.970601: | IKEv2 CERT: send a certificate? Aug 26 18:38:34.970603: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Aug 26 18:38:34.970604: | ***emit IKEv2 Encryption Payload: Aug 26 18:38:34.970606: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:34.970608: | flags: none (0x0) Aug 26 18:38:34.970610: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:38:34.970616: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 18:38:34.970621: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:38:34.970628: | Adding a v2N Payload Aug 26 18:38:34.970631: | ****emit IKEv2 Notify Payload: Aug 26 18:38:34.970634: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:34.970637: | flags: none (0x0) Aug 26 18:38:34.970639: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:34.970642: | SPI size: 0 (0x0) Aug 26 18:38:34.970645: | Notify Message Type: v2N_MOBIKE_SUPPORTED (0x400c) Aug 26 18:38:34.970652: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:38:34.970656: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:38:34.970659: | emitting length of IKEv2 Notify Payload: 8 Aug 26 18:38:34.970663: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 18:38:34.970676: | ****emit IKEv2 Identification - Responder - Payload: Aug 26 18:38:34.970680: | next payload type: ISAKMP_NEXT_v2NONE (0x0) 
Aug 26 18:38:34.970683: | flags: none (0x0) Aug 26 18:38:34.970686: | ID type: ID_IPV4_ADDR (0x1) Aug 26 18:38:34.970688: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Aug 26 18:38:34.970690: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 18:38:34.970692: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Aug 26 18:38:34.970694: | my identity c0 01 02 17 Aug 26 18:38:34.970695: | emitting length of IKEv2 Identification - Responder - Payload: 12 Aug 26 18:38:34.970701: | assembled IDr payload Aug 26 18:38:34.970703: | CHILD SA proposals received Aug 26 18:38:34.970704: | going to assemble AUTH payload Aug 26 18:38:34.970706: | ****emit IKEv2 Authentication Payload: Aug 26 18:38:34.970708: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 18:38:34.970709: | flags: none (0x0) Aug 26 18:38:34.970711: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 18:38:34.970713: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Aug 26 18:38:34.970715: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Aug 26 18:38:34.970717: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Aug 26 18:38:34.970719: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Aug 26 18:38:34.970722: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 18:38:34.970725: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 18:38:34.970728: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Aug 26 18:38:34.970730: | 1: compared key (none) to 192.1.2.23 / 
192.1.3.33 -> 002 Aug 26 18:38:34.970732: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 18:38:34.970733: | line 1: match=002 Aug 26 18:38:34.970735: | match 002 beats previous best_match 000 match=0x55e2616d1c48 (line=1) Aug 26 18:38:34.970737: | concluding with best_match=002 best=0x55e2616d1c48 (lineno=1) Aug 26 18:38:34.970771: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Aug 26 18:38:34.970774: | PSK auth 5b e0 62 18 0d d8 da bd 46 c3 2c e5 d7 6e d6 9e Aug 26 18:38:34.970776: | PSK auth ad ef 56 8a 8c ed 01 32 eb 1f cb 56 fd 3e 81 48 Aug 26 18:38:34.970777: | PSK auth 2d 97 a2 66 85 c4 0c b4 b0 e7 4a 40 b2 49 33 13 Aug 26 18:38:34.970779: | PSK auth ba a3 6d 1b 79 ce 39 f6 06 32 97 2c a8 01 d3 ce Aug 26 18:38:34.970780: | emitting length of IKEv2 Authentication Payload: 72 Aug 26 18:38:34.970786: | creating state object #2 at 0x55e26177ee48 Aug 26 18:38:34.970788: | State DB: adding IKEv2 state #2 in UNDEFINED Aug 26 18:38:34.970791: | pstats #2 ikev2.child started Aug 26 18:38:34.970794: | duplicating state object #1 "eastnet-northnet"[1] 192.1.3.33 as #2 for IPSEC SA Aug 26 18:38:34.970797: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 18:38:34.970801: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 18:38:34.970806: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Aug 26 18:38:34.970809: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Aug 26 18:38:34.970811: | Child SA TS Request has ike->sa == md->st; so using parent connection Aug 26 18:38:34.970813: | TSi: parsing 1 traffic selectors Aug 26 18:38:34.970815: | ***parse 
IKEv2 Traffic Selector: Aug 26 18:38:34.970817: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:38:34.970818: | IP Protocol ID: 0 (0x0) Aug 26 18:38:34.970820: | length: 16 (0x10) Aug 26 18:38:34.970821: | start port: 0 (0x0) Aug 26 18:38:34.970823: | end port: 65535 (0xffff) Aug 26 18:38:34.970825: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 18:38:34.970826: | TS low c0 00 03 00 Aug 26 18:38:34.970828: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 18:38:34.970830: | TS high c0 00 03 ff Aug 26 18:38:34.970831: | TSi: parsed 1 traffic selectors Aug 26 18:38:34.970833: | TSr: parsing 1 traffic selectors Aug 26 18:38:34.970834: | ***parse IKEv2 Traffic Selector: Aug 26 18:38:34.970836: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:38:34.970838: | IP Protocol ID: 0 (0x0) Aug 26 18:38:34.970839: | length: 16 (0x10) Aug 26 18:38:34.970841: | start port: 0 (0x0) Aug 26 18:38:34.970842: | end port: 65535 (0xffff) Aug 26 18:38:34.970844: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 18:38:34.970845: | TS low c0 00 02 00 Aug 26 18:38:34.970847: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 18:38:34.970848: | TS high c0 00 02 ff Aug 26 18:38:34.970850: | TSr: parsed 1 traffic selectors Aug 26 18:38:34.970851: | looking for best SPD in current connection Aug 26 18:38:34.970855: | evaluating our conn="eastnet-northnet"[1] 192.1.3.33 I=192.0.3.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 18:38:34.970859: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:38:34.970863: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 18:38:34.970865: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 18:38:34.970867: | TSi[0] port match: YES fitness 65536 Aug 26 18:38:34.970868: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 18:38:34.970870: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 
18:38:34.970873: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:38:34.970876: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 18:38:34.970878: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 18:38:34.970880: | TSr[0] port match: YES fitness 65536 Aug 26 18:38:34.970882: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 18:38:34.970883: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 18:38:34.970885: | best fit so far: TSi[0] TSr[0] Aug 26 18:38:34.970887: | found better spd route for TSi[0],TSr[0] Aug 26 18:38:34.970888: | looking for better host pair Aug 26 18:38:34.970891: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Aug 26 18:38:34.970894: | checking hostpair 192.0.2.0/24 -> 192.0.3.0/24 is found Aug 26 18:38:34.970896: | investigating connection "eastnet-northnet" as a better match Aug 26 18:38:34.970899: | match_id a=192.1.3.33 Aug 26 18:38:34.970900: | b=192.1.3.33 Aug 26 18:38:34.970902: | results matched Aug 26 18:38:34.970905: | evaluating our conn="eastnet-northnet"[1] 192.1.3.33 I=192.0.3.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 18:38:34.970908: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:38:34.970911: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 18:38:34.970914: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 18:38:34.970916: | TSi[0] port match: YES fitness 65536 Aug 26 18:38:34.970918: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 18:38:34.970919: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 18:38:34.970922: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:38:34.970925: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 18:38:34.970927: | narrow port end=0..65535 == TSr[0]=0..65535: 0 
Aug 26 18:38:34.970929: | TSr[0] port match: YES fitness 65536 Aug 26 18:38:34.970930: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 18:38:34.970932: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 18:38:34.970934: | best fit so far: TSi[0] TSr[0] Aug 26 18:38:34.970935: | did not find a better connection using host pair Aug 26 18:38:34.970937: | printing contents struct traffic_selector Aug 26 18:38:34.970938: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 18:38:34.970940: | ipprotoid: 0 Aug 26 18:38:34.970941: | port range: 0-65535 Aug 26 18:38:34.970944: | ip range: 192.0.2.0-192.0.2.255 Aug 26 18:38:34.970945: | printing contents struct traffic_selector Aug 26 18:38:34.970947: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 18:38:34.970948: | ipprotoid: 0 Aug 26 18:38:34.970950: | port range: 0-65535 Aug 26 18:38:34.970952: | ip range: 192.0.3.0-192.0.3.255 Aug 26 18:38:34.970955: | constructing ESP/AH proposals with all DH removed for eastnet-northnet (IKE_AUTH responder matching remote ESP/AH proposals) Aug 26 18:38:34.970958: | converting proposal AES_CBC_256-HMAC_SHA2_256_128 to ikev2 ... Aug 26 18:38:34.970962: | ... 
