Aug 26 18:38:32.922206: FIPS Product: YES Aug 26 18:38:32.922342: FIPS Kernel: NO Aug 26 18:38:32.922347: FIPS Mode: NO Aug 26 18:38:32.922350: NSS DB directory: sql:/etc/ipsec.d Aug 26 18:38:32.922508: Initializing NSS Aug 26 18:38:32.922516: Opening NSS database "sql:/etc/ipsec.d" read-only Aug 26 18:38:32.962872: NSS initialized Aug 26 18:38:32.962889: NSS crypto library initialized Aug 26 18:38:32.962891: FIPS HMAC integrity support [enabled] Aug 26 18:38:32.962893: FIPS mode disabled for pluto daemon Aug 26 18:38:33.009125: FIPS HMAC integrity verification self-test FAILED Aug 26 18:38:33.009346: libcap-ng support [enabled] Aug 26 18:38:33.009363: Linux audit support [enabled] Aug 26 18:38:33.009395: Linux audit activated Aug 26 18:38:33.010063: Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:8177 Aug 26 18:38:33.010072: core dump dir: /tmp Aug 26 18:38:33.010075: secrets file: /etc/ipsec.secrets Aug 26 18:38:33.010078: leak-detective enabled Aug 26 18:38:33.010080: NSS crypto [enabled] Aug 26 18:38:33.010082: XAUTH PAM support [enabled] Aug 26 18:38:33.010156: | libevent is using pluto's memory allocator Aug 26 18:38:33.010163: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Aug 26 18:38:33.010182: | libevent_malloc: new ptr-libevent@0x561d821d5178 size 40 Aug 26 18:38:33.010187: | libevent_malloc: new ptr-libevent@0x561d821d9cd8 size 40 Aug 26 18:38:33.010191: | libevent_malloc: new ptr-libevent@0x561d821d9dd8 size 40 Aug 26 18:38:33.010194: | creating event base Aug 26 18:38:33.010197: | libevent_malloc: new ptr-libevent@0x561d8225ca48 size 56 Aug 26 18:38:33.010203: | libevent_malloc: new ptr-libevent@0x561d82208e68 size 664 Aug 26 18:38:33.010215: | libevent_malloc: new ptr-libevent@0x561d8225cab8 size 24 
Aug 26 18:38:33.010218: | libevent_malloc: new ptr-libevent@0x561d8225cb08 size 384 Aug 26 18:38:33.010228: | libevent_malloc: new ptr-libevent@0x561d8225ca08 size 16 Aug 26 18:38:33.010232: | libevent_malloc: new ptr-libevent@0x561d821d9908 size 40 Aug 26 18:38:33.010235: | libevent_malloc: new ptr-libevent@0x561d821d9d38 size 48 Aug 26 18:38:33.010240: | libevent_realloc: new ptr-libevent@0x561d82209968 size 256 Aug 26 18:38:33.010243: | libevent_malloc: new ptr-libevent@0x561d8225ccb8 size 16 Aug 26 18:38:33.010249: | libevent_free: release ptr-libevent@0x561d8225ca48 Aug 26 18:38:33.010254: | libevent initialized Aug 26 18:38:33.010258: | libevent_realloc: new ptr-libevent@0x561d8225ca48 size 64 Aug 26 18:38:33.010262: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Aug 26 18:38:33.010283: | init_nat_traversal() initialized with keep_alive=0s Aug 26 18:38:33.010286: NAT-Traversal support [enabled] Aug 26 18:38:33.010300: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Aug 26 18:38:33.010306: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Aug 26 18:38:33.010314: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Aug 26 18:38:33.010357: | global one-shot timer EVENT_REVIVE_CONNS initialized Aug 26 18:38:33.010362: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Aug 26 18:38:33.010366: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Aug 26 18:38:33.010418: Encryption algorithms: Aug 26 18:38:33.010429: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c Aug 26 18:38:33.010433: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b Aug 26 18:38:33.010438: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a Aug 26 18:38:33.010442: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des Aug 26 18:38:33.010445: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} Aug 26 
18:38:33.010455: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia Aug 26 18:38:33.010460: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c Aug 26 18:38:33.010464: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b Aug 26 18:38:33.010468: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a Aug 26 18:38:33.010472: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr Aug 26 18:38:33.010476: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes Aug 26 18:38:33.010480: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent Aug 26 18:38:33.010485: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish Aug 26 18:38:33.010489: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh Aug 26 18:38:33.010492: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Aug 26 18:38:33.010496: NULL IKEv1: ESP IKEv2: ESP [] Aug 26 18:38:33.010499: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Aug 26 18:38:33.010506: Hash algorithms: Aug 26 18:38:33.010509: MD5 IKEv1: IKE IKEv2: Aug 26 18:38:33.010512: SHA1 IKEv1: IKE IKEv2: FIPS sha Aug 26 18:38:33.010515: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 Aug 26 18:38:33.010518: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 Aug 26 18:38:33.010521: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 Aug 26 18:38:33.010534: PRF algorithms: Aug 26 18:38:33.010537: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 Aug 26 18:38:33.010540: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 Aug 26 18:38:33.010544: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 Aug 26 18:38:33.010547: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 Aug 26 18:38:33.010550: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Aug 26 18:38:33.010553: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Aug 26 18:38:33.010580: Integrity algorithms: Aug 26 18:38:33.010584: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, 
hmac_md5 Aug 26 18:38:33.010588: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 Aug 26 18:38:33.010592: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Aug 26 18:38:33.010596: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Aug 26 18:38:33.010600: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Aug 26 18:38:33.010603: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Aug 26 18:38:33.010606: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 Aug 26 18:38:33.010609: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Aug 26 18:38:33.010613: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Aug 26 18:38:33.010625: DH algorithms: Aug 26 18:38:33.010629: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 Aug 26 18:38:33.010632: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 Aug 26 18:38:33.010635: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 Aug 26 18:38:33.010641: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 Aug 26 18:38:33.010644: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 Aug 26 18:38:33.010647: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 Aug 26 18:38:33.010649: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 Aug 26 18:38:33.010651: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 Aug 26 18:38:33.010653: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 Aug 26 18:38:33.010655: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 Aug 26 18:38:33.010657: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 Aug 26 18:38:33.010659: testing CAMELLIA_CBC: Aug 26 18:38:33.010661: Camellia: 16 bytes with 128-bit key Aug 26 18:38:33.010768: Camellia: 16 bytes with 128-bit key Aug 26 18:38:33.015360: Camellia: 16 bytes with 256-bit key Aug 26 18:38:33.015424: Camellia: 16 bytes with 256-bit key 
Aug 26 18:38:33.015456: testing AES_GCM_16: Aug 26 18:38:33.015460: empty string Aug 26 18:38:33.015491: one block Aug 26 18:38:33.015517: two blocks Aug 26 18:38:33.015543: two blocks with associated data Aug 26 18:38:33.015569: testing AES_CTR: Aug 26 18:38:33.015573: Encrypting 16 octets using AES-CTR with 128-bit key Aug 26 18:38:33.015601: Encrypting 32 octets using AES-CTR with 128-bit key Aug 26 18:38:33.015629: Encrypting 36 octets using AES-CTR with 128-bit key Aug 26 18:38:33.015658: Encrypting 16 octets using AES-CTR with 192-bit key Aug 26 18:38:33.015685: Encrypting 32 octets using AES-CTR with 192-bit key Aug 26 18:38:33.015716: Encrypting 36 octets using AES-CTR with 192-bit key Aug 26 18:38:33.015746: Encrypting 16 octets using AES-CTR with 256-bit key Aug 26 18:38:33.015773: Encrypting 32 octets using AES-CTR with 256-bit key Aug 26 18:38:33.015802: Encrypting 36 octets using AES-CTR with 256-bit key Aug 26 18:38:33.015831: testing AES_CBC: Aug 26 18:38:33.015835: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Aug 26 18:38:33.015862: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Aug 26 18:38:33.015892: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Aug 26 18:38:33.015922: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Aug 26 18:38:33.015957: testing AES_XCBC: Aug 26 18:38:33.015961: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Aug 26 18:38:33.016081: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Aug 26 18:38:33.016214: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Aug 26 18:38:33.016375: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Aug 26 18:38:33.016514: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Aug 26 18:38:33.016644: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Aug 26 18:38:33.016777: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Aug 26 18:38:33.017075: RFC 4434 Test Case AES-XCBC-PRF-128 with 
20-byte input (key length 16) Aug 26 18:38:33.017206: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Aug 26 18:38:33.017354: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Aug 26 18:38:33.017593: testing HMAC_MD5: Aug 26 18:38:33.017599: RFC 2104: MD5_HMAC test 1 Aug 26 18:38:33.017781: RFC 2104: MD5_HMAC test 2 Aug 26 18:38:33.017938: RFC 2104: MD5_HMAC test 3 Aug 26 18:38:33.018132: 8 CPU cores online Aug 26 18:38:33.018136: starting up 7 crypto helpers Aug 26 18:38:33.018168: started thread for crypto helper 0 Aug 26 18:38:33.018190: started thread for crypto helper 1 Aug 26 18:38:33.018197: | starting up helper thread 1 Aug 26 18:38:33.018208: started thread for crypto helper 2 Aug 26 18:38:33.018211: | status value returned by setting the priority of this thread (crypto helper 1) 22 Aug 26 18:38:33.018218: | crypto helper 1 waiting (nothing to do) Aug 26 18:38:33.018226: started thread for crypto helper 3 Aug 26 18:38:33.018244: started thread for crypto helper 4 Aug 26 18:38:33.018261: started thread for crypto helper 5 Aug 26 18:38:33.018279: started thread for crypto helper 6 Aug 26 18:38:33.018283: | checking IKEv1 state table Aug 26 18:38:33.018320: | starting up helper thread 3 Aug 26 18:38:33.018333: | status value returned by setting the priority of this thread (crypto helper 3) 22 Aug 26 18:38:33.018336: | crypto helper 3 waiting (nothing to do) Aug 26 18:38:33.018375: | MAIN_R0: category: half-open IKE SA flags: 0: Aug 26 18:38:33.018379: | -> MAIN_R1 EVENT_SO_DISCARD Aug 26 18:38:33.018382: | MAIN_I1: category: half-open IKE SA flags: 0: Aug 26 18:38:33.018385: | -> MAIN_I2 EVENT_RETRANSMIT Aug 26 18:38:33.018388: | MAIN_R1: category: open IKE SA flags: 200: Aug 26 18:38:33.018390: | -> MAIN_R2 EVENT_RETRANSMIT Aug 26 18:38:33.018393: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 18:38:33.018395: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 18:38:33.018398: | MAIN_I2: category: open IKE SA flags: 0: Aug 26 
18:38:33.018400: | -> MAIN_I3 EVENT_RETRANSMIT Aug 26 18:38:33.018402: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 18:38:33.018404: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 18:38:33.018406: | MAIN_R2: category: open IKE SA flags: 0: Aug 26 18:38:33.018409: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 18:38:33.018411: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 18:38:33.018414: | -> UNDEFINED EVENT_SA_REPLACE Aug 26 18:38:33.018417: | MAIN_I3: category: open IKE SA flags: 0: Aug 26 18:38:33.018419: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 18:38:33.018421: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 18:38:33.018424: | -> UNDEFINED EVENT_SA_REPLACE Aug 26 18:38:33.018427: | MAIN_R3: category: established IKE SA flags: 200: Aug 26 18:38:33.018429: | -> UNDEFINED EVENT_NULL Aug 26 18:38:33.018432: | MAIN_I4: category: established IKE SA flags: 0: Aug 26 18:38:33.018434: | -> UNDEFINED EVENT_NULL Aug 26 18:38:33.018437: | AGGR_R0: category: half-open IKE SA flags: 0: Aug 26 18:38:33.018439: | -> AGGR_R1 EVENT_SO_DISCARD Aug 26 18:38:33.018441: | AGGR_I1: category: half-open IKE SA flags: 0: Aug 26 18:38:33.018444: | -> AGGR_I2 EVENT_SA_REPLACE Aug 26 18:38:33.018446: | -> AGGR_I2 EVENT_SA_REPLACE Aug 26 18:38:33.018449: | AGGR_R1: category: open IKE SA flags: 200: Aug 26 18:38:33.018451: | -> AGGR_R2 EVENT_SA_REPLACE Aug 26 18:38:33.018454: | -> AGGR_R2 EVENT_SA_REPLACE Aug 26 18:38:33.018456: | AGGR_I2: category: established IKE SA flags: 200: Aug 26 18:38:33.018459: | -> UNDEFINED EVENT_NULL Aug 26 18:38:33.018462: | AGGR_R2: category: established IKE SA flags: 0: Aug 26 18:38:33.018464: | -> UNDEFINED EVENT_NULL Aug 26 18:38:33.018467: | QUICK_R0: category: established CHILD SA flags: 0: Aug 26 18:38:33.018470: | -> QUICK_R1 EVENT_RETRANSMIT Aug 26 18:38:33.018472: | QUICK_I1: category: established CHILD SA flags: 0: Aug 26 18:38:33.018475: | -> QUICK_I2 EVENT_SA_REPLACE Aug 26 18:38:33.018478: | QUICK_R1: category: established CHILD SA flags: 0: Aug 26 18:38:33.018480: | -> QUICK_R2 EVENT_SA_REPLACE 
Aug 26 18:38:33.018483: | QUICK_I2: category: established CHILD SA flags: 200: Aug 26 18:38:33.018486: | -> UNDEFINED EVENT_NULL Aug 26 18:38:33.018488: | QUICK_R2: category: established CHILD SA flags: 0: Aug 26 18:38:33.018491: | -> UNDEFINED EVENT_NULL Aug 26 18:38:33.018494: | INFO: category: informational flags: 0: Aug 26 18:38:33.018496: | -> UNDEFINED EVENT_NULL Aug 26 18:38:33.018499: | INFO_PROTECTED: category: informational flags: 0: Aug 26 18:38:33.018501: | -> UNDEFINED EVENT_NULL Aug 26 18:38:33.018504: | XAUTH_R0: category: established IKE SA flags: 0: Aug 26 18:38:33.018507: | -> XAUTH_R1 EVENT_NULL Aug 26 18:38:33.018509: | XAUTH_R1: category: established IKE SA flags: 0: Aug 26 18:38:33.018512: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 18:38:33.018515: | MODE_CFG_R0: category: informational flags: 0: Aug 26 18:38:33.018521: | -> MODE_CFG_R1 EVENT_SA_REPLACE Aug 26 18:38:33.018524: | MODE_CFG_R1: category: established IKE SA flags: 0: Aug 26 18:38:33.018526: | -> MODE_CFG_R2 EVENT_SA_REPLACE Aug 26 18:38:33.018529: | MODE_CFG_R2: category: established IKE SA flags: 0: Aug 26 18:38:33.018532: | -> UNDEFINED EVENT_NULL Aug 26 18:38:33.018535: | MODE_CFG_I1: category: established IKE SA flags: 0: Aug 26 18:38:33.018537: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 18:38:33.018540: | XAUTH_I0: category: established IKE SA flags: 0: Aug 26 18:38:33.018542: | -> XAUTH_I1 EVENT_RETRANSMIT Aug 26 18:38:33.018545: | XAUTH_I1: category: established IKE SA flags: 0: Aug 26 18:38:33.018548: | -> MAIN_I4 EVENT_RETRANSMIT Aug 26 18:38:33.018554: | checking IKEv2 state table Aug 26 18:38:33.018560: | PARENT_I0: category: ignore flags: 0: Aug 26 18:38:33.018563: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Aug 26 18:38:33.018566: | PARENT_I1: category: half-open IKE SA flags: 0: Aug 26 18:38:33.018569: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Aug 26 18:38:33.018572: | -> PARENT_I2 EVENT_RETRANSMIT 
send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Aug 26 18:38:33.018575: | PARENT_I2: category: open IKE SA flags: 0: Aug 26 18:38:33.018578: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Aug 26 18:38:33.018581: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Aug 26 18:38:33.018584: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Aug 26 18:38:33.018587: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Aug 26 18:38:33.018589: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Aug 26 18:38:33.018592: | PARENT_I3: category: established IKE SA flags: 0: Aug 26 18:38:33.018595: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) Aug 26 18:38:33.018598: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) Aug 26 18:38:33.018600: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Aug 26 18:38:33.018603: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) Aug 26 18:38:33.018606: | PARENT_R0: category: half-open IKE SA flags: 0: Aug 26 18:38:33.018609: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) Aug 26 18:38:33.018612: | PARENT_R1: category: half-open IKE SA flags: 0: Aug 26 18:38:33.018614: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) Aug 26 18:38:33.018617: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Aug 26 18:38:33.018620: | PARENT_R2: category: established IKE SA flags: 0: Aug 26 18:38:33.018623: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Aug 26 18:38:33.018626: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) Aug 26 18:38:33.018629: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Aug 26 18:38:33.018631: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) Aug 26 