ikev2_proposal: 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 18:38:34.970965: "eastnet-northnet"[1] 192.1.3.33: constructed local ESP/AH proposals for eastnet-northnet (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 18:38:34.970968: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 1 local proposals Aug 26 18:38:34.970972: | local proposal 1 type ENCR has 1 transforms Aug 26 18:38:34.970974: | local proposal 1 type PRF has 0 transforms Aug 26 18:38:34.970975: | local proposal 1 type INTEG has 1 transforms Aug 26 18:38:34.970977: | local proposal 1 type DH has 1 transforms Aug 26 18:38:34.970979: | local proposal 1 type ESN has 1 transforms Aug 26 18:38:34.970981: | local proposal 1 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 18:38:34.970983: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 18:38:34.970985: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:38:34.970986: | length: 40 (0x28) Aug 26 18:38:34.970988: | prop #: 1 (0x1) Aug 26 18:38:34.970989: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:38:34.970991: | spi size: 4 (0x4) Aug 26 18:38:34.970993: | # transforms: 3 (0x3) Aug 26 18:38:34.970995: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 18:38:34.970996: | remote SPI 08 52 ab bc Aug 26 18:38:34.970998: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 1 local proposals Aug 26 18:38:34.971000: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.971002: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.971004: | length: 12 (0xc) Aug 26 18:38:34.971005: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:38:34.971007: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:38:34.971009: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 18:38:34.971011: | af+type: AF+IKEv2_KEY_LENGTH 
(0x800e) Aug 26 18:38:34.971012: | length/value: 256 (0x100) Aug 26 18:38:34.971015: | remote proposal 1 transform 0 (ENCR=AES_CBC_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 18:38:34.971018: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.971019: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.971021: | length: 8 (0x8) Aug 26 18:38:34.971023: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:38:34.971024: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:38:34.971027: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_256_128) matches local proposal 1 type 3 (INTEG) transform 0 Aug 26 18:38:34.971028: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:34.971030: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:38:34.971031: | length: 8 (0x8) Aug 26 18:38:34.971033: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:38:34.971035: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:38:34.971037: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 18:38:34.971039: | remote proposal 1 proposed transforms: ENCR+INTEG+ESN; matched: ENCR+INTEG+ESN; unmatched: none Aug 26 18:38:34.971042: | comparing remote proposal 1 containing ENCR+INTEG+ESN transforms to local proposal 1; required: ENCR+INTEG+ESN; optional: DH; matched: ENCR+INTEG+ESN Aug 26 18:38:34.971044: | remote proposal 1 matches local proposal 1 Aug 26 18:38:34.971048: "eastnet-northnet"[1] 192.1.3.33 #1: proposal 1:ESP:SPI=0852abbc;ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match] Aug 26 18:38:34.971051: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=0852abbc;ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Aug 26 18:38:34.971053: | converting proposal to internal trans attrs Aug 26 18:38:34.971066: | netlink_get_spi: allocated 
0x2535316c for esp.0@192.1.2.23 Aug 26 18:38:34.971069: | Emitting ikev2_proposal ... Aug 26 18:38:34.971070: | ****emit IKEv2 Security Association Payload: Aug 26 18:38:34.971072: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:34.971074: | flags: none (0x0) Aug 26 18:38:34.971076: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 18:38:34.971078: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 18:38:34.971080: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 18:38:34.971082: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:38:34.971083: | prop #: 1 (0x1) Aug 26 18:38:34.971085: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:38:34.971086: | spi size: 4 (0x4) Aug 26 18:38:34.971088: | # transforms: 3 (0x3) Aug 26 18:38:34.971090: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 18:38:34.971092: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 18:38:34.971094: | our spi 25 35 31 6c Aug 26 18:38:34.971095: | ******emit IKEv2 Transform Substructure Payload: Aug 26 18:38:34.971097: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.971099: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:38:34.971100: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:38:34.971102: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:38:34.971104: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 18:38:34.971106: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:38:34.971107: | length/value: 256 (0x100) Aug 26 18:38:34.971109: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 18:38:34.971111: | ******emit IKEv2 Transform Substructure 
Payload: Aug 26 18:38:34.971112: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.971114: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:38:34.971116: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:38:34.971119: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.971122: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:38:34.971123: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:38:34.971125: | ******emit IKEv2 Transform Substructure Payload: Aug 26 18:38:34.971127: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:38:34.971128: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:38:34.971130: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:38:34.971132: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:34.971133: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:38:34.971135: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:38:34.971137: | emitting length of IKEv2 Proposal Substructure Payload: 40 Aug 26 18:38:34.971139: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 18:38:34.971140: | emitting length of IKEv2 Security Association Payload: 44 Aug 26 18:38:34.971142: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 18:38:34.971144: | received v2N_MOBIKE_SUPPORTED Aug 26 18:38:34.971146: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 18:38:34.971147: | next payload type: 
ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:34.971149: | flags: none (0x0) Aug 26 18:38:34.971150: | number of TS: 1 (0x1) Aug 26 18:38:34.971153: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 18:38:34.971154: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 18:38:34.971156: | *****emit IKEv2 Traffic Selector: Aug 26 18:38:34.971158: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:38:34.971159: | IP Protocol ID: 0 (0x0) Aug 26 18:38:34.971161: | start port: 0 (0x0) Aug 26 18:38:34.971163: | end port: 65535 (0xffff) Aug 26 18:38:34.971165: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 18:38:34.971166: | ipv4 start c0 00 03 00 Aug 26 18:38:34.971168: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 18:38:34.971169: | ipv4 end c0 00 03 ff Aug 26 18:38:34.971171: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 18:38:34.971173: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 18:38:34.971174: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 18:38:34.971176: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:34.971177: | flags: none (0x0) Aug 26 18:38:34.971179: | number of TS: 1 (0x1) Aug 26 18:38:34.971181: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 18:38:34.971183: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 18:38:34.971184: | *****emit IKEv2 Traffic Selector: Aug 26 18:38:34.971186: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:38:34.971188: | IP Protocol ID: 0 (0x0) Aug 26 18:38:34.971189: | start port: 0 (0x0) Aug 
26 18:38:34.971191: | end port: 65535 (0xffff) Aug 26 18:38:34.971192: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 18:38:34.971194: | ipv4 start c0 00 02 00 Aug 26 18:38:34.971196: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 18:38:34.971198: | ipv4 end c0 00 02 ff Aug 26 18:38:34.971200: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 18:38:34.971202: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 18:38:34.971203: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 18:38:34.971206: | integ=sha2_256: .key_size=32 encrypt=aes: .key_size=32 .salt_size=0 keymat_len=64 Aug 26 18:38:34.971306: | FOR_EACH_CONNECTION_... in ISAKMP_SA_established Aug 26 18:38:34.971314: | install_ipsec_sa() for #2: inbound and outbound Aug 26 18:38:34.971316: | could_route called for eastnet-northnet (kind=CK_INSTANCE) Aug 26 18:38:34.971318: | FOR_EACH_CONNECTION_... in route_owner Aug 26 18:38:34.971320: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 18:38:34.971322: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 18:38:34.971323: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 18:38:34.971325: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 18:38:34.971329: | route owner of "eastnet-northnet"[1] 192.1.3.33 unrouted: NULL; eroute owner: NULL Aug 26 18:38:34.971331: | looking for alg with encrypt: AES_CBC keylen: 256 integ: HMAC_SHA2_256_128 Aug 26 18:38:34.971333: | encrypt AES_CBC keylen=256 transid=12, key_size=32, encryptalg=12 Aug 26 18:38:34.971335: | st->st_esp.keymat_len=64 is encrypt_keymat_size=32 + integ_keymat_size=32 Aug 26 18:38:34.971338: | setting IPsec SA replay-window to 32 Aug 26 18:38:34.971340: | NIC esp-hw-offload not for connection 'eastnet-northnet' not available on interface eth1 Aug 26 18:38:34.971342: | netlink: enabling tunnel mode Aug 26 18:38:34.971344: | netlink: setting IPsec SA 
replay-window to 32 using old-style req Aug 26 18:38:34.971346: | netlink: esp-hw-offload not set for IPsec SA Aug 26 18:38:34.971403: | netlink response for Add SA esp.852abbc@192.1.3.33 included non-error error Aug 26 18:38:34.971406: | set up outgoing SA, ref=0/0 Aug 26 18:38:34.971408: | looking for alg with encrypt: AES_CBC keylen: 256 integ: HMAC_SHA2_256_128 Aug 26 18:38:34.971410: | encrypt AES_CBC keylen=256 transid=12, key_size=32, encryptalg=12 Aug 26 18:38:34.971412: | st->st_esp.keymat_len=64 is encrypt_keymat_size=32 + integ_keymat_size=32 Aug 26 18:38:34.971414: | setting IPsec SA replay-window to 32 Aug 26 18:38:34.971416: | NIC esp-hw-offload not for connection 'eastnet-northnet' not available on interface eth1 Aug 26 18:38:34.971418: | netlink: enabling tunnel mode Aug 26 18:38:34.971420: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 18:38:34.971421: | netlink: esp-hw-offload not set for IPsec SA Aug 26 18:38:34.971453: | netlink response for Add SA esp.2535316c@192.1.2.23 included non-error error Aug 26 18:38:34.971460: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 18:38:34.971468: | add inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Aug 26 18:38:34.971472: | IPsec Sa SPD priority set to 1042407 Aug 26 18:38:34.971495: | raw_eroute result=success Aug 26 18:38:34.971499: | set up incoming SA, ref=0/0 Aug 26 18:38:34.971503: | sr for #2: unrouted Aug 26 18:38:34.971506: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 18:38:34.971509: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 18:38:34.971513: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 18:38:34.971517: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 18:38:34.971521: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 18:38:34.971524: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 18:38:34.971530: | route owner of "eastnet-northnet"[1] 192.1.3.33 unrouted: NULL; eroute owner: NULL Aug 26 18:38:34.971534: | route_and_eroute with c: eastnet-northnet (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Aug 26 18:38:34.971537: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 18:38:34.971542: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33 (raw_eroute) Aug 26 18:38:34.971545: | IPsec Sa SPD priority set to 1042407 Aug 26 18:38:34.971556: | raw_eroute result=success Aug 26 18:38:34.971559: | running updown command "ipsec _updown" for verb up Aug 26 18:38:34.971563: | command executing up-client Aug 26 18:38:34.971588: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' 
PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI Aug 26 18:38:34.971591: | popen cmd is 1047 chars long Aug 26 18:38:34.971593: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' P: Aug 26 18:38:34.971595: | cmd( 80):LUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY: Aug 26 18:38:34.971597: | cmd( 160):_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' : Aug 26 18:38:34.971599: | cmd( 240):PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLU: Aug 26 18:38:34.971600: | cmd( 320):TO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='1: Aug 26 18:38:34.971602: | cmd( 400):92.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PL: Aug 26 18:38:34.971604: | cmd( 480):UTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0': Aug 26 18:38:34.971605: | cmd( 560): PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+: Aug 26 18:38:34.971607: | cmd( 640):ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_C: Aug 26 18:38:34.971613: | cmd( 720):ONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER: Aug 26 18:38:34.971617: | cmd( 800):_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='': Aug 26 18:38:34.971620: | cmd( 880): PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' : Aug 26 18:38:34.971623: | cmd( 960):VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x852abbc SPI_OUT=0x2535316c ipsec _updo: Aug 26 18:38:34.971626: | cmd(1040):wn 2>&1: Aug 26 18:38:34.982256: | route_and_eroute: firewall_notified: true Aug 26 18:38:34.982270: | running updown command "ipsec _updown" for verb prepare Aug 26 18:38:34.982273: | command executing prepare-client Aug 26 18:38:34.982307: | executing prepare-client: 
PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARE Aug 26 18:38:34.982318: | popen cmd is 1052 chars long Aug 26 18:38:34.982322: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northn: Aug 26 18:38:34.982326: | cmd( 80):et' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLU: Aug 26 18:38:34.982329: | cmd( 160):TO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.: Aug 26 18:38:34.982332: | cmd( 240):2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0: Aug 26 18:38:34.982336: | cmd( 320):' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_: Aug 26 18:38:34.982339: | cmd( 400):ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.: Aug 26 18:38:34.982342: | cmd( 480):0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCO: Aug 26 18:38:34.982345: | cmd( 560):L='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY=: Aug 26 
18:38:34.982348: | cmd( 640):'PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PL: Aug 26 18:38:34.982351: | cmd( 720):UTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS: Aug 26 18:38:34.982354: | cmd( 800):_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANN: Aug 26 18:38:34.982358: | cmd( 880):ER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFAC: Aug 26 18:38:34.982360: | cmd( 960):E='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x852abbc SPI_OUT=0x2535316c ipsec : Aug 26 18:38:34.982363: | cmd(1040):_updown 2>&1: Aug 26 18:38:34.992065: | running updown command "ipsec _updown" for verb route Aug 26 18:38:34.992089: | command executing route-client Aug 26 18:38:34.992124: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='n Aug 26 18:38:34.992130: | popen cmd is 1050 chars long Aug 26 18:38:34.992134: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet: Aug 26 
18:38:34.992137: | cmd( 80):' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO: Aug 26 18:38:34.992140: | cmd( 160):_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.: Aug 26 18:38:34.992142: | cmd( 240):0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' : Aug 26 18:38:34.992145: | cmd( 320):PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID: Aug 26 18:38:34.992148: | cmd( 400):='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0': Aug 26 18:38:34.992151: | cmd( 480): PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=: Aug 26 18:38:34.992153: | cmd( 560):'0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='P: Aug 26 18:38:34.992156: | cmd( 640):SK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUT: Aug 26 18:38:34.992159: | cmd( 720):O_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_P: Aug 26 18:38:34.992165: | cmd( 800):EER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER: Aug 26 18:38:34.992168: | cmd( 880):='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE=: Aug 26 18:38:34.992170: | cmd( 960):'' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x852abbc SPI_OUT=0x2535316c ipsec _u: Aug 26 18:38:34.992173: | cmd(1040):pdown 2>&1: Aug 26 18:38:35.005119: | route_and_eroute: instance "eastnet-northnet"[1] 192.1.3.33, setting eroute_owner {spd=0x55e261779e08,sr=0x55e261779e08} to #2 (was #0) (newest_ipsec_sa=#0) Aug 26 18:38:35.005351: | #1 spent 1.77 milliseconds in install_ipsec_sa() Aug 26 18:38:35.005362: | ISAKMP_v2_IKE_AUTH: instance eastnet-northnet[1], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Aug 26 18:38:35.005366: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 18:38:35.005370: | emitting 1 0x00 
repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:38:35.005376: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:38:35.005379: | emitting length of IKEv2 Encryption Payload: 213 Aug 26 18:38:35.005382: | emitting length of ISAKMP Message: 241 Aug 26 18:38:35.005415: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Aug 26 18:38:35.005421: | #1 spent 2.79 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Aug 26 18:38:35.005429: | suspend processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:38:35.005436: | start processing: state #2 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:38:35.005441: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Aug 26 18:38:35.005445: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Aug 26 18:38:35.005448: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Aug 26 18:38:35.005453: | Message ID: updating counters for #2 to 1 after switching state Aug 26 18:38:35.005458: | Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Aug 26 18:38:35.005464: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Aug 26 18:38:35.005467: | pstats #2 ikev2.child established Aug 26 18:38:35.005477: "eastnet-northnet"[1] 192.1.3.33 #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Aug 26 18:38:35.005482: | NAT-T: encaps is 'auto' Aug 26 18:38:35.005487: "eastnet-northnet"[1] 192.1.3.33 #2: 
STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x0852abbc <0x2535316c xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive} Aug 26 18:38:35.005494: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Aug 26 18:38:35.005502: | sending 241 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Aug 26 18:38:35.005508: | c9 74 af 35 05 84 b2 d5 bc e1 cd a6 b7 47 b3 05 Aug 26 18:38:35.005510: | 2e 20 23 20 00 00 00 01 00 00 00 f1 29 00 00 d5 Aug 26 18:38:35.005513: | 2b 21 18 99 a7 fc 16 79 28 63 62 3d df 09 b4 df Aug 26 18:38:35.005515: | 8a fc 0d d6 ff c1 ef 93 81 86 41 75 24 15 c0 d3 Aug 26 18:38:35.005518: | 66 c5 70 47 aa 17 b5 00 1c 27 89 24 9d 31 ed 5b Aug 26 18:38:35.005520: | ef c8 d8 69 97 ec b8 53 3d b8 e9 de 8d 07 df 80 Aug 26 18:38:35.005523: | 82 87 24 ea be e0 18 88 4f e9 c5 32 1d d5 0c a8 Aug 26 18:38:35.005525: | 54 39 23 86 b3 43 ae 5d 1c 96 f6 a2 d4 66 22 32 Aug 26 18:38:35.005528: | 98 0a 0c e5 e0 e1 08 f6 62 8c 52 03 47 31 6d ea Aug 26 18:38:35.005532: | 2c ca 65 39 78 b3 a1 ea 9d ac 2f 61 44 4f dc 51 Aug 26 18:38:35.005535: | 4e 34 0f 93 8b 4f 98 fd c6 29 a6 2e 94 a8 65 31 Aug 26 18:38:35.005538: | c4 84 b4 5f 39 2d 44 54 9e cc 35 f3 b1 1a 22 ce Aug 26 18:38:35.005540: | ed 0b d2 92 d0 a3 c2 68 9b 98 34 65 0e 3f 83 93 Aug 26 18:38:35.005543: | 0c d0 ab 55 9a bf 91 31 1b 2d e4 2c 8f 59 3c 12 Aug 26 18:38:35.005545: | ae b8 ad b7 90 a8 d4 9c 29 a1 b1 9e 77 2c 2e da Aug 26 18:38:35.005547: | d5 Aug 26 18:38:35.005599: | releasing whack for #2 (sock=fd@-1) Aug 26 18:38:35.005603: | releasing whack and unpending for parent #1 Aug 26 18:38:35.005607: | unpending state #1 connection "eastnet-northnet"[1] 192.1.3.33 Aug 26 18:38:35.005612: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Aug 26 18:38:35.005616: | event_schedule: new EVENT_SA_REKEY-pe@0x55e26177ddf8 Aug 26 18:38:35.005620: | inserting event EVENT_SA_REKEY, timeout in 28530 
seconds for #2 Aug 26 18:38:35.005624: | libevent_malloc: new ptr-libevent@0x55e26177d4c8 size 128 Aug 26 18:38:35.005637: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 18:38:35.005644: | #1 spent 3.09 milliseconds in resume sending helper answer Aug 26 18:38:35.005650: | stop processing: state #2 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:833) Aug 26 18:38:35.005655: | libevent_free: release ptr-libevent@0x7f5fcc000f48 Aug 26 18:38:35.005670: | processing signal PLUTO_SIGCHLD Aug 26 18:38:35.005676: | waitpid returned ECHILD (no child processes left) Aug 26 18:38:35.005680: | spent 0.00533 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:38:35.005683: | processing signal PLUTO_SIGCHLD Aug 26 18:38:35.005686: | waitpid returned ECHILD (no child processes left) Aug 26 18:38:35.005690: | spent 0.00348 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:38:35.005693: | processing signal PLUTO_SIGCHLD Aug 26 18:38:35.005696: | waitpid returned ECHILD (no child processes left) Aug 26 18:38:35.005700: | spent 0.00346 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:38:44.659129: | spent 0.00277 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 18:38:44.659152: | *received 121 bytes from 192.1.8.22:500 on eth1 (192.1.2.23:500) Aug 26 18:38:44.659155: | c9 74 af 35 05 84 b2 d5 bc e1 cd a6 b7 47 b3 05 Aug 26 18:38:44.659157: | 2e 20 25 08 00 00 00 02 00 00 00 79 29 00 00 5d Aug 26 18:38:44.659159: | 5b f3 f7 44 7f f2 5c 67 35 6d d4 d4 03 51 dc 14 Aug 26 18:38:44.659160: | 3c 49 d9 3c 80 bc 83 15 49 2e 92 72 0c 00 9a 89 Aug 26 18:38:44.659162: | 7b c2 97 43 34 fe 19 35 34 da d9 58 09 d6 19 9a Aug 26 18:38:44.659163: | f2 6a 08 6e 0d e9 59 22 85 3e 2d ae f5 8f 87 74 Aug 26 18:38:44.659165: | 07 94 b6 f1 5a b1 0b 73 62 2d 05 8b 41 a0 48 54 Aug 26 18:38:44.659167: | 4f 45 ae 38 1e 8f e8 bb af Aug 26 18:38:44.659170: | start processing: from 
192.1.8.22:500 (in process_md() at demux.c:378) Aug 26 18:38:44.659173: | **parse ISAKMP Message: Aug 26 18:38:44.659175: | initiator cookie: Aug 26 18:38:44.659177: | c9 74 af 35 05 84 b2 d5 Aug 26 18:38:44.659178: | responder cookie: Aug 26 18:38:44.659180: | bc e1 cd a6 b7 47 b3 05 Aug 26 18:38:44.659182: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 18:38:44.659184: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:38:44.659186: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 18:38:44.659190: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 18:38:44.659192: | Message ID: 2 (0x2) Aug 26 18:38:44.659193: | length: 121 (0x79) Aug 26 18:38:44.659196: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Aug 26 18:38:44.659198: | I am the IKE SA Original Responder receiving an IKEv2 INFORMATIONAL request Aug 26 18:38:44.659202: | State DB: found IKEv2 state #1 in PARENT_R2 (find_v2_ike_sa) Aug 26 18:38:44.659208: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 18:38:44.659213: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 18:38:44.659217: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 18:38:44.659219: | #1 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Aug 26 18:38:44.659222: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 Aug 26 18:38:44.659224: | unpacking clear payload Aug 26 18:38:44.659226: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 18:38:44.659228: | ***parse IKEv2 Encryption Payload: Aug 26 18:38:44.659230: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:44.659231: | flags: none (0x0) Aug 26 18:38:44.659233: | length: 93 (0x5d) Aug 26 18:38:44.659235: | processing payload: ISAKMP_NEXT_v2SK 
(len=89) Aug 26 18:38:44.659238: | Message ID: start-responder #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=-1->2 Aug 26 18:38:44.659241: | #1 in state PARENT_R2: received v2I2, PARENT SA established Aug 26 18:38:44.659255: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Aug 26 18:38:44.659257: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:38:44.659259: | **parse IKEv2 Notify Payload: Aug 26 18:38:44.659261: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:44.659263: | flags: none (0x0) Aug 26 18:38:44.659265: | length: 8 (0x8) Aug 26 18:38:44.659266: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:44.659268: | SPI size: 0 (0x0) Aug 26 18:38:44.659270: | Notify Message Type: v2N_UPDATE_SA_ADDRESSES (0x4010) Aug 26 18:38:44.659272: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 18:38:44.659274: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:38:44.659275: | **parse IKEv2 Notify Payload: Aug 26 18:38:44.659277: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:44.659279: | flags: none (0x0) Aug 26 18:38:44.659280: | length: 28 (0x1c) Aug 26 18:38:44.659282: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:44.659284: | SPI size: 0 (0x0) Aug 26 18:38:44.659286: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 18:38:44.659287: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 18:38:44.659294: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:38:44.659296: | **parse IKEv2 Notify Payload: Aug 26 18:38:44.659298: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:44.659299: | flags: none (0x0) Aug 26 18:38:44.659301: | length: 28 (0x1c) Aug 26 18:38:44.659303: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:44.659304: | SPI size: 0 (0x0) Aug 26 18:38:44.659306: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 18:38:44.659308: | processing payload: ISAKMP_NEXT_v2N (len=20) 