18:38:33.018634: | V2_CREATE_I0: category: established IKE SA flags: 0: Aug 26 18:38:33.018637: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Aug 26 18:38:33.018640: | V2_CREATE_I: category: established IKE SA flags: 0: Aug 26 18:38:33.018643: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Aug 26 18:38:33.018646: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: Aug 26 18:38:33.018649: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Aug 26 18:38:33.018652: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Aug 26 18:38:33.018654: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Aug 26 18:38:33.018657: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Aug 26 18:38:33.018664: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Aug 26 18:38:33.018667: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Aug 26 18:38:33.018670: | V2_CREATE_R: category: established IKE SA flags: 0: Aug 26 18:38:33.018673: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Aug 26 18:38:33.018676: | V2_REKEY_IKE_R: category: established IKE SA flags: 0: Aug 26 18:38:33.018679: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Aug 26 18:38:33.018682: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Aug 26 18:38:33.018685: | V2_IPSEC_I: category: established CHILD SA flags: 0: Aug 26 18:38:33.018688: | V2_IPSEC_R: category: established CHILD SA flags: 0: Aug 26 18:38:33.018691: | IKESA_DEL: category: established IKE SA flags: 0: Aug 26 18:38:33.018694: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Aug 26 18:38:33.018697: | CHILDSA_DEL: category: informational flags: 0: Aug 26 18:38:33.018767: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 Aug 26 18:38:33.019195: | 
Hard-wiring algorithms Aug 26 18:38:33.019201: | adding AES_CCM_16 to kernel algorithm db Aug 26 18:38:33.019205: | adding AES_CCM_12 to kernel algorithm db Aug 26 18:38:33.019208: | adding AES_CCM_8 to kernel algorithm db Aug 26 18:38:33.019211: | adding 3DES_CBC to kernel algorithm db Aug 26 18:38:33.019214: | adding CAMELLIA_CBC to kernel algorithm db Aug 26 18:38:33.019216: | adding AES_GCM_16 to kernel algorithm db Aug 26 18:38:33.019219: | adding AES_GCM_12 to kernel algorithm db Aug 26 18:38:33.019222: | adding AES_GCM_8 to kernel algorithm db Aug 26 18:38:33.019224: | adding AES_CTR to kernel algorithm db Aug 26 18:38:33.019227: | adding AES_CBC to kernel algorithm db Aug 26 18:38:33.019229: | adding SERPENT_CBC to kernel algorithm db Aug 26 18:38:33.019232: | adding TWOFISH_CBC to kernel algorithm db Aug 26 18:38:33.019235: | adding NULL_AUTH_AES_GMAC to kernel algorithm db Aug 26 18:38:33.019238: | adding NULL to kernel algorithm db Aug 26 18:38:33.019240: | adding CHACHA20_POLY1305 to kernel algorithm db Aug 26 18:38:33.019243: | adding HMAC_MD5_96 to kernel algorithm db Aug 26 18:38:33.019246: | adding HMAC_SHA1_96 to kernel algorithm db Aug 26 18:38:33.019248: | adding HMAC_SHA2_512_256 to kernel algorithm db Aug 26 18:38:33.019251: | adding HMAC_SHA2_384_192 to kernel algorithm db Aug 26 18:38:33.019254: | adding HMAC_SHA2_256_128 to kernel algorithm db Aug 26 18:38:33.019256: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Aug 26 18:38:33.019259: | adding AES_XCBC_96 to kernel algorithm db Aug 26 18:38:33.019261: | adding AES_CMAC_96 to kernel algorithm db Aug 26 18:38:33.019263: | adding NONE to kernel algorithm db Aug 26 18:38:33.019286: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Aug 26 18:38:33.019297: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Aug 26 18:38:33.019303: | setup kernel fd callback Aug 26 18:38:33.019307: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x561d822622c8 Aug 26 
18:38:33.019312: | libevent_malloc: new ptr-libevent@0x561d82245b18 size 128 Aug 26 18:38:33.019315: | libevent_malloc: new ptr-libevent@0x561d82261828 size 16 Aug 26 18:38:33.019322: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x561d82261718 Aug 26 18:38:33.019326: | libevent_malloc: new ptr-libevent@0x561d8220c058 size 128 Aug 26 18:38:33.019329: | libevent_malloc: new ptr-libevent@0x561d82262218 size 16 Aug 26 18:38:33.019581: | global one-shot timer EVENT_CHECK_CRLS initialized Aug 26 18:38:33.019590: selinux support is enabled. Aug 26 18:38:33.020123: | starting up helper thread 0 Aug 26 18:38:33.020137: | status value returned by setting the priority of this thread (crypto helper 0) 22 Aug 26 18:38:33.020141: | crypto helper 0 waiting (nothing to do) Aug 26 18:38:33.020150: | starting up helper thread 2 Aug 26 18:38:33.020161: | status value returned by setting the priority of this thread (crypto helper 2) 22 Aug 26 18:38:33.020164: | crypto helper 2 waiting (nothing to do) Aug 26 18:38:33.020171: | starting up helper thread 4 Aug 26 18:38:33.020177: | status value returned by setting the priority of this thread (crypto helper 4) 22 Aug 26 18:38:33.020180: | crypto helper 4 waiting (nothing to do) Aug 26 18:38:33.020186: | starting up helper thread 5 Aug 26 18:38:33.020192: | status value returned by setting the priority of this thread (crypto helper 5) 22 Aug 26 18:38:33.020195: | crypto helper 5 waiting (nothing to do) Aug 26 18:38:33.020201: | starting up helper thread 6 Aug 26 18:38:33.020206: | status value returned by setting the priority of this thread (crypto helper 6) 22 Aug 26 18:38:33.020209: | crypto helper 6 waiting (nothing to do) Aug 26 18:38:33.023011: | unbound context created - setting debug level to 5 Aug 26 18:38:33.023199: | /etc/hosts lookups activated Aug 26 18:38:33.023222: | /etc/resolv.conf usage activated Aug 26 18:38:33.023423: | outgoing-port-avoid set 0-65535 Aug 26 18:38:33.023461: | outgoing-port-permit set 32768-60999 
Aug 26 18:38:33.023465: | Loading dnssec root key from:/var/lib/unbound/root.key Aug 26 18:38:33.023469: | No additional dnssec trust anchors defined via dnssec-trusted= option Aug 26 18:38:33.023473: | Setting up events, loop start Aug 26 18:38:33.023478: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x561d82262258 Aug 26 18:38:33.023482: | libevent_malloc: new ptr-libevent@0x561d8226e518 size 128 Aug 26 18:38:33.023487: | libevent_malloc: new ptr-libevent@0x561d82279828 size 16 Aug 26 18:38:33.023496: | libevent_realloc: new ptr-libevent@0x561d82208af8 size 256 Aug 26 18:38:33.023499: | libevent_malloc: new ptr-libevent@0x561d82279868 size 8 Aug 26 18:38:33.023503: | libevent_realloc: new ptr-libevent@0x561d822093a8 size 144 Aug 26 18:38:33.023506: | libevent_malloc: new ptr-libevent@0x561d82209808 size 152 Aug 26 18:38:33.023509: | libevent_malloc: new ptr-libevent@0x561d822798a8 size 16 Aug 26 18:38:33.023514: | signal event handler PLUTO_SIGCHLD installed Aug 26 18:38:33.023517: | libevent_malloc: new ptr-libevent@0x561d822798e8 size 8 Aug 26 18:38:33.023520: | libevent_malloc: new ptr-libevent@0x561d82279928 size 152 Aug 26 18:38:33.023524: | signal event handler PLUTO_SIGTERM installed Aug 26 18:38:33.023526: | libevent_malloc: new ptr-libevent@0x561d822799f8 size 8 Aug 26 18:38:33.023529: | libevent_malloc: new ptr-libevent@0x561d82279a38 size 152 Aug 26 18:38:33.023532: | signal event handler PLUTO_SIGHUP installed Aug 26 18:38:33.023535: | libevent_malloc: new ptr-libevent@0x561d82279b08 size 8 Aug 26 18:38:33.023538: | libevent_realloc: release ptr-libevent@0x561d822093a8 Aug 26 18:38:33.023541: | libevent_realloc: new ptr-libevent@0x561d82279b48 size 256 Aug 26 18:38:33.023544: | libevent_malloc: new ptr-libevent@0x561d82279c78 size 152 Aug 26 18:38:33.023547: | signal event handler PLUTO_SIGSYS installed Aug 26 18:38:33.023999: | created addconn helper (pid:8530) using fork+execve Aug 26 18:38:33.024015: | forked child 8530 Aug 26 18:38:33.024064: | 
accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:38:33.025364: listening for IKE messages Aug 26 18:38:33.025434: | Inspecting interface lo Aug 26 18:38:33.025443: | found lo with address 127.0.0.1 Aug 26 18:38:33.025448: | Inspecting interface eth0 Aug 26 18:38:33.025453: | found eth0 with address 192.0.2.254 Aug 26 18:38:33.025458: | Inspecting interface eth1 Aug 26 18:38:33.025462: | found eth1 with address 192.1.2.23 Aug 26 18:38:33.025527: Kernel supports NIC esp-hw-offload Aug 26 18:38:33.025549: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Aug 26 18:38:33.025578: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 18:38:33.025584: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 18:38:33.025588: adding interface eth1/eth1 192.1.2.23:4500 Aug 26 18:38:33.025923: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Aug 26 18:38:33.025971: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 18:38:33.025977: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 18:38:33.025982: adding interface eth0/eth0 192.0.2.254:4500 Aug 26 18:38:33.026019: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Aug 26 18:38:33.026049: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 18:38:33.026054: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 18:38:33.026058: adding interface lo/lo 127.0.0.1:4500 Aug 26 18:38:33.026132: | no interfaces to sort Aug 26 18:38:33.026138: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Aug 26 18:38:33.026148: | add_fd_read_event_handler: new ethX-pe@0x561d8227a148 Aug 26 18:38:33.026152: | libevent_malloc: new ptr-libevent@0x561d8226e468 size 128 Aug 26 18:38:33.026157: | libevent_malloc: new ptr-libevent@0x561d8227a1b8 size 16 Aug 26 18:38:33.026165: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 18:38:33.026169: | add_fd_read_event_handler: new ethX-pe@0x561d8227a1f8 Aug 26 18:38:33.026174: | libevent_malloc: new ptr-libevent@0x561d8220a2b8 size 128 Aug 26 18:38:33.026177: | libevent_malloc: new ptr-libevent@0x561d8227a268 size 16 Aug 26 18:38:33.026182: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 18:38:33.026185: | add_fd_read_event_handler: new ethX-pe@0x561d8227a2a8 Aug 26 18:38:33.026188: | libevent_malloc: new ptr-libevent@0x561d8220c158 size 128 Aug 26 18:38:33.026191: | libevent_malloc: new ptr-libevent@0x561d8227a318 size 16 Aug 26 18:38:33.026196: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Aug 26 18:38:33.026199: | add_fd_read_event_handler: new ethX-pe@0x561d8227a358 Aug 26 18:38:33.026202: | libevent_malloc: new ptr-libevent@0x561d822092a8 size 128 Aug 26 18:38:33.026204: | libevent_malloc: new ptr-libevent@0x561d8227a3c8 size 16 Aug 26 18:38:33.026209: | setup callback for interface eth0 192.0.2.254:500 fd 19 Aug 26 18:38:33.026212: | add_fd_read_event_handler: new ethX-pe@0x561d8227a408 Aug 26 18:38:33.026218: | libevent_malloc: new ptr-libevent@0x561d821da4e8 size 128 Aug 26 18:38:33.026221: | libevent_malloc: new ptr-libevent@0x561d8227a478 size 16 Aug 26 18:38:33.026227: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 18:38:33.026229: | add_fd_read_event_handler: new ethX-pe@0x561d8227a4b8 Aug 26 18:38:33.026232: | libevent_malloc: new ptr-libevent@0x561d821da1d8 size 128 Aug 26 18:38:33.026235: | libevent_malloc: new ptr-libevent@0x561d8227a528 size 16 Aug 26 18:38:33.026241: | setup callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 
18:38:33.026247: | certs and keys locked by 'free_preshared_secrets' Aug 26 18:38:33.026249: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 18:38:33.026271: loading secrets from "/etc/ipsec.secrets" Aug 26 18:38:33.026297: | Processing PSK at line 1: passed Aug 26 18:38:33.026304: | certs and keys locked by 'process_secret' Aug 26 18:38:33.026310: | certs and keys unlocked by 'process_secret' Aug 26 18:38:33.026405: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:38:33.026416: | spent 0.64 milliseconds in whack Aug 26 18:38:33.113390: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:38:33.113418: listening for IKE messages Aug 26 18:38:33.113838: | Inspecting interface lo Aug 26 18:38:33.113847: | found lo with address 127.0.0.1 Aug 26 18:38:33.113850: | Inspecting interface eth0 Aug 26 18:38:33.113855: | found eth0 with address 192.0.2.254 Aug 26 18:38:33.113857: | Inspecting interface eth1 Aug 26 18:38:33.113861: | found eth1 with address 192.1.2.23 Aug 26 18:38:33.113925: | no interfaces to sort Aug 26 18:38:33.113936: | libevent_free: release ptr-libevent@0x561d8226e468 Aug 26 18:38:33.113939: | free_event_entry: release EVENT_NULL-pe@0x561d8227a148 Aug 26 18:38:33.113948: | add_fd_read_event_handler: new ethX-pe@0x561d8227a148 Aug 26 18:38:33.113951: | libevent_malloc: new ptr-libevent@0x561d8226e468 size 128 Aug 26 18:38:33.113959: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 18:38:33.113963: | libevent_free: release ptr-libevent@0x561d8220a2b8 Aug 26 18:38:33.113966: | free_event_entry: release EVENT_NULL-pe@0x561d8227a1f8 Aug 26 18:38:33.113969: | add_fd_read_event_handler: new ethX-pe@0x561d8227a1f8 Aug 26 18:38:33.113972: | libevent_malloc: new ptr-libevent@0x561d8220a2b8 size 128 Aug 26 18:38:33.113977: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 18:38:33.113981: | libevent_free: release 
ptr-libevent@0x561d8220c158 Aug 26 18:38:33.113984: | free_event_entry: release EVENT_NULL-pe@0x561d8227a2a8 Aug 26 18:38:33.113986: | add_fd_read_event_handler: new ethX-pe@0x561d8227a2a8 Aug 26 18:38:33.113989: | libevent_malloc: new ptr-libevent@0x561d8220c158 size 128 Aug 26 18:38:33.113994: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Aug 26 18:38:33.113998: | libevent_free: release ptr-libevent@0x561d822092a8 Aug 26 18:38:33.114001: | free_event_entry: release EVENT_NULL-pe@0x561d8227a358 Aug 26 18:38:33.114004: | add_fd_read_event_handler: new ethX-pe@0x561d8227a358 Aug 26 18:38:33.114006: | libevent_malloc: new ptr-libevent@0x561d822092a8 size 128 Aug 26 18:38:33.114011: | setup callback for interface eth0 192.0.2.254:500 fd 19 Aug 26 18:38:33.114015: | libevent_free: release ptr-libevent@0x561d821da4e8 Aug 26 18:38:33.114018: | free_event_entry: release EVENT_NULL-pe@0x561d8227a408 Aug 26 18:38:33.114021: | add_fd_read_event_handler: new ethX-pe@0x561d8227a408 Aug 26 18:38:33.114023: | libevent_malloc: new ptr-libevent@0x561d821da4e8 size 128 Aug 26 18:38:33.114028: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 18:38:33.114032: | libevent_free: release ptr-libevent@0x561d821da1d8 Aug 26 18:38:33.114035: | free_event_entry: release EVENT_NULL-pe@0x561d8227a4b8 Aug 26 18:38:33.114037: | add_fd_read_event_handler: new ethX-pe@0x561d8227a4b8 Aug 26 18:38:33.114040: | libevent_malloc: new ptr-libevent@0x561d821da1d8 size 128 Aug 26 18:38:33.114045: | setup callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 18:38:33.114048: | certs and keys locked by 'free_preshared_secrets' Aug 26 18:38:33.114050: forgetting secrets Aug 26 18:38:33.114060: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 18:38:33.114074: loading secrets from "/etc/ipsec.secrets" Aug 26 18:38:33.114080: | Processing PSK at line 1: passed Aug 26 18:38:33.114083: | certs and keys locked by 'process_secret' Aug 26 18:38:33.114086: | certs and keys 
unlocked by 'process_secret' Aug 26 18:38:33.114095: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:38:33.114102: | spent 0.725 milliseconds in whack Aug 26 18:38:33.114610: | processing signal PLUTO_SIGCHLD Aug 26 18:38:33.114638: | waitpid returned pid 8530 (exited with status 0) Aug 26 18:38:33.114644: | reaped addconn helper child (status 0) Aug 26 18:38:33.114649: | waitpid returned ECHILD (no child processes left) Aug 26 18:38:33.114655: | spent 0.0265 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:38:33.116964: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:38:33.117400: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 18:38:33.117411: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 18:38:33.117414: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 18:38:33.117416: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 18:38:33.117421: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 18:38:33.117462: | Added new connection eastnet-northnet with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO Aug 26 18:38:33.117520: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Aug 26 18:38:33.117531: | from whack: got --esp=aes_gcm Aug 26 18:38:33.117537: | ESP/AH string values: AES_GCM_16-NONE Aug 26 18:38:33.117541: | counting wild cards for (none) is 15 Aug 26 18:38:33.117546: | counting wild cards for 192.1.2.23 is 0 Aug 26 18:38:33.117552: | based upon policy, the connection is a template. 