Aug 26 18:38:44.659310: | selected state microcode R2: process Informational Request Aug 26 18:38:44.659312: | Now let's proceed with state specific processing Aug 26 18:38:44.659313: | calling processor R2: process Informational Request Aug 26 18:38:44.659317: | an informational request should send a response Aug 26 18:38:44.659319: | Need to process v2N_UPDATE_SA_ADDRESSES Aug 26 18:38:44.659320: | TODO: Need to process NAT DETECTION payload if we are initiator Aug 26 18:38:44.659322: | TODO: Need to process NAT DETECTION payload if we are initiator Aug 26 18:38:44.659326: | #2 pst=#1 MOBIKE update remote address 192.1.3.33:500 -> 192.1.8.22:500 Aug 26 18:38:44.659335: | responder migrate kernel SA esp.852abbc@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_OUT Aug 26 18:38:44.659391: | responder migrate kernel SA esp.2535316c@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_IN Aug 26 18:38:44.659413: | responder migrate kernel SA esp.2535316c@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_FWD Aug 26 18:38:44.659423: "eastnet-northnet"[1] 192.1.3.33 #1: success MOBIKE update remote address 192.1.3.33:500 -> 192.1.8.22:500 Aug 26 18:38:44.659429: | free hp@0x55e26177a3b8 Aug 26 18:38:44.659434: | connect_to_host_pair: 192.1.2.23:500 192.1.8.22:500 -> hp@(nil): none Aug 26 18:38:44.659436: | new hp@0x55e26177a3b8 Aug 26 18:38:44.659441: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 18:38:44.659443: "eastnet-northnet"[1] 192.1.8.22 #1: MOBIKE request: updating IPsec SA by request Aug 26 18:38:44.659463: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Aug 26 18:38:44.659466: | **emit ISAKMP Message: Aug 26 18:38:44.659468: | initiator cookie: Aug 26 18:38:44.659469: | c9 74 af 35 05 84 b2 d5 Aug 26 18:38:44.659471: | responder cookie: Aug 26 18:38:44.659473: | bc e1 cd a6 b7 47 b3 05 Aug 26 18:38:44.659475: | next payload type: 
ISAKMP_NEXT_NONE (0x0) Aug 26 18:38:44.659477: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:38:44.659478: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 18:38:44.659480: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 18:38:44.659482: | Message ID: 2 (0x2) Aug 26 18:38:44.659484: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:38:44.659486: | ***emit IKEv2 Encryption Payload: Aug 26 18:38:44.659488: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:44.659490: | flags: none (0x0) Aug 26 18:38:44.659492: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:38:44.659494: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Aug 26 18:38:44.659496: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:38:44.659507: | adding NATD payloads to MOBIKE response Aug 26 18:38:44.659509: | NAT-Traversal support [enabled] add v2N payloads. 
Aug 26 18:38:44.659519: | natd_hash: hasher=0x55e25faba800(20) Aug 26 18:38:44.659522: | natd_hash: icookie= c9 74 af 35 05 84 b2 d5 Aug 26 18:38:44.659523: | natd_hash: rcookie= bc e1 cd a6 b7 47 b3 05 Aug 26 18:38:44.659525: | natd_hash: ip= c0 01 02 17 Aug 26 18:38:44.659527: | natd_hash: port=500 Aug 26 18:38:44.659528: | natd_hash: hash= a7 1c a9 f6 20 39 d0 52 d0 0f 01 ec 99 71 23 33 Aug 26 18:38:44.659530: | natd_hash: hash= 68 4f 0f 9d Aug 26 18:38:44.659532: | Adding a v2N Payload Aug 26 18:38:44.659533: | ****emit IKEv2 Notify Payload: Aug 26 18:38:44.659535: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:44.659537: | flags: none (0x0) Aug 26 18:38:44.659539: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:44.659540: | SPI size: 0 (0x0) Aug 26 18:38:44.659542: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 18:38:44.659544: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:38:44.659546: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'information exchange reply packet' Aug 26 18:38:44.659549: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 18:38:44.659551: | Notify data a7 1c a9 f6 20 39 d0 52 d0 0f 01 ec 99 71 23 33 Aug 26 18:38:44.659552: | Notify data 68 4f 0f 9d Aug 26 18:38:44.659554: | emitting length of IKEv2 Notify Payload: 28 Aug 26 18:38:44.659559: | natd_hash: hasher=0x55e25faba800(20) Aug 26 18:38:44.659561: | natd_hash: icookie= c9 74 af 35 05 84 b2 d5 Aug 26 18:38:44.659563: | natd_hash: rcookie= bc e1 cd a6 b7 47 b3 05 Aug 26 18:38:44.659564: | natd_hash: ip= c0 01 08 16 Aug 26 18:38:44.659566: | natd_hash: port=500 Aug 26 18:38:44.659568: | natd_hash: hash= 29 a1 99 6d 44 93 1f 6b 76 1e 3f b1 32 b9 56 6f Aug 26 18:38:44.659569: | natd_hash: hash= 46 1d d9 88 Aug 26 18:38:44.659571: | Adding a v2N Payload Aug 26 18:38:44.659573: | ****emit IKEv2 
Notify Payload: Aug 26 18:38:44.659576: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:44.659578: | flags: none (0x0) Aug 26 18:38:44.659580: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:44.659581: | SPI size: 0 (0x0) Aug 26 18:38:44.659583: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 18:38:44.659585: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:38:44.659587: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'information exchange reply packet' Aug 26 18:38:44.659589: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 18:38:44.659591: | Notify data 29 a1 99 6d 44 93 1f 6b 76 1e 3f b1 32 b9 56 6f Aug 26 18:38:44.659593: | Notify data 46 1d d9 88 Aug 26 18:38:44.659594: | emitting length of IKEv2 Notify Payload: 28 Aug 26 18:38:44.659596: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 18:38:44.659599: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:38:44.659601: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:38:44.659602: | emitting length of IKEv2 Encryption Payload: 85 Aug 26 18:38:44.659604: | emitting length of ISAKMP Message: 113 Aug 26 18:38:44.659613: | sending 113 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #1) Aug 26 18:38:44.659615: | c9 74 af 35 05 84 b2 d5 bc e1 cd a6 b7 47 b3 05 Aug 26 18:38:44.659617: | 2e 20 25 20 00 00 00 02 00 00 00 71 29 00 00 55 Aug 26 18:38:44.659619: | 4d a3 b3 af 7d 6d 8e 8a 68 b6 1b 11 ff a2 5a 9b Aug 26 18:38:44.659620: | fc eb 84 f7 fa 3f b1 65 7e 40 41 1c 2f 47 0a c6 Aug 26 18:38:44.659622: | d9 c0 5b b1 e6 43 3b ee 7c 18 a5 13 13 59 0c 24 Aug 26 18:38:44.659623: | 6d 2b b1 b4 f6 5a 1a c1 ce 62 c1 d9 70 55 57 0e Aug 26 
18:38:44.659625: | 21 c7 25 80 56 22 e1 19 f4 5e d2 7b 37 11 fd 95 Aug 26 18:38:44.659627: | cb Aug 26 18:38:44.659654: | Message ID: #1 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=2 Aug 26 18:38:44.659658: | Message ID: sent #1 response 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1->2 responder.recv=1 wip.initiator=-1 wip.responder=2 Aug 26 18:38:44.659663: | #1 spent 0.331 milliseconds in processing: R2: process Informational Request in ikev2_process_state_packet() Aug 26 18:38:44.659667: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:38:44.659670: | #1 complete_v2_state_transition() PARENT_R2->PARENT_R2 with status STF_OK Aug 26 18:38:44.659673: | Message ID: updating counters for #1 to 2 after switching state Aug 26 18:38:44.659676: | Message ID: recv #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=1->2 wip.initiator=-1 wip.responder=2->-1 Aug 26 18:38:44.659679: | Message ID: #1 skipping update_send as nothing to send; initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1 wip.responder=-1 Aug 26 18:38:44.659681: | STATE_PARENT_R2: received v2I2, PARENT SA established Aug 26 18:38:44.659684: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 18:38:44.659688: | #1 spent 0.529 milliseconds in ikev2_process_packet() Aug 26 18:38:44.659690: | stop processing: from 192.1.8.22:500 (in process_md() at demux.c:380) Aug 26 18:38:44.659693: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 18:38:44.659695: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 
18:38:44.659698: | spent 0.539 milliseconds in comm_handle_cb() reading and processing packet Aug 26 18:38:51.205589: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:38:51.205676: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Aug 26 18:38:51.205692: | FOR_EACH_STATE_... in sort_states Aug 26 18:38:51.205717: | get_sa_info esp.2535316c@192.1.2.23 Aug 26 18:38:51.205769: | get_sa_info esp.852abbc@192.1.8.22 Aug 26 18:38:51.205835: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:38:51.205858: | spent 0.282 milliseconds in whack Aug 26 18:38:51.576555: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:38:51.577643: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 18:38:51.577676: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 18:38:51.578108: | FOR_EACH_STATE_... in show_states_status (sort_states) Aug 26 18:38:51.578126: | FOR_EACH_STATE_... 
in sort_states Aug 26 18:38:51.578179: | get_sa_info esp.2535316c@192.1.2.23 Aug 26 18:38:51.578237: | get_sa_info esp.852abbc@192.1.8.22 Aug 26 18:38:51.578368: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:38:51.578401: | spent 1.83 milliseconds in whack Aug 26 18:38:52.756923: | processing global timer EVENT_SHUNT_SCAN Aug 26 18:38:52.756992: | expiring aged bare shunts from shunt table Aug 26 18:38:52.757013: | spent 0.0172 milliseconds in global timer EVENT_SHUNT_SCAN Aug 26 18:38:53.069355: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:38:53.069389: shutting down Aug 26 18:38:53.069396: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Aug 26 18:38:53.069398: | certs and keys locked by 'free_preshared_secrets' Aug 26 18:38:53.069400: forgetting secrets Aug 26 18:38:53.069406: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 18:38:53.069411: | start processing: connection "eastnet-northnet"[1] 192.1.8.22 (in delete_connection() at connections.c:189) Aug 26 18:38:53.069415: "eastnet-northnet"[1] 192.1.8.22: deleting connection "eastnet-northnet"[1] 192.1.8.22 instance with peer 192.1.8.22 {isakmp=#1/ipsec=#2} Aug 26 18:38:53.069417: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 18:38:53.069419: | pass 0 Aug 26 18:38:53.069420: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 18:38:53.069422: | state #2 Aug 26 18:38:53.069425: | suspend processing: connection "eastnet-northnet"[1] 192.1.8.22 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 18:38:53.069430: | start processing: state #2 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 18:38:53.069432: | pstats #2 ikev2.child deleted completed Aug 26 18:38:53.069435: | [RE]START processing: state #2 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in delete_state() at state.c:879) Aug 26 18:38:53.069439: "eastnet-northnet"[1] 192.1.8.22 #2: deleting state (STATE_V2_IPSEC_R) aged 18.098s and sending notification Aug 26 18:38:53.069441: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Aug 26 18:38:53.069445: | get_sa_info esp.852abbc@192.1.8.22 Aug 26 18:38:53.069456: | get_sa_info esp.2535316c@192.1.2.23 Aug 26 18:38:53.069462: "eastnet-northnet"[1] 192.1.8.22 #2: ESP traffic information: in=168B out=168B Aug 26 18:38:53.069466: | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R Aug 26 18:38:53.069468: | Opening output PBS informational exchange delete request Aug 26 18:38:53.069470: | **emit ISAKMP Message: Aug 26 18:38:53.069472: | initiator cookie: Aug 26 18:38:53.069474: | c9 74 af 35 05 84 b2 d5 Aug 26 18:38:53.069475: | responder cookie: Aug 26 18:38:53.069477: | bc e1 cd a6 b7 47 b3 05 Aug 26 18:38:53.069479: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:38:53.069481: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:38:53.069486: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 18:38:53.069488: | flags: none (0x0) Aug 26 18:38:53.069489: | Message ID: 0 (0x0) Aug 26 18:38:53.069491: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:38:53.069493: | ***emit IKEv2 Encryption Payload: Aug 26 18:38:53.069495: | next payload 
type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:53.069497: | flags: none (0x0) Aug 26 18:38:53.069499: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:38:53.069501: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:38:53.069503: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:38:53.069511: | ****emit IKEv2 Delete Payload: Aug 26 18:38:53.069513: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:53.069514: | flags: none (0x0) Aug 26 18:38:53.069516: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 18:38:53.069518: | SPI size: 4 (0x4) Aug 26 18:38:53.069519: | number of SPIs: 1 (0x1) Aug 26 18:38:53.069521: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 18:38:53.069523: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:38:53.069525: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Aug 26 18:38:53.069527: | local spis 25 35 31 6c Aug 26 18:38:53.069529: | emitting length of IKEv2 Delete Payload: 12 Aug 26 18:38:53.069530: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 18:38:53.069533: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:38:53.069535: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:38:53.069536: | emitting length of IKEv2 Encryption Payload: 41 Aug 26 18:38:53.069538: | emitting length of ISAKMP Message: 69 Aug 26 18:38:53.069557: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #2) Aug 26 18:38:53.069559: | c9 74 af 35 05 84 b2 d5 bc e1 cd a6 b7 47 b3 05 Aug 26 18:38:53.069560: | 2e 20 25 00 00 00 
00 00 00 00 00 45 2a 00 00 29 Aug 26 18:38:53.069562: | 99 42 31 98 77 eb 31 5d 10 8e 64 49 e4 87 38 aa Aug 26 18:38:53.069563: | be 15 a2 33 c3 00 9b 12 11 21 92 18 1e 34 6c 91 Aug 26 18:38:53.069565: | 40 b0 3f e2 47 Aug 26 18:38:53.069608: | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Aug 26 18:38:53.069611: | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send Aug 26 18:38:53.069614: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1->0 wip.responder=-1 Aug 26 18:38:53.069616: | state #2 requesting EVENT_SA_REKEY to be deleted Aug 26 18:38:53.069620: | libevent_free: release ptr-libevent@0x55e26177d4c8 Aug 26 18:38:53.069622: | free_event_entry: release EVENT_SA_REKEY-pe@0x55e26177ddf8 Aug 26 18:38:53.069889: | running updown command "ipsec _updown" for verb down Aug 26 18:38:53.069893: | command executing down-client Aug 26 18:38:53.069912: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566844714' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' 
PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_ Aug 26 18:38:53.069915: | popen cmd is 1060 chars long Aug 26 18:38:53.069918: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet': Aug 26 18:38:53.069919: | cmd( 80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_: Aug 26 18:38:53.069921: | cmd( 160):MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0: Aug 26 18:38:53.069923: | cmd( 240):' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' P: Aug 26 18:38:53.069924: | cmd( 320):LUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID=: Aug 26 18:38:53.069926: | cmd( 400):'192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' : Aug 26 18:38:53.069928: | cmd( 480):PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=': Aug 26 18:38:53.069929: | cmd( 560):0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566844714' PLUTO_CONN_P: Aug 26 18:38:53.069931: | cmd( 640):OLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_: Aug 26 18:38:53.069932: | cmd( 720):NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 : Aug 26 18:38:53.069951: | cmd( 800):PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_P: Aug 26 18:38:53.069953: | cmd( 880):EER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' : Aug 26 18:38:53.069955: | cmd( 960):VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x852abbc SPI_OUT=0x2535316: Aug 26 18:38:53.069956: | cmd(1040):c ipsec _updown 2>&1: Aug 26 18:38:53.077219: | shunt_eroute() called for connection 'eastnet-northnet' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 Aug 26 18:38:53.077233: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 