Aug 26 18:38:33.117559: | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none Aug 26 18:38:33.117562: | new hp@0x561d8227c478 Aug 26 18:38:33.117566: added connection description "eastnet-northnet" Aug 26 18:38:33.117576: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO Aug 26 18:38:33.117585: | 192.0.2.0/24===192.1.2.23<192.1.2.23>...%any===192.0.3.0/24 Aug 26 18:38:33.117592: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:38:33.117599: | spent 0.63 milliseconds in whack Aug 26 18:38:35.124091: | spent 0.00282 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 18:38:35.124121: | *received 828 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500) Aug 26 18:38:35.124211: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Aug 26 18:38:35.124214: | **parse ISAKMP Message: Aug 26 18:38:35.124216: | initiator cookie: Aug 26 18:38:35.124217: | 8d 28 fa 2f 37 b2 de 6b Aug 26 18:38:35.124219: | responder cookie: Aug 26 18:38:35.124220: | 00 00 00 00 00 00 00 00 Aug 26 18:38:35.124222: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 18:38:35.124224: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:38:35.124226: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 18:38:35.124228: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 18:38:35.124229: | Message ID: 0 (0x0) Aug 26 18:38:35.124231: | length: 828 (0x33c) Aug 26 18:38:35.124233: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Aug 26 18:38:35.124235: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Aug 26 18:38:35.124238: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Aug 26 18:38:35.124243: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 18:38:35.124246: | ***parse IKEv2 Security Association Payload: Aug 26 18:38:35.124247: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 18:38:35.124249: | flags: none (0x0) Aug 26 18:38:35.124251: | 
length: 436 (0x1b4) Aug 26 18:38:35.124252: | processing payload: ISAKMP_NEXT_v2SA (len=432) Aug 26 18:38:35.124254: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 18:38:35.124256: | ***parse IKEv2 Key Exchange Payload: Aug 26 18:38:35.124258: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 18:38:35.124259: | flags: none (0x0) Aug 26 18:38:35.124261: | length: 264 (0x108) Aug 26 18:38:35.124262: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:38:35.124264: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 18:38:35.124265: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 18:38:35.124267: | ***parse IKEv2 Nonce Payload: Aug 26 18:38:35.124269: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:35.124270: | flags: none (0x0) Aug 26 18:38:35.124272: | length: 36 (0x24) Aug 26 18:38:35.124273: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 18:38:35.124275: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:38:35.124276: | ***parse IKEv2 Notify Payload: Aug 26 18:38:35.124278: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:35.124280: | flags: none (0x0) Aug 26 18:38:35.124281: | length: 8 (0x8) Aug 26 18:38:35.124283: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:35.124284: | SPI size: 0 (0x0) Aug 26 18:38:35.124286: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 18:38:35.124293: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 18:38:35.124297: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:38:35.124299: | ***parse IKEv2 Notify Payload: Aug 26 18:38:35.124300: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:35.124302: | flags: none (0x0) Aug 26 18:38:35.124303: | length: 28 (0x1c) Aug 26 18:38:35.124305: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:35.124306: | SPI size: 0 (0x0) Aug 26 18:38:35.124308: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 18:38:35.124310: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 
18:38:35.124311: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:38:35.124313: | ***parse IKEv2 Notify Payload: Aug 26 18:38:35.124314: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:35.124316: | flags: none (0x0) Aug 26 18:38:35.124317: | length: 28 (0x1c) Aug 26 18:38:35.124319: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:35.124320: | SPI size: 0 (0x0) Aug 26 18:38:35.124322: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 18:38:35.124324: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 18:38:35.124325: | DDOS disabled and no cookie sent, continuing Aug 26 18:38:35.124329: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 18:38:35.124332: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 18:38:35.124333: | find_next_host_connection returns empty Aug 26 18:38:35.124336: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 18:38:35.124339: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 18:38:35.124341: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 18:38:35.124343: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Aug 26 18:38:35.124345: | find_next_host_connection returns empty Aug 26 18:38:35.124347: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Aug 26 18:38:35.124350: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 18:38:35.124352: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 18:38:35.124354: | find_next_host_connection returns empty Aug 26 18:38:35.124356: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 18:38:35.124359: | find_host_pair: comparing 
192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 18:38:35.124361: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 18:38:35.124363: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Aug 26 18:38:35.124364: | find_next_host_connection returns empty Aug 26 18:38:35.124366: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Aug 26 18:38:35.124369: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 18:38:35.124371: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 18:38:35.124372: | find_next_host_connection returns empty Aug 26 18:38:35.124375: | find_host_connection local=192.1.2.23:500 remote= policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 18:38:35.124377: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 18:38:35.124379: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 18:38:35.124381: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Aug 26 18:38:35.124383: | find_next_host_connection returns eastnet-northnet Aug 26 18:38:35.124384: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 18:38:35.124386: | find_next_host_connection returns empty Aug 26 18:38:35.124389: | rw_instantiate Aug 26 18:38:35.124395: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@(nil): none Aug 26 18:38:35.124397: | new hp@0x561d8227e3d8 Aug 26 18:38:35.124402: | rw_instantiate() instantiated "eastnet-northnet"[1] 192.1.3.33 for 192.1.3.33 Aug 26 18:38:35.124404: | found connection: eastnet-northnet[1] 192.1.3.33 with policy PSK+IKEV2_ALLOW Aug 26 18:38:35.124407: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 18:38:35.124426: | creating state object #1 at 0x561d8227e928 Aug 26 18:38:35.124428: | State DB: 
adding IKEv2 state #1 in UNDEFINED Aug 26 18:38:35.124434: | pstats #1 ikev2.ike started Aug 26 18:38:35.124436: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Aug 26 18:38:35.124439: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Aug 26 18:38:35.124442: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Aug 26 18:38:35.124448: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 18:38:35.124451: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 18:38:35.124454: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33 (in ike_process_packet() at ikev2.c:2064) Aug 26 18:38:35.124456: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Aug 26 18:38:35.124459: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Aug 26 18:38:35.124462: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Aug 26 18:38:35.124463: | #1 in state PARENT_R0: processing SA_INIT request Aug 26 18:38:35.124465: | selected state microcode Respond to IKE_SA_INIT Aug 26 18:38:35.124467: | Now let's proceed with state specific processing Aug 26 18:38:35.124468: | calling processor Respond to IKE_SA_INIT Aug 26 18:38:35.124472: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 18:38:35.124475: | constructing local IKE proposals for eastnet-northnet (IKE SA responder matching remote proposals) Aug 26 18:38:35.124480: | converting ike_info 
AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:38:35.124485: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:38:35.124488: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:38:35.124491: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:38:35.124494: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:38:35.124497: | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:38:35.124500: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 18:38:35.124503: | ... 
ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:38:35.124510: "eastnet-northnet"[1] 192.1.3.33: constructed local IKE proposals for eastnet-northnet (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 18:38:35.124514: | Comparing remote proposals against IKE responder 4 local proposals Aug 26 18:38:35.124516: | local proposal 1 type ENCR has 1 transforms Aug 26 18:38:35.124518: | local proposal 1 type PRF has 2 transforms Aug 26 18:38:35.124520: | local proposal 1 type INTEG has 1 transforms Aug 26 18:38:35.124521: | local proposal 1 type DH has 8 transforms Aug 26 18:38:35.124523: | local proposal 1 type ESN has 0 transforms Aug 26 18:38:35.124525: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 18:38:35.124527: | local proposal 2 type ENCR has 1 transforms Aug 26 18:38:35.124528: | local proposal 2 type PRF has 2 transforms Aug 26 18:38:35.124530: | local proposal 2 type INTEG has 1 transforms Aug 26 18:38:35.124532: | local proposal 2 type DH has 8 transforms Aug 26 18:38:35.124533: | local proposal 2 type ESN has 0 transforms Aug 26 18:38:35.124535: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 18:38:35.124537: | local proposal 3 type ENCR 
has 1 transforms Aug 26 18:38:35.124538: | local proposal 3 type PRF has 2 transforms Aug 26 18:38:35.124540: | local proposal 3 type INTEG has 2 transforms Aug 26 18:38:35.124542: | local proposal 3 type DH has 8 transforms Aug 26 18:38:35.124543: | local proposal 3 type ESN has 0 transforms Aug 26 18:38:35.124545: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 18:38:35.124547: | local proposal 4 type ENCR has 1 transforms Aug 26 18:38:35.124548: | local proposal 4 type PRF has 2 transforms Aug 26 18:38:35.124550: | local proposal 4 type INTEG has 2 transforms Aug 26 18:38:35.124552: | local proposal 4 type DH has 8 transforms Aug 26 18:38:35.124553: | local proposal 4 type ESN has 0 transforms Aug 26 18:38:35.124555: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 18:38:35.124557: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:38:35.124559: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:38:35.124561: | length: 100 (0x64) Aug 26 18:38:35.124562: | prop #: 1 (0x1) Aug 26 18:38:35.124564: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:38:35.124566: | spi size: 0 (0x0) Aug 26 18:38:35.124567: | # transforms: 11 (0xb) Aug 26 18:38:35.124570: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Aug 26 18:38:35.124572: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124573: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124575: | length: 12 (0xc) Aug 26 18:38:35.124576: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:38:35.124578: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:38:35.124580: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:38:35.124582: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:38:35.124583: | length/value: 256 (0x100) Aug 26 18:38:35.124586: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 
18:38:35.124588: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124590: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124591: | length: 8 (0x8) Aug 26 18:38:35.124593: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:35.124594: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:38:35.124597: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Aug 26 18:38:35.124600: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Aug 26 18:38:35.124602: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Aug 26 18:38:35.124604: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Aug 26 18:38:35.124606: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124607: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124609: | length: 8 (0x8) Aug 26 18:38:35.124610: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:35.124612: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:38:35.124614: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124615: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124617: | length: 8 (0x8) Aug 26 18:38:35.124618: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124620: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:38:35.124622: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 18:38:35.124624: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Aug 26 18:38:35.124626: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Aug 26 18:38:35.124628: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Aug 26 18:38:35.124629: | *****parse IKEv2 
Transform Substructure Payload: Aug 26 18:38:35.124631: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124632: | length: 8 (0x8) Aug 26 18:38:35.124634: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124636: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:38:35.124637: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124639: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124640: | length: 8 (0x8) Aug 26 18:38:35.124642: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124644: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:38:35.124645: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124647: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124648: | length: 8 (0x8) Aug 26 18:38:35.124650: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124652: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:38:35.124653: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124655: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124656: | length: 8 (0x8) Aug 26 18:38:35.124658: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124660: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:38:35.124661: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124663: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124664: | length: 8 (0x8) Aug 26 18:38:35.124666: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124668: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 18:38:35.124669: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124671: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124672: | length: 8 (0x8) Aug 26 18:38:35.124674: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124675: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:38:35.124677: | *****parse IKEv2 Transform Substructure 
Payload: Aug 26 18:38:35.124679: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:38:35.124680: | length: 8 (0x8) Aug 26 18:38:35.124682: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124683: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:38:35.124686: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Aug 26 18:38:35.124690: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Aug 26 18:38:35.124691: | remote proposal 1 matches local proposal 1 Aug 26 18:38:35.124693: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:38:35.124695: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:38:35.124696: | length: 100 (0x64) Aug 26 18:38:35.124698: | prop #: 2 (0x2) Aug 26 18:38:35.124700: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:38:35.124701: | spi size: 0 (0x0) Aug 26 18:38:35.124703: | # transforms: 11 (0xb) Aug 26 18:38:35.124705: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:38:35.124706: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124708: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124710: | length: 12 (0xc) Aug 26 18:38:35.124711: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:38:35.124713: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:38:35.124714: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:38:35.124716: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:38:35.124718: | length/value: 128 (0x80) Aug 26 18:38:35.124719: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124721: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124722: | length: 8 (0x8) Aug 26 18:38:35.124724: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:35.124726: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:38:35.124727: | 
*****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124729: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124730: | length: 8 (0x8) Aug 26 18:38:35.124732: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:35.124734: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:38:35.124735: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124737: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124738: | length: 8 (0x8) Aug 26 18:38:35.124740: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124741: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:38:35.124743: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124745: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124746: | length: 8 (0x8) Aug 26 18:38:35.124748: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124749: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:38:35.124751: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124753: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124754: | length: 8 (0x8) Aug 26 18:38:35.124756: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124757: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:38:35.124759: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124760: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124762: | length: 8 (0x8) Aug 26 18:38:35.124763: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124765: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:38:35.124767: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124768: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124770: | length: 8 (0x8) Aug 26 18:38:35.124771: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124773: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:38:35.124775: | *****parse IKEv2 Transform 
Substructure Payload: Aug 26 18:38:35.124776: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124778: | length: 8 (0x8) Aug 26 18:38:35.124779: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124781: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 18:38:35.124782: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124786: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124788: | length: 8 (0x8) Aug 26 18:38:35.124790: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124791: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:38:35.124793: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124795: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:38:35.124796: | length: 8 (0x8) Aug 26 18:38:35.124798: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124799: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:38:35.124801: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Aug 26 18:38:35.124803: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Aug 26 18:38:35.124805: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:38:35.124807: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 18:38:35.124808: | length: 116 (0x74) Aug 26 18:38:35.124810: | prop #: 3 (0x3) Aug 26 18:38:35.124811: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:38:35.124813: | spi size: 0 (0x0) Aug 26 18:38:35.124814: | # transforms: 13 (0xd) Aug 26 18:38:35.124816: | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:38:35.124818: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124819: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124821: | length: 12 (0xc) Aug 26 18:38:35.124822: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:38:35.124824: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 
18:38:35.124826: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:38:35.124827: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:38:35.124829: | length/value: 256 (0x100) Aug 26 18:38:35.124831: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124832: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124834: | length: 8 (0x8) Aug 26 18:38:35.124835: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:35.124837: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:38:35.124838: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124840: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124842: | length: 8 (0x8) Aug 26 18:38:35.124843: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:35.124845: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:38:35.124846: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124848: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124850: | length: 8 (0x8) Aug 26 18:38:35.124853: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:38:35.124855: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 18:38:35.124858: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124860: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124862: | length: 8 (0x8) Aug 26 18:38:35.124864: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:38:35.124867: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:38:35.124870: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124873: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124874: | length: 8 (0x8) Aug 26 18:38:35.124876: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124877: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:38:35.124879: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124881: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 
18:38:35.124882: | length: 8 (0x8) Aug 26 18:38:35.124884: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124885: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:38:35.124887: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124888: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124890: | length: 8 (0x8) Aug 26 18:38:35.124894: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124895: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:38:35.124897: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124899: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124900: | length: 8 (0x8) Aug 26 18:38:35.124902: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124903: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:38:35.124905: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124907: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124908: | length: 8 (0x8) Aug 26 18:38:35.124910: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124911: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:38:35.124913: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124914: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124916: | length: 8 (0x8) Aug 26 18:38:35.124917: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124919: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 18:38:35.124921: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124922: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124924: | length: 8 (0x8) Aug 26 18:38:35.124925: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124927: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:38:35.124929: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124930: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:38:35.124932: | length: 
8 (0x8) Aug 26 18:38:35.124933: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.124935: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:38:35.124937: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 18:38:35.124939: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 18:38:35.124941: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 18:38:35.124943: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:38:35.124944: | length: 116 (0x74) Aug 26 18:38:35.124946: | prop #: 4 (0x4) Aug 26 18:38:35.124947: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:38:35.124949: | spi size: 0 (0x0) Aug 26 18:38:35.124950: | # transforms: 13 (0xd) Aug 26 18:38:35.124952: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 18:38:35.124954: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124955: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124957: | length: 12 (0xc) Aug 26 18:38:35.124958: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:38:35.124960: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 18:38:35.124962: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 18:38:35.124963: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:38:35.124965: | length/value: 128 (0x80) Aug 26 18:38:35.124967: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124968: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124970: | length: 8 (0x8) Aug 26 18:38:35.124971: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:35.124973: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:38:35.124974: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124976: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124978: | length: 8 (0x8) Aug 26 18:38:35.124979: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 
18:38:35.124981: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 18:38:35.124982: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124984: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124985: | length: 8 (0x8) Aug 26 18:38:35.124987: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:38:35.124990: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 18:38:35.124992: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.124993: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.124995: | length: 8 (0x8) Aug 26 18:38:35.124996: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 18:38:35.124998: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 18:38:35.124999: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.125001: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.125002: | length: 8 (0x8) Aug 26 18:38:35.125004: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.125006: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:38:35.125007: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.125009: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.125010: | length: 8 (0x8) Aug 26 18:38:35.125012: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.125014: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 18:38:35.125015: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.125017: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.125018: | length: 8 (0x8) Aug 26 18:38:35.125020: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.125021: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 18:38:35.125023: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.125025: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.125026: | length: 8 (0x8) Aug 26 18:38:35.125028: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.125029: | 
IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 18:38:35.125031: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.125032: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.125034: | length: 8 (0x8) Aug 26 18:38:35.125036: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.125037: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 18:38:35.125039: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.125040: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.125042: | length: 8 (0x8) Aug 26 18:38:35.125043: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.125045: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 18:38:35.125047: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.125048: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.125050: | length: 8 (0x8) Aug 26 18:38:35.125051: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.125053: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 18:38:35.125055: | *****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.125056: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:38:35.125058: | length: 8 (0x8) Aug 26 18:38:35.125059: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.125061: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 18:38:35.125063: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 18:38:35.125065: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 18:38:35.125069: "eastnet-northnet"[1] 192.1.3.33 #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Aug 26 18:38:35.125072: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Aug 26 18:38:35.125074: | converting proposal to internal trans attrs Aug 26 18:38:35.125077: | natd_hash: rcookie is zero Aug 26 18:38:35.125085: | natd_hash: hasher=0x561d81e30800(20) Aug 26 18:38:35.125088: | natd_hash: icookie= 8d 28 fa 2f 37 b2 de 6b Aug 26 18:38:35.125090: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 18:38:35.125092: | natd_hash: ip= c0 01 02 17 Aug 26 18:38:35.125094: | natd_hash: port=500 Aug 26 18:38:35.125097: | natd_hash: hash= 96 3b 13 e8 95 b2 f7 1f db ff 2b c7 32 e0 b1 ca Aug 26 18:38:35.125099: | natd_hash: hash= 95 fc 8e bc Aug 26 18:38:35.125102: | natd_hash: rcookie is zero Aug 26 18:38:35.125109: | natd_hash: hasher=0x561d81e30800(20) Aug 26 18:38:35.125112: | natd_hash: icookie= 8d 28 fa 2f 37 b2 de 6b Aug 26 18:38:35.125114: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 18:38:35.125117: | natd_hash: ip= c0 01 03 21 Aug 26 18:38:35.125119: | natd_hash: port=500 Aug 26 18:38:35.125121: | natd_hash: hash= 01 95 de 55 80 29 55 8a cf 12 20 40 4d 0e 54 13 Aug 26 18:38:35.125123: | natd_hash: hash= 7d 15 e4 f1 Aug 26 18:38:35.125126: | NAT_TRAVERSAL encaps using auto-detect Aug 26 18:38:35.125128: | NAT_TRAVERSAL this end is NOT behind NAT Aug 26 18:38:35.125130: | NAT_TRAVERSAL that end is NOT behind NAT Aug 26 18:38:35.125134: | NAT_TRAVERSAL 
nat-keepalive enabled 192.1.3.33 Aug 26 18:38:35.125139: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Aug 26 18:38:35.125142: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x561d8227e508 Aug 26 18:38:35.125146: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 18:38:35.125149: | libevent_malloc: new ptr-libevent@0x561d82280c88 size 128 Aug 26 18:38:35.125159: | #1 spent 0.687 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Aug 26 18:38:35.125167: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:38:35.125171: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Aug 26 18:38:35.125174: | suspending state #1 and saving MD Aug 26 18:38:35.125176: | #1 is busy; has a suspended MD Aug 26 18:38:35.125181: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 18:38:35.125186: | "eastnet-northnet"[1] 192.1.3.33 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 18:38:35.125191: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 18:38:35.125196: | #1 spent 1.09 milliseconds in ikev2_process_packet() Aug 26 18:38:35.125200: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Aug 26 18:38:35.125203: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 18:38:35.125206: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 18:38:35.125210: | spent 1.1 milliseconds in comm_handle_cb() reading and processing packet Aug 26 18:38:35.125220: | crypto helper 1 resuming Aug 26 18:38:35.125226: | crypto helper 1 starting work-order 1 for state #1 Aug 26 18:38:35.125229: | crypto 
helper 1 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Aug 26 18:38:35.125883: | crypto helper 1 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.000654 seconds Aug 26 18:38:35.125893: | (#1) spent 0.66 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Aug 26 18:38:35.125895: | crypto helper 1 sending results from work-order 1 for state #1 to event queue Aug 26 18:38:35.125897: | scheduling resume sending helper answer for #1 Aug 26 18:38:35.125901: | libevent_malloc: new ptr-libevent@0x7f4c5c002888 size 128 Aug 26 18:38:35.125908: | crypto helper 1 waiting (nothing to do) Aug 26 18:38:35.125917: | processing resume sending helper answer for #1 Aug 26 18:38:35.125941: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:797) Aug 26 18:38:35.125946: | crypto helper 1 replies to request ID 1 Aug 26 18:38:35.125949: | calling continuation function 0x561d81d5bb50 Aug 26 18:38:35.125952: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Aug 26 18:38:35.125981: | **emit ISAKMP Message: Aug 26 18:38:35.125984: | initiator cookie: Aug 26 18:38:35.125986: | 8d 28 fa 2f 37 b2 de 6b Aug 26 18:38:35.125989: | responder cookie: Aug 26 18:38:35.125991: | f1 aa 63 66 93 7e d2 d8 Aug 26 18:38:35.125994: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:38:35.125997: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:38:35.126000: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 18:38:35.126002: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 18:38:35.126005: | Message ID: 0 (0x0) Aug 26 18:38:35.126009: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:38:35.126012: | Emitting ikev2_proposal ... 
Aug 26 18:38:35.126014: | ***emit IKEv2 Security Association Payload: Aug 26 18:38:35.126017: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:35.126019: | flags: none (0x0) Aug 26 18:38:35.126023: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 18:38:35.126026: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 18:38:35.126029: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 18:38:35.126031: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:38:35.126034: | prop #: 1 (0x1) Aug 26 18:38:35.126036: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 18:38:35.126039: | spi size: 0 (0x0) Aug 26 18:38:35.126041: | # transforms: 3 (0x3) Aug 26 18:38:35.126044: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 18:38:35.126047: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:38:35.126049: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.126052: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:38:35.126055: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:38:35.126058: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:38:35.126060: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 18:38:35.126063: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:38:35.126066: | length/value: 256 (0x100) Aug 26 18:38:35.126069: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 18:38:35.126072: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:38:35.126074: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.126077: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 18:38:35.126079: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 18:38:35.126082: | last 
substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.126085: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:38:35.126088: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:38:35.126091: | *****emit IKEv2 Transform Substructure Payload: Aug 26 18:38:35.126093: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:38:35.126096: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 18:38:35.126098: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:38:35.126103: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.126106: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:38:35.126109: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:38:35.126112: | emitting length of IKEv2 Proposal Substructure Payload: 36 Aug 26 18:38:35.126114: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 18:38:35.126117: | emitting length of IKEv2 Security Association Payload: 40 Aug 26 18:38:35.126120: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 18:38:35.126123: | ***emit IKEv2 Key Exchange Payload: Aug 26 18:38:35.126126: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:35.126128: | flags: none (0x0) Aug 26 18:38:35.126131: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 18:38:35.126134: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 
18:38:35.126137: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 18:38:35.126140: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Aug 26 18:38:35.126182: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 18:38:35.126185: | ***emit IKEv2 Nonce Payload: Aug 26 18:38:35.126188: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:35.126190: | flags: none (0x0) Aug 26 18:38:35.126193: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Aug 26 18:38:35.126196: | next payload chain: setting previous
'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 18:38:35.126199: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 18:38:35.126202: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 18:38:35.126205: | IKEv2 nonce 28 b2 4f 05 a0 a9 c0 c2 bd 99 18 60 95 bb 3b 0c Aug 26 18:38:35.126207: | IKEv2 nonce 32 cd 17 85 2b 31 53 de ec ee a3 ab be 1a ce 68 Aug 26 18:38:35.126210: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 18:38:35.126213: | Adding a v2N Payload Aug 26 18:38:35.126215: | ***emit IKEv2 Notify Payload: Aug 26 18:38:35.126219: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:35.126222: | flags: none (0x0) Aug 26 18:38:35.126224: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:35.126227: | SPI size: 0 (0x0) Aug 26 18:38:35.126229: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 18:38:35.126233: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:38:35.126235: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:38:35.126238: | emitting length of IKEv2 Notify Payload: 8 Aug 26 18:38:35.126241: | NAT-Traversal support [enabled] add v2N payloads. 
Aug 26 18:38:35.126251: | natd_hash: hasher=0x561d81e30800(20) Aug 26 18:38:35.126253: | natd_hash: icookie= 8d 28 fa 2f 37 b2 de 6b Aug 26 18:38:35.126256: | natd_hash: rcookie= f1 aa 63 66 93 7e d2 d8 Aug 26 18:38:35.126259: | natd_hash: ip= c0 01 02 17 Aug 26 18:38:35.126261: | natd_hash: port=500 Aug 26 18:38:35.126264: | natd_hash: hash= a7 75 b3 2c 1f 59 ab f0 05 48 c2 36 66 55 5e 5f Aug 26 18:38:35.126266: | natd_hash: hash= 6a f4 8f 12 Aug 26 18:38:35.126268: | Adding a v2N Payload Aug 26 18:38:35.126271: | ***emit IKEv2 Notify Payload: Aug 26 18:38:35.126273: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:35.126276: | flags: none (0x0) Aug 26 18:38:35.126278: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:35.126281: | SPI size: 0 (0x0) Aug 26 18:38:35.126283: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 18:38:35.126286: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:38:35.126305: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:38:35.126308: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 18:38:35.126313: | Notify data a7 75 b3 2c 1f 59 ab f0 05 48 c2 36 66 55 5e 5f Aug 26 18:38:35.126316: | Notify data 6a f4 8f 12 Aug 26 18:38:35.126318: | emitting length of IKEv2 Notify Payload: 28 Aug 26 18:38:35.126340: | natd_hash: hasher=0x561d81e30800(20) Aug 26 18:38:35.126342: | natd_hash: icookie= 8d 28 fa 2f 37 b2 de 6b Aug 26 18:38:35.126345: | natd_hash: rcookie= f1 aa 63 66 93 7e d2 d8 Aug 26 18:38:35.126347: | natd_hash: ip= c0 01 03 21 Aug 26 18:38:35.126350: | natd_hash: port=500 Aug 26 18:38:35.126352: | natd_hash: hash= 70 91 fc d3 17 46 cf ba dd 77 5e ff 81 7d 80 cc Aug 26 18:38:35.126355: | natd_hash: hash= 02 56 a4 19 Aug 26 18:38:35.126357: | Adding a v2N Payload Aug 26 18:38:35.126359: | ***emit IKEv2 Notify Payload: Aug 26 
18:38:35.126362: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:35.126364: | flags: none (0x0) Aug 26 18:38:35.126367: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:35.126369: | SPI size: 0 (0x0) Aug 26 18:38:35.126372: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 18:38:35.126375: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:38:35.126378: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:38:35.126381: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 18:38:35.126383: | Notify data 70 91 fc d3 17 46 cf ba dd 77 5e ff 81 7d 80 cc Aug 26 18:38:35.126386: | Notify data 02 56 a4 19 Aug 26 18:38:35.126388: | emitting length of IKEv2 Notify Payload: 28 Aug 26 18:38:35.126391: | emitting length of ISAKMP Message: 432 Aug 26 18:38:35.126398: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:38:35.126402: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Aug 26 18:38:35.126404: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Aug 26 18:38:35.126409: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Aug 26 18:38:35.126413: | Message ID: updating counters for #1 to 0 after switching state Aug 26 18:38:35.126418: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Aug 26 18:38:35.126422: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Aug 26 18:38:35.126427: "eastnet-northnet"[1] 192.1.3.33 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a 
prf=HMAC_SHA2_512 group=MODP2048} Aug 26 18:38:35.126432: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Aug 26 18:38:35.126440: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Aug 26 18:38:35.126561: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 18:38:35.126566: | libevent_free: release ptr-libevent@0x561d82280c88 Aug 26 18:38:35.126570: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x561d8227e508 Aug 26 18:38:35.126573: | event_schedule: new EVENT_SO_DISCARD-pe@0x561d8227e508 Aug 26 18:38:35.126577: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Aug 26 18:38:35.126580: | libevent_malloc: new ptr-libevent@0x561d82281dd8 size 128 Aug 26 18:38:35.126584: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 18:38:35.126590: | #1 spent 0.618 milliseconds in resume sending helper answer Aug 26 18:38:35.126596: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:833) Aug 26 18:38:35.126599: | libevent_free: release ptr-libevent@0x7f4c5c002888 Aug 26 18:38:35.129114: | spent 0.00266 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 18:38:35.129139: | *received 245 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500) Aug 26