18:38:53.077236: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 18:38:53.077239: | IPsec Sa SPD priority set to 1042407 Aug 26 18:38:53.077268: | delete esp.852abbc@192.1.8.22 Aug 26 18:38:53.077284: | netlink response for Del SA esp.852abbc@192.1.8.22 included non-error error Aug 26 18:38:53.077287: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 18:38:53.077311: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Aug 26 18:38:53.077332: | raw_eroute result=success Aug 26 18:38:53.077338: | delete esp.2535316c@192.1.2.23 Aug 26 18:38:53.077350: | netlink response for Del SA esp.2535316c@192.1.2.23 included non-error error Aug 26 18:38:53.077393: | stop processing: connection "eastnet-northnet"[1] 192.1.8.22 (BACKGROUND) (in update_state_connection() at connections.c:4076) Aug 26 18:38:53.077398: | start processing: connection NULL (in update_state_connection() at connections.c:4077) Aug 26 18:38:53.077402: | in connection_discard for connection eastnet-northnet Aug 26 18:38:53.077406: | State DB: deleting IKEv2 state #2 in V2_IPSEC_R Aug 26 18:38:53.077414: | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Aug 26 18:38:53.077438: | stop processing: state #2 from 192.1.8.22:500 (in delete_state() at state.c:1143) Aug 26 18:38:53.077452: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 18:38:53.077456: | state #1 Aug 26 18:38:53.077459: | pass 1 Aug 26 18:38:53.077462: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 18:38:53.077465: | state #1 Aug 26 18:38:53.077470: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 18:38:53.077475: | pstats #1 ikev2.ike deleted completed Aug 26 18:38:53.077480: | #1 spent 7.64 milliseconds in total Aug 26 18:38:53.077483: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in delete_state() at state.c:879) Aug 26 18:38:53.077487: "eastnet-northnet"[1] 192.1.8.22 #1: deleting state (STATE_PARENT_R2) aged 18.113s and sending notification Aug 26 18:38:53.077489: | parent state #1: PARENT_R2(established IKE SA) => delete Aug 26 18:38:53.077556: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Aug 26 18:38:53.077563: | Opening output PBS informational exchange delete request Aug 26 18:38:53.077566: | **emit ISAKMP Message: Aug 26 18:38:53.077568: | initiator cookie: Aug 26 18:38:53.077570: | c9 74 af 35 05 84 b2 d5 Aug 26 18:38:53.077572: | responder cookie: Aug 26 18:38:53.077575: | bc e1 cd a6 b7 47 b3 05 Aug 26 18:38:53.077594: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:38:53.077598: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:38:53.077601: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 18:38:53.077606: | flags: none (0x0) Aug 26 18:38:53.077609: | Message ID: 1 (0x1) Aug 26 18:38:53.077613: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:38:53.077616: | ***emit IKEv2 Encryption Payload: Aug 26 18:38:53.077619: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:53.077622: | flags: none (0x0) Aug 26 18:38:53.077626: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:38:53.077630: | next payload chain: saving location 'IKEv2 Encryption 
Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:38:53.077634: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:38:53.077648: | ****emit IKEv2 Delete Payload: Aug 26 18:38:53.077651: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:53.077652: | flags: none (0x0) Aug 26 18:38:53.077654: | protocol ID: PROTO_v2_IKE (0x1) Aug 26 18:38:53.077679: | SPI size: 0 (0x0) Aug 26 18:38:53.077681: | number of SPIs: 0 (0x0) Aug 26 18:38:53.077683: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 18:38:53.077687: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:38:53.077691: | emitting length of IKEv2 Delete Payload: 8 Aug 26 18:38:53.077695: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 18:38:53.077699: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:38:53.077703: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:38:53.077706: | emitting length of IKEv2 Encryption Payload: 37 Aug 26 18:38:53.077710: | emitting length of ISAKMP Message: 65 Aug 26 18:38:53.077750: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #1) Aug 26 18:38:53.077755: | c9 74 af 35 05 84 b2 d5 bc e1 cd a6 b7 47 b3 05 Aug 26 18:38:53.077758: | 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25 Aug 26 18:38:53.077762: | 1a 2c 90 07 0d 9b 6f db 36 3b 66 c1 25 24 9f 09 Aug 26 18:38:53.077765: | b2 b6 c3 77 b3 05 17 54 61 98 54 a3 0d b5 80 7f Aug 26 18:38:53.077767: | e7 Aug 26 18:38:53.077809: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Aug 26 18:38:53.077813: | Message ID: IKE #1 sender #1 in send_delete hacking around 
record ' send Aug 26 18:38:53.077817: | Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=1 wip.responder=-1 Aug 26 18:38:53.077822: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=0->1 wip.responder=-1 Aug 26 18:38:53.077825: | state #1 requesting EVENT_SA_REKEY to be deleted Aug 26 18:38:53.077831: | libevent_free: release ptr-libevent@0x55e26177ce78 Aug 26 18:38:53.077833: | free_event_entry: release EVENT_SA_REKEY-pe@0x55e26177a4e8 Aug 26 18:38:53.077836: | State DB: IKEv2 state not found (flush_incomplete_children) Aug 26 18:38:53.077839: | in connection_discard for connection eastnet-northnet Aug 26 18:38:53.077840: | State DB: deleting IKEv2 state #1 in PARENT_R2 Aug 26 18:38:53.077843: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Aug 26 18:38:53.077868: | stop processing: state #1 from 192.1.8.22:500 (in delete_state() at state.c:1143) Aug 26 18:38:53.077889: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 18:38:53.077892: | shunt_eroute() called for connection 'eastnet-northnet' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 Aug 26 18:38:53.077894: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 18:38:53.077896: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 18:38:53.077912: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 18:38:53.077919: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 18:38:53.077921: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 18:38:53.077923: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 18:38:53.077925: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 18:38:53.077927: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 18:38:53.077929: | route owner of "eastnet-northnet" unrouted: NULL Aug 26 18:38:53.077931: | running updown command "ipsec _updown" for verb unroute Aug 26 18:38:53.077932: | command executing unroute-client Aug 26 18:38:53.077960: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SH Aug 26 18:38:53.077963: | popen cmd is 1042 chars long Aug 26 18:38:53.077965: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northn: Aug 26 18:38:53.077967: | cmd( 80):et' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLU: Aug 26 18:38:53.077969: | cmd( 160):TO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.: Aug 26 