18:38:35.129185: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Aug 26 18:38:35.129188: | **parse ISAKMP Message: Aug 26 18:38:35.129191: | initiator cookie: Aug 26 18:38:35.129193: | 8d 28 fa 2f 37 b2 de 6b Aug 26 18:38:35.129196: | responder cookie: Aug 26 18:38:35.129198: | f1 aa 63 66 93 7e d2 d8 Aug 26 18:38:35.129201: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 18:38:35.129204: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:38:35.129206: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 18:38:35.129209: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 18:38:35.129212: | Message ID: 1 (0x1) Aug 26 18:38:35.129214: | length: 245 (0xf5) Aug 26 18:38:35.129217: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 18:38:35.129221: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 18:38:35.129224: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Aug 26 18:38:35.129232: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 18:38:35.129235: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 18:38:35.129242: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 18:38:35.129245: | #1 st.st_msgid_lastrecv 0
md.hdr.isa_msgid 00000001 Aug 26 18:38:35.129249: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Aug 26 18:38:35.129252: | unpacking clear payload Aug 26 18:38:35.129255: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 18:38:35.129258: | ***parse IKEv2 Encryption Payload: Aug 26 18:38:35.129260: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Aug 26 18:38:35.129263: | flags: none (0x0) Aug 26 18:38:35.129266: | length: 217 (0xd9) Aug 26 18:38:35.129268: | processing payload: ISAKMP_NEXT_v2SK (len=213) Aug 26 18:38:35.129273: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Aug 26 18:38:35.129276: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 18:38:35.129279: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 18:38:35.129282: | Now let's proceed with state specific processing Aug 26 18:38:35.129285: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 18:38:35.129292: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Aug 26 18:38:35.129299: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Aug 26 18:38:35.129304: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Aug 26 18:38:35.129307: | state #1 requesting EVENT_SO_DISCARD to be deleted Aug 26 18:38:35.129311: | libevent_free: release ptr-libevent@0x561d82281dd8 Aug 26 18:38:35.129314: | free_event_entry: release EVENT_SO_DISCARD-pe@0x561d8227e508 Aug 26 18:38:35.129318: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x561d8227e508 Aug 26 18:38:35.129321: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 18:38:35.129324: | libevent_malloc: new ptr-libevent@0x7f4c5c002888 size 128 Aug 26 18:38:35.129336: | #1 spent 0.0425 milliseconds in processing: Responder: process IKE_AUTH 
request (no SKEYSEED) in ikev2_process_state_packet() Aug 26 18:38:35.129342: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:38:35.129340: | crypto helper 3 resuming Aug 26 18:38:35.129350: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Aug 26 18:38:35.129357: | crypto helper 3 starting work-order 2 for state #1 Aug 26 18:38:35.129363: | suspending state #1 and saving MD Aug 26 18:38:35.129369: | crypto helper 3 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Aug 26 18:38:35.129374: | #1 is busy; has a suspended MD Aug 26 18:38:35.129384: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 18:38:35.129389: | "eastnet-northnet"[1] 192.1.3.33 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 18:38:35.129394: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 18:38:35.129399: | #1 spent 0.26 milliseconds in ikev2_process_packet() Aug 26 18:38:35.129403: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Aug 26 18:38:35.129406: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 18:38:35.129409: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 18:38:35.129413: | spent 0.274 milliseconds in comm_handle_cb() reading and processing packet Aug 26 18:38:35.130198: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Aug 26 18:38:35.130474: | crypto helper 3 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001105 seconds Aug 26 18:38:35.130483: | (#1) spent 1.1 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Aug 26 
18:38:35.130485: | crypto helper 3 sending results from work-order 2 for state #1 to event queue Aug 26 18:38:35.130487: | scheduling resume sending helper answer for #1 Aug 26 18:38:35.130490: | libevent_malloc: new ptr-libevent@0x7f4c54000f48 size 128 Aug 26 18:38:35.130496: | crypto helper 3 waiting (nothing to do) Aug 26 18:38:35.130502: | processing resume sending helper answer for #1 Aug 26 18:38:35.130512: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:797) Aug 26 18:38:35.130516: | crypto helper 3 replies to request ID 2 Aug 26 18:38:35.130519: | calling continuation function 0x561d81d5bb50 Aug 26 18:38:35.130522: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Aug 26 18:38:35.130525: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 18:38:35.130537: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Aug 26 18:38:35.130540: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Aug 26 18:38:35.130543: | **parse IKEv2 Identification - Initiator - Payload: Aug 26 18:38:35.130546: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Aug 26 18:38:35.130549: | flags: none (0x0) Aug 26 18:38:35.130551: | length: 12 (0xc) Aug 26 18:38:35.130554: | ID type: ID_IPV4_ADDR (0x1) Aug 26 18:38:35.130557: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Aug 26 18:38:35.130562: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Aug 26 18:38:35.130565: | **parse IKEv2 Authentication Payload: Aug 26 18:38:35.130568: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 18:38:35.130570: | flags: none (0x0) Aug 26 18:38:35.130573: | length: 72 (0x48) Aug 26 18:38:35.130576: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 18:38:35.130578: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Aug 26 18:38:35.130581: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 18:38:35.130583: | **parse IKEv2 Security Association Payload: Aug 26 18:38:35.130586: | next payload type: 
ISAKMP_NEXT_v2TSi (0x2c) Aug 26 18:38:35.130589: | flags: none (0x0) Aug 26 18:38:35.130591: | length: 48 (0x30) Aug 26 18:38:35.130594: | processing payload: ISAKMP_NEXT_v2SA (len=44) Aug 26 18:38:35.130596: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 18:38:35.130599: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 18:38:35.130602: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 18:38:35.130604: | flags: none (0x0) Aug 26 18:38:35.130607: | length: 24 (0x18) Aug 26 18:38:35.130609: | number of TS: 1 (0x1) Aug 26 18:38:35.130612: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Aug 26 18:38:35.130614: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 18:38:35.130617: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 18:38:35.130620: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:35.130622: | flags: none (0x0) Aug 26 18:38:35.130625: | length: 24 (0x18) Aug 26 18:38:35.130627: | number of TS: 1 (0x1) Aug 26 18:38:35.130630: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Aug 26 18:38:35.130632: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:38:35.130635: | **parse IKEv2 Notify Payload: Aug 26 18:38:35.130638: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:35.130640: | flags: none (0x0) Aug 26 18:38:35.130643: | length: 8 (0x8) Aug 26 18:38:35.130645: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:35.130648: | SPI size: 0 (0x0) Aug 26 18:38:35.130651: | Notify Message Type: v2N_MOBIKE_SUPPORTED (0x400c) Aug 26 18:38:35.130653: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 18:38:35.130656: | selected state microcode Responder: process IKE_AUTH request Aug 26 18:38:35.130658: | Now let's proceed with state specific processing Aug 26 18:38:35.130661: | calling processor Responder: process IKE_AUTH request Aug 26 18:38:35.130668: "eastnet-northnet"[1] 192.1.3.33 #1: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr,N} Aug 26 18:38:35.130674: | #1 
updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 18:38:35.130677: | parsing 4 raw bytes of IKEv2 Identification - Initiator - Payload into peer ID Aug 26 18:38:35.130680: | peer ID c0 01 03 21 Aug 26 18:38:35.130685: | refine_host_connection for IKEv2: starting with "eastnet-northnet"[1] 192.1.3.33 Aug 26 18:38:35.130691: | match_id a=192.1.3.33 Aug 26 18:38:35.130693: | b=192.1.3.33 Aug 26 18:38:35.130696: | results matched Aug 26 18:38:35.130702: | refine_host_connection: checking "eastnet-northnet"[1] 192.1.3.33 against "eastnet-northnet"[1] 192.1.3.33, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Aug 26 18:38:35.130704: | Warning: not switching back to template of current instance Aug 26 18:38:35.130707: | No IDr payload received from peer Aug 26 18:38:35.130712: | refine_host_connection: checked eastnet-northnet[1] 192.1.3.33 against eastnet-northnet[1] 192.1.3.33, now for see if best Aug 26 18:38:35.130717: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 18:38:35.130720: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 18:38:35.130725: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Aug 26 18:38:35.130729: | 1: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 18:38:35.130732: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 18:38:35.130736: | line 1: match=002 Aug 26 18:38:35.130739: | match 002 beats previous best_match 000 match=0x561d821d5c48 (line=1) Aug 26 18:38:35.130742: | concluding with best_match=002 best=0x561d821d5c48 (lineno=1) Aug 26 18:38:35.130745: | returning because exact peer id match Aug 26 18:38:35.130748: | offered CA: '%none' Aug 26 18:38:35.130753: "eastnet-northnet"[1] 192.1.3.33 #1: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.1.3.33' Aug 26 18:38:35.130756: | received v2N_MOBIKE_SUPPORTED while it did not sent Aug 26 18:38:35.130775: | verifying AUTH 
payload Aug 26 18:38:35.130780: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret Aug 26 18:38:35.130784: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 18:38:35.130788: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 18:38:35.130792: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Aug 26 18:38:35.130795: | 1: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 18:38:35.130798: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 18:38:35.130801: | line 1: match=002 Aug 26 18:38:35.130804: | match 002 beats previous best_match 000 match=0x561d821d5c48 (line=1) Aug 26 18:38:35.130807: | concluding with best_match=002 best=0x561d821d5c48 (lineno=1) Aug 26 18:38:35.130868: "eastnet-northnet"[1] 192.1.3.33 #1: Authenticated using authby=secret Aug 26 18:38:35.130873: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Aug 26 18:38:35.130877: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Aug 26 18:38:35.130880: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 18:38:35.130884: | libevent_free: release ptr-libevent@0x7f4c5c002888 Aug 26 18:38:35.130887: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x561d8227e508 Aug 26 18:38:35.130890: | event_schedule: new EVENT_SA_REKEY-pe@0x561d8227e508 Aug 26 18:38:35.130894: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Aug 26 18:38:35.130897: | libevent_malloc: new ptr-libevent@0x561d82280e98 size 128 Aug 26 18:38:35.130981: | pstats #1 ikev2.ike established Aug 26 18:38:35.130989: | **emit ISAKMP Message: Aug 26 18:38:35.130992: | initiator cookie: Aug 26 18:38:35.130994: | 8d 28 fa 2f 37 b2 de 6b Aug 26 18:38:35.130997: | responder cookie: Aug 26 18:38:35.130999: | f1 aa 63 66 93 7e d2 d8 Aug 26 18:38:35.131002: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:38:35.131005: | ISAKMP 
version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:38:35.131007: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 18:38:35.131010: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 18:38:35.131013: | Message ID: 1 (0x1) Aug 26 18:38:35.131016: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:38:35.131019: | IKEv2 CERT: send a certificate? Aug 26 18:38:35.131022: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Aug 26 18:38:35.131025: | ***emit IKEv2 Encryption Payload: Aug 26 18:38:35.131028: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:35.131030: | flags: none (0x0) Aug 26 18:38:35.131033: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:38:35.131037: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 18:38:35.131040: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:38:35.131049: | Adding a v2N Payload Aug 26 18:38:35.131051: | ****emit IKEv2 Notify Payload: Aug 26 18:38:35.131054: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:35.131057: | flags: none (0x0) Aug 26 18:38:35.131059: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:35.131062: | SPI size: 0 (0x0) Aug 26 18:38:35.131065: | Notify Message Type: v2N_MOBIKE_SUPPORTED (0x400c) Aug 26 18:38:35.131070: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:38:35.131073: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 18:38:35.131076: | emitting length of IKEv2 Notify Payload: 8 Aug 26 18:38:35.131079: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 18:38:35.131091: | ****emit IKEv2 Identification - Responder - Payload: Aug 26 18:38:35.131095: | next payload type: 
ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:35.131097: | flags: none (0x0) Aug 26 18:38:35.131100: | ID type: ID_IPV4_ADDR (0x1) Aug 26 18:38:35.131103: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Aug 26 18:38:35.131106: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 18:38:35.131110: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Aug 26 18:38:35.131112: | my identity c0 01 02 17 Aug 26 18:38:35.131115: | emitting length of IKEv2 Identification - Responder - Payload: 12 Aug 26 18:38:35.131123: | assembled IDr payload Aug 26 18:38:35.131125: | CHILD SA proposals received Aug 26 18:38:35.131127: | going to assemble AUTH payload Aug 26 18:38:35.131130: | ****emit IKEv2 Authentication Payload: Aug 26 18:38:35.131133: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 18:38:35.131135: | flags: none (0x0) Aug 26 18:38:35.131138: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 18:38:35.131141: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Aug 26 18:38:35.131145: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Aug 26 18:38:35.131147: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Aug 26 18:38:35.131151: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Aug 26 18:38:35.131155: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 18:38:35.131160: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 18:38:35.131164: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Aug 26 18:38:35.131168: | 1: compared key 
(none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 18:38:35.131171: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 18:38:35.131173: | line 1: match=002 Aug 26 18:38:35.131176: | match 002 beats previous best_match 000 match=0x561d821d5c48 (line=1) Aug 26 18:38:35.131179: | concluding with best_match=002 best=0x561d821d5c48 (lineno=1) Aug 26 18:38:35.131234: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Aug 26 18:38:35.131237: | PSK auth 3f 3c 96 5a c9 f6 d0 93 1e 43 ce d7 c5 77 c9 47 Aug 26 18:38:35.131240: | PSK auth 04 12 be dc ce 1c af af 7a 04 9e 7b 87 f1 4f 17 Aug 26 18:38:35.131243: | PSK auth be ae 6e 4a bd 1e 21 0d 32 77 26 62 16 08 02 b6 Aug 26 18:38:35.131245: | PSK auth 8e 93 df 88 b0 e1 7d 4c b1 45 45 74 b6 54 d7 97 Aug 26 18:38:35.131248: | emitting length of IKEv2 Authentication Payload: 72 Aug 26 18:38:35.131255: | creating state object #2 at 0x561d82282e68 Aug 26 18:38:35.131258: | State DB: adding IKEv2 state #2 in UNDEFINED Aug 26 18:38:35.131263: | pstats #2 ikev2.child started Aug 26 18:38:35.131267: | duplicating state object #1 "eastnet-northnet"[1] 192.1.3.33 as #2 for IPSEC SA Aug 26 18:38:35.131272: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 18:38:35.131278: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 18:38:35.131283: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Aug 26 18:38:35.131301: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Aug 26 18:38:35.131307: | Child SA TS Request has ike->sa == md->st; so using parent connection Aug 26 18:38:35.131310: | TSi: parsing 1 traffic selectors Aug 26 
18:38:35.131313: | ***parse IKEv2 Traffic Selector: Aug 26 18:38:35.131316: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:38:35.131318: | IP Protocol ID: 0 (0x0) Aug 26 18:38:35.131321: | length: 16 (0x10) Aug 26 18:38:35.131323: | start port: 0 (0x0) Aug 26 18:38:35.131326: | end port: 65535 (0xffff) Aug 26 18:38:35.131329: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 18:38:35.131331: | TS low c0 00 03 00 Aug 26 18:38:35.131334: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 18:38:35.131336: | TS high c0 00 03 ff Aug 26 18:38:35.131339: | TSi: parsed 1 traffic selectors Aug 26 18:38:35.131342: | TSr: parsing 1 traffic selectors Aug 26 18:38:35.131344: | ***parse IKEv2 Traffic Selector: Aug 26 18:38:35.131347: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:38:35.131350: | IP Protocol ID: 0 (0x0) Aug 26 18:38:35.131352: | length: 16 (0x10) Aug 26 18:38:35.131355: | start port: 0 (0x0) Aug 26 18:38:35.131357: | end port: 65535 (0xffff) Aug 26 18:38:35.131360: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 18:38:35.131362: | TS low c0 00 02 00 Aug 26 18:38:35.131365: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 18:38:35.131367: | TS high c0 00 02 ff Aug 26 18:38:35.131370: | TSr: parsed 1 traffic selectors Aug 26 18:38:35.131372: | looking for best SPD in current connection Aug 26 18:38:35.131379: | evaluating our conn="eastnet-northnet"[1] 192.1.3.33 I=192.0.3.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 18:38:35.131385: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:38:35.131391: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 18:38:35.131395: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 18:38:35.131397: | TSi[0] port match: YES fitness 65536 Aug 26 18:38:35.131400: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 18:38:35.131404: | match end->protocol=*0 == 
TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 18:38:35.131408: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:38:35.131414: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 18:38:35.131417: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 18:38:35.131420: | TSr[0] port match: YES fitness 65536 Aug 26 18:38:35.131423: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 18:38:35.131426: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 18:38:35.131428: | best fit so far: TSi[0] TSr[0] Aug 26 18:38:35.131431: | found better spd route for TSi[0],TSr[0] Aug 26 18:38:35.131434: | looking for better host pair Aug 26 18:38:35.131439: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Aug 26 18:38:35.131444: | checking hostpair 192.0.2.0/24 -> 192.0.3.0/24 is found Aug 26 18:38:35.131446: | investigating connection "eastnet-northnet" as a better match Aug 26 18:38:35.131451: | match_id a=192.1.3.33 Aug 26 18:38:35.131453: | b=192.1.3.33 Aug 26 18:38:35.131456: | results matched Aug 26 18:38:35.131462: | evaluating our conn="eastnet-northnet"[1] 192.1.3.33 I=192.0.3.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 18:38:35.131466: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:38:35.131472: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 18:38:35.131477: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 18:38:35.131480: | TSi[0] port match: YES fitness 65536 Aug 26 18:38:35.131483: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 18:38:35.131486: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 18:38:35.131490: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 18:38:35.131496: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 18:38:35.131499: | 
narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 18:38:35.131502: | TSr[0] port match: YES fitness 65536 Aug 26 18:38:35.131505: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 18:38:35.131508: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 18:38:35.131510: | best fit so far: TSi[0] TSr[0] Aug 26 18:38:35.131525: | did not find a better connection using host pair Aug 26 18:38:35.131528: | printing contents struct traffic_selector Aug 26 18:38:35.131531: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 18:38:35.131533: | ipprotoid: 0 Aug 26 18:38:35.131535: | port range: 0-65535 Aug 26 18:38:35.131539: | ip range: 192.0.2.0-192.0.2.255 Aug 26 18:38:35.131542: | printing contents struct traffic_selector Aug 26 18:38:35.131544: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 18:38:35.131546: | ipprotoid: 0 Aug 26 18:38:35.131549: | port range: 0-65535 Aug 26 18:38:35.131552: | ip range: 192.0.3.0-192.0.3.255 Aug 26 18:38:35.131557: | constructing ESP/AH proposals with all DH removed for eastnet-northnet (IKE_AUTH responder matching remote ESP/AH proposals) Aug 26 18:38:35.131561: | converting proposal AES_GCM_16-NONE to ikev2 ... Aug 26 18:38:35.131564: | forcing IKEv2 PROTO_v2_ESP aes_gcm_16 ENCRYPT transform low-to-high key lengths: 128 256 Aug 26 18:38:35.131570: | ... 
ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_128,AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 18:38:35.131576: "eastnet-northnet"[1] 192.1.3.33: constructed local ESP/AH proposals for eastnet-northnet (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_128,AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 18:38:35.131579: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 1 local proposals Aug 26 18:38:35.131584: | local proposal 1 type ENCR has 2 transforms Aug 26 18:38:35.131587: | local proposal 1 type PRF has 0 transforms Aug 26 18:38:35.131590: | local proposal 1 type INTEG has 1 transforms Aug 26 18:38:35.131592: | local proposal 1 type DH has 1 transforms Aug 26 18:38:35.131595: | local proposal 1 type ESN has 1 transforms Aug 26 18:38:35.131598: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 18:38:35.131601: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 18:38:35.131604: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:38:35.131607: | length: 44 (0x2c) Aug 26 18:38:35.131609: | prop #: 1 (0x1) Aug 26 18:38:35.131612: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:38:35.131614: | spi size: 4 (0x4) Aug 26 18:38:35.131617: | # transforms: 3 (0x3) Aug 26 18:38:35.131620: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 18:38:35.131623: | remote SPI 78 5d a9 86 Aug 26 18:38:35.131626: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 1 local proposals Aug 26 18:38:35.131629: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.131631: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.131634: | length: 12 (0xc) Aug 26 18:38:35.131636: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:38:35.131639: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:38:35.131642: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 18:38:35.131645: | af+type: 
AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:38:35.131647: | length/value: 128 (0x80) Aug 26 18:38:35.131651: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_128) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 18:38:35.131656: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.131658: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.131661: | length: 12 (0xc) Aug 26 18:38:35.131663: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:38:35.131666: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:38:35.131668: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 18:38:35.131671: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:38:35.131673: | length/value: 256 (0x100) Aug 26 18:38:35.131676: | ****parse IKEv2 Transform Substructure Payload: Aug 26 18:38:35.131679: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:38:35.131681: | length: 8 (0x8) Aug 26 18:38:35.131684: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:38:35.131687: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:38:35.131690: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 18:38:35.131694: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Aug 26 18:38:35.131698: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Aug 26 18:38:35.131701: | remote proposal 1 matches local proposal 1 Aug 26 18:38:35.131707: "eastnet-northnet"[1] 192.1.3.33 #1: proposal 1:ESP:SPI=785da986;ENCR=AES_GCM_C_128;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_128;ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] Aug 26 18:38:35.131712: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=785da986;ENCR=AES_GCM_C_128;ESN=DISABLED Aug 26 18:38:35.131714: | converting proposal to internal trans attrs Aug 26 18:38:35.131731: | netlink_get_spi: allocated 0x2d556a18 
for esp.0@192.1.2.23 Aug 26 18:38:35.131734: | Emitting ikev2_proposal ... Aug 26 18:38:35.131737: | ****emit IKEv2 Security Association Payload: Aug 26 18:38:35.131740: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:35.131742: | flags: none (0x0) Aug 26 18:38:35.131746: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 18:38:35.131749: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 18:38:35.131752: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 18:38:35.131754: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 18:38:35.131757: | prop #: 1 (0x1) Aug 26 18:38:35.131759: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 18:38:35.131762: | spi size: 4 (0x4) Aug 26 18:38:35.131764: | # transforms: 2 (0x2) Aug 26 18:38:35.131767: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 18:38:35.131770: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 18:38:35.131773: | our spi 2d 55 6a 18 Aug 26 18:38:35.131775: | ******emit IKEv2 Transform Substructure Payload: Aug 26 18:38:35.131778: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.131780: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 18:38:35.131783: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 18:38:35.131786: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:38:35.131789: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 18:38:35.131791: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 18:38:35.131794: | length/value: 128 (0x80) Aug 26 18:38:35.131797: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 18:38:35.131799: | ******emit IKEv2 Transform Substructure Payload: Aug 
26 18:38:35.131802: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 18:38:35.131805: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 18:38:35.131808: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 18:38:35.131812: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 18:38:35.131815: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 18:38:35.131817: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 18:38:35.131820: | emitting length of IKEv2 Proposal Substructure Payload: 32 Aug 26 18:38:35.131823: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 18:38:35.131825: | emitting length of IKEv2 Security Association Payload: 36 Aug 26 18:38:35.131828: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 18:38:35.131831: | received v2N_MOBIKE_SUPPORTED Aug 26 18:38:35.131834: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 18:38:35.131837: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:35.131839: | flags: none (0x0) Aug 26 18:38:35.131842: | number of TS: 1 (0x1) Aug 26 18:38:35.131845: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 18:38:35.131848: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 18:38:35.131850: | *****emit IKEv2 Traffic Selector: Aug 26 18:38:35.131853: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:38:35.131856: | IP Protocol ID: 0 (0x0) Aug 26 18:38:35.131858: | start port: 0 (0x0) Aug 26 18:38:35.131860: | end port: 65535 
(0xffff) Aug 26 18:38:35.131864: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 18:38:35.131866: | ipv4 start c0 00 03 00 Aug 26 18:38:35.131869: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 18:38:35.131871: | ipv4 end c0 00 03 ff Aug 26 18:38:35.131874: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 18:38:35.131876: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 18:38:35.131879: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 18:38:35.131881: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:35.131884: | flags: none (0x0) Aug 26 18:38:35.131886: | number of TS: 1 (0x1) Aug 26 18:38:35.131890: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 18:38:35.131892: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 18:38:35.131895: | *****emit IKEv2 Traffic Selector: Aug 26 18:38:35.131898: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 18:38:35.131900: | IP Protocol ID: 0 (0x0) Aug 26 18:38:35.131902: | start port: 0 (0x0) Aug 26 18:38:35.131905: | end port: 65535 (0xffff) Aug 26 18:38:35.131908: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 18:38:35.131910: | ipv4 start c0 00 02 00 Aug 26 18:38:35.131913: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 18:38:35.131915: | ipv4 end c0 00 02 ff Aug 26 18:38:35.131918: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 18:38:35.131920: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 18:38:35.131923: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 18:38:35.131927: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=16 .salt_size=4 keymat_len=20 Aug 26 18:38:35.132022: | 
FOR_EACH_CONNECTION_... in ISAKMP_SA_established Aug 26 18:38:35.132029: | #1 spent 1.34 milliseconds Aug 26 18:38:35.132032: | install_ipsec_sa() for #2: inbound and outbound Aug 26 18:38:35.132035: | could_route called for eastnet-northnet (kind=CK_INSTANCE) Aug 26 18:38:35.132041: | FOR_EACH_CONNECTION_... in route_owner Aug 26 18:38:35.132045: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 18:38:35.132047: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 18:38:35.132050: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 18:38:35.132053: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 18:38:35.132058: | route owner of "eastnet-northnet"[1] 192.1.3.33 unrouted: NULL; eroute owner: NULL Aug 26 18:38:35.132061: | looking for alg with encrypt: AES_GCM_16 keylen: 128 integ: NONE Aug 26 18:38:35.132065: | encrypt AES_GCM_16 keylen=128 transid=20, key_size=16, encryptalg=20 Aug 26 18:38:35.132067: | AES_GCM_16 requires 4 salt bytes Aug 26 18:38:35.132070: | st->st_esp.keymat_len=20 is encrypt_keymat_size=20 + integ_keymat_size=0 Aug 26 18:38:35.132074: | setting IPsec SA replay-window to 32 Aug 26 18:38:35.132077: | NIC esp-hw-offload not for connection 'eastnet-northnet' not available on interface eth1 Aug 26 18:38:35.132080: | netlink: enabling tunnel mode Aug 26 18:38:35.132083: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 18:38:35.132086: | netlink: esp-hw-offload not set for IPsec SA Aug 26 18:38:35.132163: | netlink response for Add SA esp.785da986@192.1.3.33 included non-error error Aug 26 18:38:35.132168: | set up outgoing SA, ref=0/0 Aug 26 18:38:35.132171: | looking for alg with encrypt: AES_GCM_16 keylen: 128 integ: NONE Aug 26 18:38:35.132174: | encrypt AES_GCM_16 keylen=128 transid=20, key_size=16, encryptalg=20 Aug 26 18:38:35.132177: | AES_GCM_16 requires 4 salt bytes Aug 26 18:38:35.132180: | st->st_esp.keymat_len=20 is encrypt_keymat_size=20 + integ_keymat_size=0 Aug 26 
18:38:35.132183: | setting IPsec SA replay-window to 32 Aug 26 18:38:35.132186: | NIC esp-hw-offload not for connection 'eastnet-northnet' not available on interface eth1 Aug 26 18:38:35.132189: | netlink: enabling tunnel mode Aug 26 18:38:35.132191: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 18:38:35.132194: | netlink: esp-hw-offload not set for IPsec SA Aug 26 18:38:35.132227: | netlink response for Add SA esp.2d556a18@192.1.2.23 included non-error error Aug 26 18:38:35.132232: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 18:38:35.132238: | add inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Aug 26 18:38:35.132242: | IPsec Sa SPD priority set to 1042407 Aug 26 18:38:35.132266: | raw_eroute result=success Aug 26 18:38:35.132269: | set up incoming SA, ref=0/0 Aug 26 18:38:35.132272: | sr for #2: unrouted Aug 26 18:38:35.132275: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 18:38:35.132278: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 18:38:35.132281: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 18:38:35.132284: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 18:38:35.132286: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 18:38:35.132296: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 18:38:35.132301: | route owner of "eastnet-northnet"[1] 192.1.3.33 unrouted: NULL; eroute owner: NULL Aug 26 18:38:35.132304: | route_and_eroute with c: eastnet-northnet (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Aug 26 18:38:35.132308: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 18:38:35.132314: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33 (raw_eroute) Aug 26 18:38:35.132317: | IPsec Sa SPD priority set to 1042407 Aug 26 18:38:35.132329: | raw_eroute result=success Aug 26 18:38:35.132332: | running updown command "ipsec _updown" for verb up Aug 26 18:38:35.132335: | command executing up-client Aug 26 18:38:35.132362: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' 
PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI Aug 26 18:38:35.132369: | popen cmd is 1048 chars long Aug 26 18:38:35.132372: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' P: Aug 26 18:38:35.132375: | cmd( 80):LUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY: Aug 26 18:38:35.132378: | cmd( 160):_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' : Aug 26 18:38:35.132380: | cmd( 240):PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLU: Aug 26 18:38:35.132383: | cmd( 320):TO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='1: Aug 26 18:38:35.132386: | cmd( 400):92.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PL: Aug 26 18:38:35.132388: | cmd( 480):UTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0': Aug 26 18:38:35.132391: | cmd( 560): PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+: Aug 26 18:38:35.132394: | cmd( 640):ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_C: Aug 26 18:38:35.132397: | cmd( 720):ONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER: Aug 26 18:38:35.132399: | cmd( 800):_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='': Aug 26 18:38:35.132402: | cmd( 880): PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' : Aug 26 18:38:35.132405: | cmd( 960):VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x785da986 SPI_OUT=0x2d556a18 ipsec _upd: Aug 26 18:38:35.132407: | cmd(1040):own 2>&1: Aug 26 18:38:35.141670: | route_and_eroute: firewall_notified: true Aug 26 18:38:35.141693: | running updown command "ipsec _updown" for verb prepare Aug 26 18:38:35.141697: | command executing prepare-client Aug 26 18:38:35.141727: | executing prepare-client: 
PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARE Aug 26 18:38:35.141732: | popen cmd is 1053 chars long Aug 26 18:38:35.141735: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northn: Aug 26 18:38:35.141737: | cmd( 80):et' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLU: Aug 26 18:38:35.141740: | cmd( 160):TO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.: Aug 26 18:38:35.141745: | cmd( 240):2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0: Aug 26 18:38:35.141748: | cmd( 320):' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_: Aug 26 18:38:35.141750: | cmd( 400):ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.: Aug 26 18:38:35.141752: | cmd( 480):0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCO: Aug 26 18:38:35.141755: | cmd( 560):L='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY=: Aug 26 
18:38:35.141757: | cmd( 640):'PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PL: Aug 26 18:38:35.141759: | cmd( 720):UTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS: Aug 26 18:38:35.141761: | cmd( 800):_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANN: Aug 26 18:38:35.141764: | cmd( 880):ER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFAC: Aug 26 18:38:35.141766: | cmd( 960):E='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x785da986 SPI_OUT=0x2d556a18 ipsec: Aug 26 18:38:35.141768: | cmd(1040): _updown 2>&1: Aug 26 18:38:35.152077: | running updown command "ipsec _updown" for verb route Aug 26 18:38:35.152098: | command executing route-client Aug 26 18:38:35.152132: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='n Aug 26 18:38:35.152137: | popen cmd is 1051 chars long Aug 26 18:38:35.152140: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet: Aug 26 
18:38:35.152143: | cmd( 80):' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO: Aug 26 18:38:35.152146: | cmd( 160):_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.: Aug 26 18:38:35.152149: | cmd( 240):0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' : Aug 26 18:38:35.152151: | cmd( 320):PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID: Aug 26 18:38:35.152154: | cmd( 400):='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0': Aug 26 18:38:35.152157: | cmd( 480): PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=: Aug 26 18:38:35.152159: | cmd( 560):'0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='P: Aug 26 18:38:35.152162: | cmd( 640):SK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUT: Aug 26 18:38:35.152165: | cmd( 720):O_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_P: Aug 26 18:38:35.152167: | cmd( 800):EER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER: Aug 26 18:38:35.152170: | cmd( 880):='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE=: Aug 26 18:38:35.152172: | cmd( 960):'' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x785da986 SPI_OUT=0x2d556a18 ipsec _: Aug 26 18:38:35.152175: | cmd(1040):updown 2>&1: Aug 26 18:38:35.164852: | route_and_eroute: instance "eastnet-northnet"[1] 192.1.3.33, setting eroute_owner {spd=0x561d8227de28,sr=0x561d8227de28} to #2 (was #0) (newest_ipsec_sa=#0) Aug 26 18:38:35.164955: | #1 spent 1.89 milliseconds in install_ipsec_sa() Aug 26 18:38:35.164964: | ISAKMP_v2_IKE_AUTH: instance eastnet-northnet[1], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Aug 26 18:38:35.164971: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 18:38:35.164976: | emitting 1 0x00 
repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:38:35.164982: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:38:35.164985: | emitting length of IKEv2 Encryption Payload: 205 Aug 26 18:38:35.164988: | emitting length of ISAKMP Message: 233 Aug 26 18:38:35.165026: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Aug 26 18:38:35.165034: | #1 spent 3.31 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Aug 26 18:38:35.165044: | suspend processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:38:35.165051: | start processing: state #2 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:38:35.165056: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Aug 26 18:38:35.165060: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Aug 26 18:38:35.165064: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Aug 26 18:38:35.165068: | Message ID: updating counters for #2 to 1 after switching state Aug 26 18:38:35.165074: | Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Aug 26 18:38:35.165079: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Aug 26 18:38:35.165082: | pstats #2 ikev2.child established Aug 26 18:38:35.165092: "eastnet-northnet"[1] 192.1.3.33 #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Aug 26 18:38:35.165098: | NAT-T: encaps is 'auto' Aug 26 18:38:35.165104: "eastnet-northnet"[1] 192.1.3.33 #2: 
STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x785da986 <0x2d556a18 xfrm=AES_GCM_16_128-NONE NATOA=none NATD=none DPD=passive} Aug 26 18:38:35.165111: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Aug 26 18:38:35.165120: | sending 233 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Aug 26 18:38:35.165124: | 8d 28 fa 2f 37 b2 de 6b f1 aa 63 66 93 7e d2 d8 Aug 26 18:38:35.165127: | 2e 20 23 20 00 00 00 01 00 00 00 e9 29 00 00 cd Aug 26 18:38:35.165130: | e5 23 e5 c0 30 23 1e 86 7d 69 43 90 fd ad be d1 Aug 26 18:38:35.165133: | cd ac 1d a0 0d 3e 32 32 62 ee d8 6b c3 7c a9 aa Aug 26 18:38:35.165136: | fb 9f fc 0d a4 32 ce 16 39 dd 91 bc 05 92 67 e0 Aug 26 18:38:35.165138: | 2c 3e c2 17 fd 67 95 9b ed 15 3f 15 35 31 80 bf Aug 26 18:38:35.165141: | c3 ee 15 c2 28 75 8e 68 6c 33 ca 6e 1d 03 17 d7 Aug 26 18:38:35.165144: | 28 75 e8 fe 13 26 d7 d6 fe 29 ac 39 80 8a 13 3c Aug 26 18:38:35.165146: | 85 c7 f9 c5 eb 97 f5 14 a2 fb d1 74 80 aa 7e 04 Aug 26 18:38:35.165148: | 18 c4 c2 37 97 31 34 b4 1c 8d 19 29 9b cc 95 61 Aug 26 18:38:35.165151: | 42 43 6f 47 07 10 c3 01 c1 58 84 0f d0 7e 42 62 Aug 26 18:38:35.165154: | 13 ee 3c e5 5c 83 35 00 34 88 ff af 23 ff 97 f8 Aug 26 18:38:35.165156: | e6 7a a7 78 c5 94 63 a5 1d 08 ec e8 de 31 6c 04 Aug 26 18:38:35.165159: | 04 e5 f8 12 f5 fa 9d b3 15 15 c5 32 42 5f 49 a7 Aug 26 18:38:35.165161: | 90 0e 63 a8 b8 7e bc 1f 0f Aug 26 18:38:35.165224: | releasing whack for #2 (sock=fd@-1) Aug 26 18:38:35.165234: | releasing whack and unpending for parent #1 Aug 26 18:38:35.165240: | unpending state #1 connection "eastnet-northnet"[1] 192.1.3.33 Aug 26 18:38:35.165246: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Aug 26 18:38:35.165251: | event_schedule: new EVENT_SA_REKEY-pe@0x7f4c5c002b78 Aug 26 18:38:35.165255: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Aug 26 18:38:35.165259: | libevent_malloc: 
new ptr-libevent@0x561d822814e8 size 128 Aug 26 18:38:35.165275: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 18:38:35.165284: | #1 spent 3.68 milliseconds in resume sending helper answer Aug 26 18:38:35.165305: | stop processing: state #2 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:833) Aug 26 18:38:35.165316: | libevent_free: release ptr-libevent@0x7f4c54000f48 Aug 26 18:38:35.165333: | processing signal PLUTO_SIGCHLD Aug 26 18:38:35.165339: | waitpid returned ECHILD (no child processes left) Aug 26 18:38:35.165344: | spent 0.00522 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:38:35.165347: | processing signal PLUTO_SIGCHLD Aug 26 18:38:35.165351: | waitpid returned ECHILD (no child processes left) Aug 26 18:38:35.165354: | spent 0.00362 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:38:35.165357: | processing signal PLUTO_SIGCHLD Aug 26 18:38:35.165360: | waitpid returned ECHILD (no child processes left) Aug 26 18:38:35.165364: | spent 0.00346 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 18:38:41.823703: | spent 0.00282 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 18:38:41.823726: | *received 121 bytes from 192.1.8.22:500 on eth1 (192.1.2.23:500) Aug 26 18:38:41.823729: | 8d 28 fa 2f 37 b2 de 6b f1 aa 63 66 93 7e d2 d8 Aug 26 18:38:41.823731: | 2e 20 25 08 00 00 00 02 00 00 00 79 29 00 00 5d Aug 26 18:38:41.823733: | f4 bf 0f 10 56 2f 15 2c 1b f5 cf a0 70 d6 b6 21 Aug 26 18:38:41.823734: | 60 57 16 2e 58 a6 e5 03 2d 8c 26 bf 57 02 5c f9 Aug 26 18:38:41.823736: | 5e da 49 93 2f 6c 86 e5 74 04 fa 7c f8 f6 7d 87 Aug 26 18:38:41.823737: | fe 1a 06 80 ca b1 2d 18 d7 d1 d1 bd 72 d6 64 f9 Aug 26 18:38:41.823739: | 4f 84 97 52 9d c6 0c 7e 3d 08 49 c8 68 48 9a e9 Aug 26 18:38:41.823741: | be 84 ec 90 b5 96 5f 18 e1 Aug 26 18:38:41.823744: | start processing: from 192.1.8.22:500 (in process_md() at demux.c:378) Aug 26 
18:38:41.823747: | **parse ISAKMP Message: Aug 26 18:38:41.823749: | initiator cookie: Aug 26 18:38:41.823751: | 8d 28 fa 2f 37 b2 de 6b Aug 26 18:38:41.823752: | responder cookie: Aug 26 18:38:41.823754: | f1 aa 63 66 93 7e d2 d8 Aug 26 18:38:41.823756: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 18:38:41.823758: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:38:41.823760: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 18:38:41.823764: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 18:38:41.823766: | Message ID: 2 (0x2) Aug 26 18:38:41.823768: | length: 121 (0x79) Aug 26 18:38:41.823770: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Aug 26 18:38:41.823773: | I am the IKE SA Original Responder receiving an IKEv2 INFORMATIONAL request Aug 26 18:38:41.823776: | State DB: found IKEv2 state #1 in PARENT_R2 (find_v2_ike_sa) Aug 26 18:38:41.823781: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 18:38:41.823784: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 18:38:41.823787: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 18:38:41.823789: | #1 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Aug 26 18:38:41.823793: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 Aug 26 18:38:41.823796: | unpacking clear payload Aug 26 18:38:41.823798: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 18:38:41.823801: | ***parse IKEv2 Encryption Payload: Aug 26 18:38:41.823803: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:41.823804: | flags: none (0x0) Aug 26 18:38:41.823806: | length: 93 (0x5d) Aug 26 18:38:41.823808: | processing payload: ISAKMP_NEXT_v2SK (len=89) Aug 26 18:38:41.823811: | Message ID: 
start-responder #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=-1->2 Aug 26 18:38:41.823814: | #1 in state PARENT_R2: received v2I2, PARENT SA established Aug 26 18:38:41.823829: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Aug 26 18:38:41.823831: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:38:41.823833: | **parse IKEv2 Notify Payload: Aug 26 18:38:41.823835: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:41.823837: | flags: none (0x0) Aug 26 18:38:41.823839: | length: 8 (0x8) Aug 26 18:38:41.823840: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:41.823842: | SPI size: 0 (0x0) Aug 26 18:38:41.823844: | Notify Message Type: v2N_UPDATE_SA_ADDRESSES (0x4010) Aug 26 18:38:41.823846: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 18:38:41.823848: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:38:41.823850: | **parse IKEv2 Notify Payload: Aug 26 18:38:41.823851: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 18:38:41.823853: | flags: none (0x0) Aug 26 18:38:41.823855: | length: 28 (0x1c) Aug 26 18:38:41.823856: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:41.823858: | SPI size: 0 (0x0) Aug 26 18:38:41.823860: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 18:38:41.823861: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 18:38:41.823863: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 18:38:41.823865: | **parse IKEv2 Notify Payload: Aug 26 18:38:41.823867: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:41.823868: | flags: none (0x0) Aug 26 18:38:41.823870: | length: 28 (0x1c) Aug 26 18:38:41.823871: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:41.823873: | SPI size: 0 (0x0) Aug 26 18:38:41.823875: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 18:38:41.823877: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 18:38:41.823878: | selected state 
microcode R2: process Informational Request Aug 26 18:38:41.823880: | Now let's proceed with state specific processing Aug 26 18:38:41.823882: | calling processor R2: process Informational Request Aug 26 18:38:41.823885: | an informational request should send a response Aug 26 18:38:41.823887: | Need to process v2N_UPDATE_SA_ADDRESSES Aug 26 18:38:41.823888: | TODO: Need to process NAT DETECTION payload if we are initiator Aug 26 18:38:41.823890: | TODO: Need to process NAT DETECTION payload if we are initiator Aug 26 18:38:41.823894: | #2 pst=#1 MOBIKE update remote address 192.1.3.33:500 -> 192.1.8.22:500 Aug 26 18:38:41.823899: | responder migrate kernel SA esp.785da986@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_OUT Aug 26 18:38:41.824213: | responder migrate kernel SA esp.2d556a18@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_IN Aug 26 18:38:41.824238: | responder migrate kernel SA esp.2d556a18@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_FWD Aug 26 18:38:41.824248: "eastnet-northnet"[1] 192.1.3.33 #1: success MOBIKE update remote address 192.1.3.33:500 -> 192.1.8.22:500 Aug 26 18:38:41.824253: | free hp@0x561d8227e3d8 Aug 26 18:38:41.824257: | connect_to_host_pair: 192.1.2.23:500 192.1.8.22:500 -> hp@(nil): none Aug 26 18:38:41.824259: | new hp@0x561d8227e3d8 Aug 26 18:38:41.824264: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 18:38:41.824266: "eastnet-northnet"[1] 192.1.8.22 #1: MOBIKE request: updating IPsec SA by request Aug 26 18:38:41.824293: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Aug 26 18:38:41.824299: | **emit ISAKMP Message: Aug 26 18:38:41.824301: | initiator cookie: Aug 26 18:38:41.824302: | 8d 28 fa 2f 37 b2 de 6b Aug 26 18:38:41.824304: | responder cookie: Aug 26 18:38:41.824306: | f1 aa 63 66 93 7e d2 d8 Aug 26 18:38:41.824308: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:38:41.824310: | 
ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:38:41.824311: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 18:38:41.824313: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 18:38:41.824315: | Message ID: 2 (0x2) Aug 26 18:38:41.824317: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:38:41.824319: | ***emit IKEv2 Encryption Payload: Aug 26 18:38:41.824321: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:41.824323: | flags: none (0x0) Aug 26 18:38:41.824325: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:38:41.824327: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Aug 26 18:38:41.824330: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:38:41.824341: | adding NATD payloads to MOBIKE response Aug 26 18:38:41.824343: | NAT-Traversal support [enabled] add v2N payloads. 
Aug 26 18:38:41.824353: | natd_hash: hasher=0x561d81e30800(20) Aug 26 18:38:41.824355: | natd_hash: icookie= 8d 28 fa 2f 37 b2 de 6b Aug 26 18:38:41.824357: | natd_hash: rcookie= f1 aa 63 66 93 7e d2 d8 Aug 26 18:38:41.824358: | natd_hash: ip= c0 01 02 17 Aug 26 18:38:41.824360: | natd_hash: port=500 Aug 26 18:38:41.824362: | natd_hash: hash= a7 75 b3 2c 1f 59 ab f0 05 48 c2 36 66 55 5e 5f Aug 26 18:38:41.824363: | natd_hash: hash= 6a f4 8f 12 Aug 26 18:38:41.824365: | Adding a v2N Payload Aug 26 18:38:41.824367: | ****emit IKEv2 Notify Payload: Aug 26 18:38:41.824369: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:41.824370: | flags: none (0x0) Aug 26 18:38:41.824372: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:41.824374: | SPI size: 0 (0x0) Aug 26 18:38:41.824376: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 18:38:41.824378: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:38:41.824380: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'information exchange reply packet' Aug 26 18:38:41.824382: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 18:38:41.824384: | Notify data a7 75 b3 2c 1f 59 ab f0 05 48 c2 36 66 55 5e 5f Aug 26 18:38:41.824386: | Notify data 6a f4 8f 12 Aug 26 18:38:41.824388: | emitting length of IKEv2 Notify Payload: 28 Aug 26 18:38:41.824392: | natd_hash: hasher=0x561d81e30800(20) Aug 26 18:38:41.824394: | natd_hash: icookie= 8d 28 fa 2f 37 b2 de 6b Aug 26 18:38:41.824395: | natd_hash: rcookie= f1 aa 63 66 93 7e d2 d8 Aug 26 18:38:41.824397: | natd_hash: ip= c0 01 08 16 Aug 26 18:38:41.824399: | natd_hash: port=500 Aug 26 18:38:41.824400: | natd_hash: hash= ae 01 ea 37 41 03 0d dc 9c 61 ef d3 23 a7 fd 17 Aug 26 18:38:41.824402: | natd_hash: hash= ea 84 08 da Aug 26 18:38:41.824404: | Adding a v2N Payload Aug 26 18:38:41.824405: | ****emit IKEv2 
Notify Payload: Aug 26 18:38:41.824407: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:41.824409: | flags: none (0x0) Aug 26 18:38:41.824410: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 18:38:41.824412: | SPI size: 0 (0x0) Aug 26 18:38:41.824414: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 18:38:41.824416: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 18:38:41.824418: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'information exchange reply packet' Aug 26 18:38:41.824421: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 18:38:41.824423: | Notify data ae 01 ea 37 41 03 0d dc 9c 61 ef d3 23 a7 fd 17 Aug 26 18:38:41.824425: | Notify data ea 84 08 da Aug 26 18:38:41.824427: | emitting length of IKEv2 Notify Payload: 28 Aug 26 18:38:41.824428: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 18:38:41.824431: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:38:41.824433: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:38:41.824435: | emitting length of IKEv2 Encryption Payload: 85 Aug 26 18:38:41.824437: | emitting length of ISAKMP Message: 113 Aug 26 18:38:41.824446: | sending 113 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #1) Aug 26 18:38:41.824448: | 8d 28 fa 2f 37 b2 de 6b f1 aa 63 66 93 7e d2 d8 Aug 26 18:38:41.824450: | 2e 20 25 20 00 00 00 02 00 00 00 71 29 00 00 55 Aug 26 18:38:41.824452: | 01 09 91 2b 47 ca 0f f3 ff 06 82 0d 81 bb 0f 1f Aug 26 18:38:41.824453: | 88 00 53 97 8c 1c 61 9b 4d df af b8 a7 45 33 f0 Aug 26 18:38:41.824455: | a6 a4 45 23 4e 9c 80 34 3c 42 f4 14 c1 33 2b 2e Aug 26 18:38:41.824456: | 45 20 f0 50 71 9f d6 8f 8e fc 05 32 8d 89 d0 95 Aug 26 
18:38:41.824458: | 5d ab ef 5b 46 e6 dd 1c af 7e eb 50 52 20 3e 59 Aug 26 18:38:41.824459: | 5e Aug 26 18:38:41.824488: | Message ID: #1 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=2 Aug 26 18:38:41.824494: | Message ID: sent #1 response 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1->2 responder.recv=1 wip.initiator=-1 wip.responder=2 Aug 26 18:38:41.824499: | #1 spent 0.595 milliseconds in processing: R2: process Informational Request in ikev2_process_state_packet() Aug 26 18:38:41.824504: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 18:38:41.824506: | #1 complete_v2_state_transition() PARENT_R2->PARENT_R2 with status STF_OK Aug 26 18:38:41.824509: | Message ID: updating counters for #1 to 2 after switching state Aug 26 18:38:41.824512: | Message ID: recv #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=1->2 wip.initiator=-1 wip.responder=2->-1 Aug 26 18:38:41.824515: | Message ID: #1 skipping update_send as nothing to send; initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1 wip.responder=-1 Aug 26 18:38:41.824517: | STATE_PARENT_R2: received v2I2, PARENT SA established Aug 26 18:38:41.824520: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 18:38:41.824524: | #1 spent 0.789 milliseconds in ikev2_process_packet() Aug 26 18:38:41.824526: | stop processing: from 192.1.8.22:500 (in process_md() at demux.c:380) Aug 26 18:38:41.824529: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 18:38:41.824531: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 
18:38:41.824534: | spent 0.8 milliseconds in comm_handle_cb() reading and processing packet Aug 26 18:38:53.032316: | processing global timer EVENT_SHUNT_SCAN Aug 26 18:38:53.032340: | expiring aged bare shunts from shunt table Aug 26 18:38:53.032351: | spent 0.00802 milliseconds in global timer EVENT_SHUNT_SCAN Aug 26 18:38:55.298194: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:38:55.298228: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Aug 26 18:38:55.298234: | FOR_EACH_STATE_... in sort_states Aug 26 18:38:55.298248: | get_sa_info esp.2d556a18@192.1.2.23 Aug 26 18:38:55.298268: | get_sa_info esp.785da986@192.1.8.22 Aug 26 18:38:55.298296: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:38:55.298308: | spent 0.12 milliseconds in whack Aug 26 18:38:55.513255: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:38:55.513778: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 18:38:55.513787: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 18:38:55.513882: | FOR_EACH_STATE_... in show_states_status (sort_states) Aug 26 18:38:55.513886: | FOR_EACH_STATE_... 