18:38:53.077970: | cmd( 240):2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0: Aug 26 18:38:53.077972: | cmd( 320):' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.8.22' PLUTO_PEER: Aug 26 18:38:53.077974: | cmd( 400):_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3: Aug 26 18:38:53.077975: | cmd( 480):.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOC: Aug 26 18:38:53.077977: | cmd( 560):OL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY: Aug 26 18:38:53.077979: | cmd( 640):='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' P: Aug 26 18:38:53.077982: | cmd( 720):LUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO: Aug 26 18:38:53.077984: | cmd( 800):_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_B: Aug 26 18:38:53.077985: | cmd( 880):ANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_I: Aug 26 18:38:53.077987: | cmd( 960):FACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>: Aug 26 18:38:53.077988: | cmd(1040):&1: Aug 26 18:38:53.086149: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:53.086165: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:53.086167: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:53.086170: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:53.086178: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:53.086188: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:53.086198: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:53.086208: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:53.086217: unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 18:38:53.086227: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:53.086237: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:53.086247: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:53.086258: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:53.086267: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:53.086280: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:53.090760: | free hp@0x55e26177a3b8 Aug 26 18:38:53.090773: | flush revival: connection 'eastnet-northnet' wasn't on the list Aug 26 18:38:53.090776: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Aug 26 18:38:53.090786: | start processing: connection "eastnet-northnet" (in delete_connection() at connections.c:189) Aug 26 18:38:53.090788: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 18:38:53.090790: | pass 0 Aug 26 18:38:53.090791: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 18:38:53.090793: | pass 1 Aug 26 18:38:53.090794: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 18:38:53.090796: | free hp@0x55e261778458 Aug 26 18:38:53.090798: | flush revival: connection 'eastnet-northnet' wasn't on the list Aug 26 18:38:53.090800: | stop processing: connection "eastnet-northnet" (in discard_connection() at connections.c:249) Aug 26 18:38:53.090809: | crl fetch request list locked by 'free_crl_fetch' Aug 26 18:38:53.090811: | crl fetch request list unlocked by 'free_crl_fetch' Aug 26 18:38:53.090818: shutting down interface lo/lo 127.0.0.1:4500 Aug 26 18:38:53.090820: shutting down interface lo/lo 127.0.0.1:500 Aug 26 18:38:53.090822: shutting down interface eth0/eth0 192.0.2.254:4500 Aug 26 18:38:53.090824: shutting down interface eth0/eth0 192.0.2.254:500 Aug 26 18:38:53.090826: shutting down interface eth1/eth1 192.1.2.23:4500 Aug 26 18:38:53.090828: shutting down interface eth1/eth1 192.1.2.23:500 Aug 26 18:38:53.090831: | FOR_EACH_STATE_... in delete_states_dead_interfaces Aug 26 18:38:53.090842: | libevent_free: release ptr-libevent@0x55e26176a448 Aug 26 18:38:53.090844: | free_event_entry: release EVENT_NULL-pe@0x55e261776128 Aug 26 18:38:53.090853: | libevent_free: release ptr-libevent@0x55e261706298 Aug 26 18:38:53.090855: | free_event_entry: release EVENT_NULL-pe@0x55e2617761d8 Aug 26 18:38:53.090861: | libevent_free: release ptr-libevent@0x55e261708138 Aug 26 18:38:53.090862: | free_event_entry: release EVENT_NULL-pe@0x55e261776288 Aug 26 18:38:53.090868: | libevent_free: release ptr-libevent@0x55e261705288 Aug 26 18:38:53.090870: | free_event_entry: release EVENT_NULL-pe@0x55e261776338 Aug 26 18:38:53.090878: | libevent_free: release ptr-libevent@0x55e2616d64e8 Aug 26 18:38:53.090880: | free_event_entry: release EVENT_NULL-pe@0x55e2617763e8 Aug 26 18:38:53.090885: | libevent_free: release ptr-libevent@0x55e2616d61d8 Aug 26 18:38:53.090886: | free_event_entry: release EVENT_NULL-pe@0x55e261776498 Aug 26 18:38:53.090890: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Aug 26 18:38:53.091232: | libevent_free: release ptr-libevent@0x55e26176a4f8 Aug 26 18:38:53.091238: | free_event_entry: release EVENT_NULL-pe@0x55e26175e238 Aug 26 18:38:53.091242: | libevent_free: release ptr-libevent@0x55e261708038 Aug 26 18:38:53.091245: | free_event_entry: release EVENT_NULL-pe@0x55e26175d6f8 Aug 26 18:38:53.091248: | libevent_free: release ptr-libevent@0x55e261741af8 Aug 26 18:38:53.091250: | free_event_entry: release EVENT_NULL-pe@0x55e26175e2a8 Aug 26 18:38:53.091253: | global timer EVENT_REINIT_SECRET uninitialized Aug 26 18:38:53.091254: | global timer EVENT_SHUNT_SCAN uninitialized Aug 26 18:38:53.091256: | global timer EVENT_PENDING_DDNS uninitialized Aug 26 18:38:53.091258: | global timer EVENT_PENDING_PHASE2 uninitialized Aug 26 18:38:53.091259: | global timer EVENT_CHECK_CRLS uninitialized Aug 26 18:38:53.091261: | global timer EVENT_REVIVE_CONNS uninitialized Aug 26 18:38:53.091262: | global timer EVENT_FREE_ROOT_CERTS uninitialized Aug 26 18:38:53.091264: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Aug 26 18:38:53.091265: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Aug 26 18:38:53.091269: | libevent_free: release ptr-libevent@0x55e2617057e8 Aug 26 18:38:53.091271: | signal event handler PLUTO_SIGCHLD uninstalled Aug 26 18:38:53.091273: | libevent_free: release ptr-libevent@0x55e261775908 Aug 26 18:38:53.091275: | signal event handler PLUTO_SIGTERM uninstalled Aug 26 18:38:53.091277: | libevent_free: release ptr-libevent@0x55e261775a18 Aug 26 18:38:53.091278: | signal event handler PLUTO_SIGHUP uninstalled Aug 26 18:38:53.091280: | libevent_free: release ptr-libevent@0x55e261775c58 Aug 26 18:38:53.091282: | signal event handler PLUTO_SIGSYS uninstalled Aug 26 18:38:53.091283: | releasing event base Aug 26 18:38:53.091298: | libevent_free: release ptr-libevent@0x55e261775b28 Aug 26 18:38:53.091302: | libevent_free: release ptr-libevent@0x55e261758ae8 Aug 26 18:38:53.091305: | libevent_free: 
release ptr-libevent@0x55e261758a98 Aug 26 18:38:53.091306: | libevent_free: release ptr-libevent@0x55e261758a28 Aug 26 18:38:53.091328: | libevent_free: release ptr-libevent@0x55e2617589e8 Aug 26 18:38:53.091330: | libevent_free: release ptr-libevent@0x55e261775808 Aug 26 18:38:53.091332: | libevent_free: release ptr-libevent@0x55e261775888 Aug 26 18:38:53.091333: | libevent_free: release ptr-libevent@0x55e261758c98 Aug 26 18:38:53.091335: | libevent_free: release ptr-libevent@0x55e26175d808 Aug 26 18:38:53.091337: | libevent_free: release ptr-libevent@0x55e26175e1f8 Aug 26 18:38:53.091338: | libevent_free: release ptr-libevent@0x55e261776508 Aug 26 18:38:53.091340: | libevent_free: release ptr-libevent@0x55e261776458 Aug 26 18:38:53.091341: | libevent_free: release ptr-libevent@0x55e2617763a8 Aug 26 18:38:53.091343: | libevent_free: release ptr-libevent@0x55e2617762f8 Aug 26 18:38:53.091344: | libevent_free: release ptr-libevent@0x55e261776248 Aug 26 18:38:53.091346: | libevent_free: release ptr-libevent@0x55e261776198 Aug 26 18:38:53.091348: | libevent_free: release ptr-libevent@0x55e261705948 Aug 26 18:38:53.091349: | libevent_free: release ptr-libevent@0x55e2617759d8 Aug 26 18:38:53.091364: | libevent_free: release ptr-libevent@0x55e2617758c8 Aug 26 18:38:53.091365: | libevent_free: release ptr-libevent@0x55e261775848 Aug 26 18:38:53.091367: | libevent_free: release ptr-libevent@0x55e261775ae8 Aug 26 18:38:53.091369: | libevent_free: release ptr-libevent@0x55e261704ad8 Aug 26 18:38:53.091370: | libevent_free: release ptr-libevent@0x55e2616d5908 Aug 26 18:38:53.091372: | libevent_free: release ptr-libevent@0x55e2616d5d38 Aug 26 18:38:53.091374: | libevent_free: release ptr-libevent@0x55e261704e48 Aug 26 18:38:53.091378: | releasing global libevent data Aug 26 18:38:53.091380: | libevent_free: release ptr-libevent@0x55e2616d1178 Aug 26 18:38:53.091382: | libevent_free: release ptr-libevent@0x55e2616d5cd8 Aug 26 18:38:53.091391: | libevent_free: release 
ptr-libevent@0x55e2616d5dd8 Aug 26 18:38:53.091412: leak detective found no leaks