in sort_states Aug 26 18:38:55.513896: | get_sa_info esp.2d556a18@192.1.2.23 Aug 26 18:38:55.513911: | get_sa_info esp.785da986@192.1.8.22 Aug 26 18:38:55.513928: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 18:38:55.513933: | spent 0.684 milliseconds in whack Aug 26 18:38:56.867924: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 18:38:56.867942: shutting down Aug 26 18:38:56.867948: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Aug 26 18:38:56.867951: | certs and keys locked by 'free_preshared_secrets' Aug 26 18:38:56.867952: forgetting secrets Aug 26 18:38:56.867959: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 18:38:56.867963: | start processing: connection "eastnet-northnet"[1] 192.1.8.22 (in delete_connection() at connections.c:189) Aug 26 18:38:56.867967: "eastnet-northnet"[1] 192.1.8.22: deleting connection "eastnet-northnet"[1] 192.1.8.22 instance with peer 192.1.8.22 {isakmp=#1/ipsec=#2} Aug 26 18:38:56.867969: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 18:38:56.867971: | pass 0 Aug 26 18:38:56.867972: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 18:38:56.867974: | state #2 Aug 26 18:38:56.867978: | suspend processing: connection "eastnet-northnet"[1] 192.1.8.22 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 18:38:56.867982: | start processing: state #2 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 18:38:56.867984: | pstats #2 ikev2.child deleted completed Aug 26 18:38:56.867987: | [RE]START processing: state #2 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in delete_state() at state.c:879) Aug 26 18:38:56.867991: "eastnet-northnet"[1] 192.1.8.22 #2: deleting state (STATE_V2_IPSEC_R) aged 21.736s and sending notification Aug 26 18:38:56.867993: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Aug 26 18:38:56.867996: | get_sa_info esp.785da986@192.1.8.22 Aug 26 18:38:56.868007: | get_sa_info esp.2d556a18@192.1.2.23 Aug 26 18:38:56.868012: "eastnet-northnet"[1] 192.1.8.22 #2: ESP traffic information: in=336B out=336B Aug 26 18:38:56.868015: | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R Aug 26 18:38:56.868017: | Opening output PBS informational exchange delete request Aug 26 18:38:56.868020: | **emit ISAKMP Message: Aug 26 18:38:56.868022: | initiator cookie: Aug 26 18:38:56.868023: | 8d 28 fa 2f 37 b2 de 6b Aug 26 18:38:56.868025: | responder cookie: Aug 26 18:38:56.868026: | f1 aa 63 66 93 7e d2 d8 Aug 26 18:38:56.868028: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:38:56.868030: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:38:56.868032: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 18:38:56.868034: | flags: none (0x0) Aug 26 18:38:56.868035: | Message ID: 0 (0x0) Aug 26 18:38:56.868037: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:38:56.868039: | ***emit IKEv2 Encryption Payload: Aug 26 18:38:56.868041: | next payload 
type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:56.868043: | flags: none (0x0) Aug 26 18:38:56.868045: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:38:56.868049: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:38:56.868051: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:38:56.868059: | ****emit IKEv2 Delete Payload: Aug 26 18:38:56.868061: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:56.868063: | flags: none (0x0) Aug 26 18:38:56.868064: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 18:38:56.868066: | SPI size: 4 (0x4) Aug 26 18:38:56.868067: | number of SPIs: 1 (0x1) Aug 26 18:38:56.868069: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 18:38:56.868071: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:38:56.868073: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Aug 26 18:38:56.868075: | local spis 2d 55 6a 18 Aug 26 18:38:56.868076: | emitting length of IKEv2 Delete Payload: 12 Aug 26 18:38:56.868078: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 18:38:56.868080: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:38:56.868082: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:38:56.868084: | emitting length of IKEv2 Encryption Payload: 41 Aug 26 18:38:56.868086: | emitting length of ISAKMP Message: 69 Aug 26 18:38:56.868105: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #2) Aug 26 18:38:56.868107: | 8d 28 fa 2f 37 b2 de 6b f1 aa 63 66 93 7e d2 d8 Aug 26 18:38:56.868109: | 2e 20 25 00 00 00 
00 00 00 00 00 45 2a 00 00 29 Aug 26 18:38:56.868110: | 7e 32 a2 e5 c2 d2 7a 71 89 ef 9c 90 e8 2e 1c d5 Aug 26 18:38:56.868112: | 1b 2b 27 b2 f6 25 2b e0 3d 08 22 dc fc b9 88 7f Aug 26 18:38:56.868113: | 7e f8 e0 72 fa Aug 26 18:38:56.868153: | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Aug 26 18:38:56.868156: | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send Aug 26 18:38:56.868159: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1->0 wip.responder=-1 Aug 26 18:38:56.868162: | state #2 requesting EVENT_SA_REKEY to be deleted Aug 26 18:38:56.868165: | libevent_free: release ptr-libevent@0x561d822814e8 Aug 26 18:38:56.868167: | free_event_entry: release EVENT_SA_REKEY-pe@0x7f4c5c002b78 Aug 26 18:38:56.868204: | running updown command "ipsec _updown" for verb down Aug 26 18:38:56.868207: | command executing down-client Aug 26 18:38:56.868226: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566844715' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' 
PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_ Aug 26 18:38:56.868229: | popen cmd is 1061 chars long Aug 26 18:38:56.868231: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet': Aug 26 18:38:56.868234: | cmd( 80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_: Aug 26 18:38:56.868236: | cmd( 160):MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0: Aug 26 18:38:56.868237: | cmd( 240):' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' P: Aug 26 18:38:56.868239: | cmd( 320):LUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID=: Aug 26 18:38:56.868241: | cmd( 400):'192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' : Aug 26 18:38:56.868242: | cmd( 480):PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=': Aug 26 18:38:56.868244: | cmd( 560):0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566844715' PLUTO_CONN_P: Aug 26 18:38:56.868246: | cmd( 640):OLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_: Aug 26 18:38:56.868247: | cmd( 720):NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 : Aug 26 18:38:56.868249: | cmd( 800):PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_P: Aug 26 18:38:56.868251: | cmd( 880):EER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' : Aug 26 18:38:56.868252: | cmd( 960):VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x785da986 SPI_OUT=0x2d556a: Aug 26 18:38:56.868254: | cmd(1040):18 ipsec _updown 2>&1: Aug 26 18:38:56.876175: | shunt_eroute() called for connection 'eastnet-northnet' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 Aug 26 18:38:56.876189: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 
18:38:56.876192: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 18:38:56.876196: | IPsec Sa SPD priority set to 1042407 Aug 26 18:38:56.876230: | delete esp.785da986@192.1.8.22 Aug 26 18:38:56.876266: | netlink response for Del SA esp.785da986@192.1.8.22 included non-error error Aug 26 18:38:56.876271: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 18:38:56.876279: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Aug 26 18:38:56.876307: | raw_eroute result=success Aug 26 18:38:56.876315: | delete esp.2d556a18@192.1.2.23 Aug 26 18:38:56.876339: | netlink response for Del SA esp.2d556a18@192.1.2.23 included non-error error Aug 26 18:38:56.876370: | stop processing: connection "eastnet-northnet"[1] 192.1.8.22 (BACKGROUND) (in update_state_connection() at connections.c:4076) Aug 26 18:38:56.876376: | start processing: connection NULL (in update_state_connection() at connections.c:4077) Aug 26 18:38:56.876379: | in connection_discard for connection eastnet-northnet Aug 26 18:38:56.876383: | State DB: deleting IKEv2 state #2 in V2_IPSEC_R Aug 26 18:38:56.876392: | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Aug 26 18:38:56.876402: | stop processing: state #2 from 192.1.8.22:500 (in delete_state() at state.c:1143) Aug 26 18:38:56.876418: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 18:38:56.876421: | state #1 Aug 26 18:38:56.876424: | pass 1 Aug 26 18:38:56.876428: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 18:38:56.876430: | state #1 Aug 26 18:38:56.876438: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 18:38:56.876442: | pstats #1 ikev2.ike deleted completed Aug 26 18:38:56.876451: | #1 spent 8.2 milliseconds in total Aug 26 18:38:56.876458: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in delete_state() at state.c:879) Aug 26 18:38:56.876464: "eastnet-northnet"[1] 192.1.8.22 #1: deleting state (STATE_PARENT_R2) aged 21.752s and sending notification Aug 26 18:38:56.876468: | parent state #1: PARENT_R2(established IKE SA) => delete Aug 26 18:38:56.876517: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Aug 26 18:38:56.876523: | Opening output PBS informational exchange delete request Aug 26 18:38:56.876527: | **emit ISAKMP Message: Aug 26 18:38:56.876531: | initiator cookie: Aug 26 18:38:56.876533: | 8d 28 fa 2f 37 b2 de 6b Aug 26 18:38:56.876537: | responder cookie: Aug 26 18:38:56.876540: | f1 aa 63 66 93 7e d2 d8 Aug 26 18:38:56.876543: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 18:38:56.876547: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 18:38:56.876551: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 18:38:56.876555: | flags: none (0x0) Aug 26 18:38:56.876559: | Message ID: 1 (0x1) Aug 26 18:38:56.876563: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 18:38:56.876567: | ***emit IKEv2 Encryption Payload: Aug 26 18:38:56.876570: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:56.876573: | flags: none (0x0) Aug 26 18:38:56.876577: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 18:38:56.876582: | next payload chain: saving location 'IKEv2 Encryption 
Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:38:56.876586: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 18:38:56.876601: | ****emit IKEv2 Delete Payload: Aug 26 18:38:56.876605: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 18:38:56.876608: | flags: none (0x0) Aug 26 18:38:56.876611: | protocol ID: PROTO_v2_IKE (0x1) Aug 26 18:38:56.876614: | SPI size: 0 (0x0) Aug 26 18:38:56.876617: | number of SPIs: 0 (0x0) Aug 26 18:38:56.876622: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 18:38:56.876626: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 18:38:56.876629: | emitting length of IKEv2 Delete Payload: 8 Aug 26 18:38:56.876632: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 18:38:56.876635: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 18:38:56.876637: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 18:38:56.876638: | emitting length of IKEv2 Encryption Payload: 37 Aug 26 18:38:56.876640: | emitting length of ISAKMP Message: 65 Aug 26 18:38:56.876662: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #1) Aug 26 18:38:56.876665: | 8d 28 fa 2f 37 b2 de 6b f1 aa 63 66 93 7e d2 d8 Aug 26 18:38:56.876666: | 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25 Aug 26 18:38:56.876668: | e2 44 7f de 2b 93 cf c2 d2 32 a4 67 94 67 58 88 Aug 26 18:38:56.876669: | db 9f 4f 20 d0 87 97 b8 87 99 9f a0 f7 ac 90 f1 Aug 26 18:38:56.876671: | 90 Aug 26 18:38:56.876711: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Aug 26 18:38:56.876714: | Message ID: IKE #1 sender #1 in send_delete hacking around 
record ' send Aug 26 18:38:56.876717: | Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=1 wip.responder=-1 Aug 26 18:38:56.876722: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=0->1 wip.responder=-1 Aug 26 18:38:56.876724: | state #1 requesting EVENT_SA_REKEY to be deleted Aug 26 18:38:56.876731: | libevent_free: release ptr-libevent@0x561d82280e98 Aug 26 18:38:56.876734: | free_event_entry: release EVENT_SA_REKEY-pe@0x561d8227e508 Aug 26 18:38:56.876737: | State DB: IKEv2 state not found (flush_incomplete_children) Aug 26 18:38:56.876740: | in connection_discard for connection eastnet-northnet Aug 26 18:38:56.876743: | State DB: deleting IKEv2 state #1 in PARENT_R2 Aug 26 18:38:56.876746: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Aug 26 18:38:56.876773: | stop processing: state #1 from 192.1.8.22:500 (in delete_state() at state.c:1143) Aug 26 18:38:56.876796: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 18:38:56.876798: | shunt_eroute() called for connection 'eastnet-northnet' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 Aug 26 18:38:56.876801: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 18:38:56.876803: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 18:38:56.876817: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 18:38:56.876828: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 18:38:56.876832: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 18:38:56.876836: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 18:38:56.876839: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 18:38:56.876842: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 18:38:56.876846: | route owner of "eastnet-northnet" unrouted: NULL Aug 26 18:38:56.876850: | running updown command "ipsec _updown" for verb unroute Aug 26 18:38:56.876853: | command executing unroute-client Aug 26 18:38:56.876881: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SH Aug 26 18:38:56.876884: | popen cmd is 1042 chars long Aug 26 18:38:56.876886: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northn: Aug 26 18:38:56.876888: | cmd( 80):et' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLU: Aug 26 18:38:56.876890: | cmd( 160):TO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.: Aug 26 
18:38:56.876892: | cmd( 240):2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0: Aug 26 18:38:56.876893: | cmd( 320):' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.8.22' PLUTO_PEER: Aug 26 18:38:56.876895: | cmd( 400):_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3: Aug 26 18:38:56.876897: | cmd( 480):.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOC: Aug 26 18:38:56.876898: | cmd( 560):OL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY: Aug 26 18:38:56.876900: | cmd( 640):='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' P: Aug 26 18:38:56.876902: | cmd( 720):LUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO: Aug 26 18:38:56.876904: | cmd( 800):_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_B: Aug 26 18:38:56.876905: | cmd( 880):ANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_I: Aug 26 18:38:56.876907: | cmd( 960):FACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>: Aug 26 18:38:56.876910: | cmd(1040):&1: Aug 26 18:38:56.885581: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:56.885601: unroute-client output: Error: Peer netns reference is invalid. Aug 26 18:38:56.890032: | free hp@0x561d8227e3d8 Aug 26 18:38:56.890046: | flush revival: connection 'eastnet-northnet' wasn't on the list Aug 26 18:38:56.890049: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Aug 26 18:38:56.890059: | start processing: connection "eastnet-northnet" (in delete_connection() at connections.c:189) Aug 26 18:38:56.890061: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 18:38:56.890063: | pass 0 Aug 26 18:38:56.890065: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 18:38:56.890066: | pass 1 Aug 26 18:38:56.890068: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 18:38:56.890070: | free hp@0x561d8227c478 Aug 26 18:38:56.890071: | flush revival: connection 'eastnet-northnet' wasn't on the list Aug 26 18:38:56.890073: | stop processing: connection "eastnet-northnet" (in discard_connection() at connections.c:249) Aug 26 18:38:56.890083: | crl fetch request list locked by 'free_crl_fetch' Aug 26 18:38:56.890085: | crl fetch request list unlocked by 'free_crl_fetch' Aug 26 18:38:56.890092: shutting down interface lo/lo 127.0.0.1:4500 Aug 26 18:38:56.890094: shutting down interface lo/lo 127.0.0.1:500 Aug 26 18:38:56.890096: shutting down interface eth0/eth0 192.0.2.254:4500 Aug 26 18:38:56.890098: shutting down interface eth0/eth0 192.0.2.254:500 Aug 26 18:38:56.890100: shutting down interface eth1/eth1 192.1.2.23:4500 Aug 26 18:38:56.890102: shutting down interface eth1/eth1 192.1.2.23:500 Aug 26 18:38:56.890105: | FOR_EACH_STATE_... 
in delete_states_dead_interfaces Aug 26 18:38:56.890114: | libevent_free: release ptr-libevent@0x561d8226e468 Aug 26 18:38:56.890117: | free_event_entry: release EVENT_NULL-pe@0x561d8227a148 Aug 26 18:38:56.890125: | libevent_free: release ptr-libevent@0x561d8220a2b8 Aug 26 18:38:56.890127: | free_event_entry: release EVENT_NULL-pe@0x561d8227a1f8 Aug 26 18:38:56.890133: | libevent_free: release ptr-libevent@0x561d8220c158 Aug 26 18:38:56.890135: | free_event_entry: release EVENT_NULL-pe@0x561d8227a2a8 Aug 26 18:38:56.890140: | libevent_free: release ptr-libevent@0x561d822092a8 Aug 26 18:38:56.890142: | free_event_entry: release EVENT_NULL-pe@0x561d8227a358 Aug 26 18:38:56.890146: | libevent_free: release ptr-libevent@0x561d821da4e8 Aug 26 18:38:56.890148: | free_event_entry: release EVENT_NULL-pe@0x561d8227a408 Aug 26 18:38:56.890152: | libevent_free: release ptr-libevent@0x561d821da1d8 Aug 26 18:38:56.890154: | free_event_entry: release EVENT_NULL-pe@0x561d8227a4b8 Aug 26 18:38:56.890158: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Aug 26 18:38:56.890588: | libevent_free: release ptr-libevent@0x561d8226e518 Aug 26 18:38:56.890595: | free_event_entry: release EVENT_NULL-pe@0x561d82262258 Aug 26 18:38:56.890600: | libevent_free: release ptr-libevent@0x561d8220c058 Aug 26 18:38:56.890602: | free_event_entry: release EVENT_NULL-pe@0x561d82261718 Aug 26 18:38:56.890606: | libevent_free: release ptr-libevent@0x561d82245b18 Aug 26 18:38:56.890607: | free_event_entry: release EVENT_NULL-pe@0x561d822622c8 Aug 26 18:38:56.890610: | global timer EVENT_REINIT_SECRET uninitialized Aug 26 18:38:56.890612: | global timer EVENT_SHUNT_SCAN uninitialized Aug 26 18:38:56.890614: | global timer EVENT_PENDING_DDNS uninitialized Aug 26 18:38:56.890615: | global timer EVENT_PENDING_PHASE2 uninitialized Aug 26 18:38:56.890617: | global timer EVENT_CHECK_CRLS uninitialized Aug 26 18:38:56.890618: | global timer EVENT_REVIVE_CONNS uninitialized Aug 26 18:38:56.890620: | global timer EVENT_FREE_ROOT_CERTS uninitialized Aug 26 18:38:56.890621: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Aug 26 18:38:56.890623: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Aug 26 18:38:56.890627: | libevent_free: release ptr-libevent@0x561d82209808 Aug 26 18:38:56.890631: | signal event handler PLUTO_SIGCHLD uninstalled Aug 26 18:38:56.890633: | libevent_free: release ptr-libevent@0x561d82279928 Aug 26 18:38:56.890635: | signal event handler PLUTO_SIGTERM uninstalled Aug 26 18:38:56.890637: | libevent_free: release ptr-libevent@0x561d82279a38 Aug 26 18:38:56.890638: | signal event handler PLUTO_SIGHUP uninstalled Aug 26 18:38:56.890640: | libevent_free: release ptr-libevent@0x561d82279c78 Aug 26 18:38:56.890642: | signal event handler PLUTO_SIGSYS uninstalled Aug 26 18:38:56.890643: | releasing event base Aug 26 18:38:56.890652: | libevent_free: release ptr-libevent@0x561d82279b48 Aug 26 18:38:56.890654: | libevent_free: release ptr-libevent@0x561d8225cb08 Aug 26 18:38:56.890657: | libevent_free: 
release ptr-libevent@0x561d8225cab8 Aug 26 18:38:56.890658: | libevent_free: release ptr-libevent@0x561d8225ca48 Aug 26 18:38:56.890660: | libevent_free: release ptr-libevent@0x561d8225ca08 Aug 26 18:38:56.890662: | libevent_free: release ptr-libevent@0x561d82279828 Aug 26 18:38:56.890663: | libevent_free: release ptr-libevent@0x561d822798a8 Aug 26 18:38:56.890665: | libevent_free: release ptr-libevent@0x561d8225ccb8 Aug 26 18:38:56.890667: | libevent_free: release ptr-libevent@0x561d82261828 Aug 26 18:38:56.890668: | libevent_free: release ptr-libevent@0x561d82262218 Aug 26 18:38:56.890670: | libevent_free: release ptr-libevent@0x561d8227a528 Aug 26 18:38:56.890672: | libevent_free: release ptr-libevent@0x561d8227a478 Aug 26 18:38:56.890673: | libevent_free: release ptr-libevent@0x561d8227a3c8 Aug 26 18:38:56.890675: | libevent_free: release ptr-libevent@0x561d8227a318 Aug 26 18:38:56.890676: | libevent_free: release ptr-libevent@0x561d8227a268 Aug 26 18:38:56.890678: | libevent_free: release ptr-libevent@0x561d8227a1b8 Aug 26 18:38:56.890679: | libevent_free: release ptr-libevent@0x561d82209968 Aug 26 18:38:56.890681: | libevent_free: release ptr-libevent@0x561d822799f8 Aug 26 18:38:56.890682: | libevent_free: release ptr-libevent@0x561d822798e8 Aug 26 18:38:56.890684: | libevent_free: release ptr-libevent@0x561d82279868 Aug 26 18:38:56.890685: | libevent_free: release ptr-libevent@0x561d82279b08 Aug 26 18:38:56.890687: | libevent_free: release ptr-libevent@0x561d82208af8 Aug 26 18:38:56.890689: | libevent_free: release ptr-libevent@0x561d821d9908 Aug 26 18:38:56.890690: | libevent_free: release ptr-libevent@0x561d821d9d38 Aug 26 18:38:56.890692: | libevent_free: release ptr-libevent@0x561d82208e68 Aug 26 18:38:56.890693: | releasing global libevent data Aug 26 18:38:56.890695: | libevent_free: release ptr-libevent@0x561d821d5178 Aug 26 18:38:56.890697: | libevent_free: release ptr-libevent@0x561d821d9cd8 Aug 26 18:38:56.890699: | libevent_free: release 
ptr-libevent@0x561d821d9dd8 Aug 26 18:38:56.890727: leak detective found no leaks