FIPS Product: YES
FIPS Kernel: NO
FIPS Mode: NO
NSS DB directory: sql:/etc/ipsec.d
Initializing NSS
Opening NSS database "sql:/etc/ipsec.d" read-only
NSS initialized
NSS crypto library initialized
FIPS HMAC integrity support [enabled]
FIPS mode disabled for pluto daemon
FIPS HMAC integrity verification self-test FAILED
libcap-ng support [enabled]
Linux audit support [enabled]
Linux audit activated
Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:12144
core dump dir: /var/tmp
secrets file: /etc/ipsec.secrets
leak-detective enabled
NSS crypto [enabled]
XAUTH PAM support [enabled]
| libevent is using pluto's memory allocator
Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
| libevent_malloc: new ptr-libevent@0x55f15abc6768 size 40
| libevent_malloc: new ptr-libevent@0x55f15abc66e8 size 40
| libevent_malloc: new ptr-libevent@0x55f15abc6668 size 40
| creating event base
| libevent_malloc: new ptr-libevent@0x55f15abb8298 size 56
| libevent_malloc: new ptr-libevent@0x55f15ab41ee8 size 664
| libevent_malloc: new ptr-libevent@0x55f15ac00d88 size 24
| libevent_malloc: new ptr-libevent@0x55f15ac00dd8 size 384
| libevent_malloc: new ptr-libevent@0x55f15ac00d48 size 16
| libevent_malloc: new ptr-libevent@0x55f15abc65e8 size 40
| libevent_malloc: new ptr-libevent@0x55f15abc6568 size 48
| libevent_realloc: new ptr-libevent@0x55f15ab41b78 size 256
| libevent_malloc: new ptr-libevent@0x55f15ac00f88 size 16
| libevent_free: release ptr-libevent@0x55f15abb8298
| libevent initialized
| libevent_realloc: new ptr-libevent@0x55f15abb8298 size 64
| global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds
| init_nat_traversal() initialized with keep_alive=0s
NAT-Traversal support  [enabled]
| global one-shot timer EVENT_NAT_T_KEEPALIVE initialized
| global one-shot timer EVENT_FREE_ROOT_CERTS initialized
| global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds
| global one-shot timer EVENT_REVIVE_CONNS initialized
| global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds
| global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds
Encryption algorithms:
  AES_CCM_16              IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm, aes_ccm_c
  AES_CCM_12              IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm_b
  AES_CCM_8               IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm_a
  3DES_CBC                IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  [*192]  3des
  CAMELLIA_CTR            IKEv1:     ESP     IKEv2:     ESP           {256,192,*128}
  CAMELLIA_CBC            IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  camellia
  AES_GCM_16              IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes_gcm, aes_gcm_c
  AES_GCM_12              IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes_gcm_b
  AES_GCM_8               IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes_gcm_a
  AES_CTR                 IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aesctr
  AES_CBC                 IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes
  SERPENT_CBC             IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  serpent
  TWOFISH_CBC             IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  twofish
  TWOFISH_SSH             IKEv1: IKE         IKEv2: IKE ESP           {256,192,*128}  twofish_cbc_ssh
  NULL_AUTH_AES_GMAC      IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_gmac
  NULL                    IKEv1:     ESP     IKEv2:     ESP           []
  CHACHA20_POLY1305       IKEv1:             IKEv2: IKE ESP           [*256]  chacha20poly1305
Hash algorithms:
  MD5                     IKEv1: IKE         IKEv2:                 
  SHA1                    IKEv1: IKE         IKEv2:             FIPS  sha
  SHA2_256                IKEv1: IKE         IKEv2:             FIPS  sha2, sha256
  SHA2_384                IKEv1: IKE         IKEv2:             FIPS  sha384
  SHA2_512                IKEv1: IKE         IKEv2:             FIPS  sha512
PRF algorithms:
  HMAC_MD5                IKEv1: IKE         IKEv2: IKE               md5
  HMAC_SHA1               IKEv1: IKE         IKEv2: IKE         FIPS  sha, sha1
  HMAC_SHA2_256           IKEv1: IKE         IKEv2: IKE         FIPS  sha2, sha256, sha2_256
  HMAC_SHA2_384           IKEv1: IKE         IKEv2: IKE         FIPS  sha384, sha2_384
  HMAC_SHA2_512           IKEv1: IKE         IKEv2: IKE         FIPS  sha512, sha2_512
  AES_XCBC                IKEv1:             IKEv2: IKE               aes128_xcbc
Integrity algorithms:
  HMAC_MD5_96             IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        md5, hmac_md5
  HMAC_SHA1_96            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha, sha1, sha1_96, hmac_sha1
  HMAC_SHA2_512_256       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha512, sha2_512, sha2_512_256, hmac_sha2_512
  HMAC_SHA2_384_192       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha384, sha2_384, sha2_384_192, hmac_sha2_384
  HMAC_SHA2_256_128       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
  HMAC_SHA2_256_TRUNCBUG  IKEv1:     ESP AH  IKEv2:         AH      
  AES_XCBC_96             IKEv1:     ESP AH  IKEv2: IKE ESP AH        aes_xcbc, aes128_xcbc, aes128_xcbc_96
  AES_CMAC_96             IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS  aes_cmac
  NONE                    IKEv1:     ESP     IKEv2: IKE ESP     FIPS  null
DH algorithms:
  NONE                    IKEv1:             IKEv2: IKE ESP AH  FIPS  null, dh0
  MODP1536                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        dh5
  MODP2048                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh14
  MODP3072                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh15
  MODP4096                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh16
  MODP6144                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh17
  MODP8192                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh18
  DH19                    IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  ecp_256, ecp256
  DH20                    IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  ecp_384, ecp384
  DH21                    IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  ecp_521, ecp521
  DH31                    IKEv1: IKE         IKEv2: IKE ESP AH        curve25519
testing CAMELLIA_CBC:
  Camellia: 16 bytes with 128-bit key
  Camellia: 16 bytes with 128-bit key
  Camellia: 16 bytes with 256-bit key
  Camellia: 16 bytes with 256-bit key
testing AES_GCM_16:
  empty string
  one block
  two blocks
  two blocks with associated data
testing AES_CTR:
  Encrypting 16 octets using AES-CTR with 128-bit key
  Encrypting 32 octets using AES-CTR with 128-bit key
  Encrypting 36 octets using AES-CTR with 128-bit key
  Encrypting 16 octets using AES-CTR with 192-bit key
  Encrypting 32 octets using AES-CTR with 192-bit key
  Encrypting 36 octets using AES-CTR with 192-bit key
  Encrypting 16 octets using AES-CTR with 256-bit key
  Encrypting 32 octets using AES-CTR with 256-bit key
  Encrypting 36 octets using AES-CTR with 256-bit key
testing AES_CBC:
  Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
  Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
  Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
  Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
testing AES_XCBC:
  RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input
  RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input
  RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input
  RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input
  RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input
  RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input
  RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input
  RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
  RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
  RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
testing HMAC_MD5:
  RFC 2104: MD5_HMAC test 1
  RFC 2104: MD5_HMAC test 2
  RFC 2104: MD5_HMAC test 3
8 CPU cores online
starting up 7 crypto helpers
started thread for crypto helper 0
| starting up helper thread 0
| status value returned by setting the priority of this thread (crypto helper 0) 22
| crypto helper 0 waiting (nothing to do)
started thread for crypto helper 1
| starting up helper thread 1
| status value returned by setting the priority of this thread (crypto helper 1) 22
| crypto helper 1 waiting (nothing to do)
started thread for crypto helper 2
| starting up helper thread 2
| status value returned by setting the priority of this thread (crypto helper 2) 22
| crypto helper 2 waiting (nothing to do)
started thread for crypto helper 3
| starting up helper thread 3
| status value returned by setting the priority of this thread (crypto helper 3) 22
| crypto helper 3 waiting (nothing to do)
started thread for crypto helper 4
| starting up helper thread 4
| status value returned by setting the priority of this thread (crypto helper 4) 22
| crypto helper 4 waiting (nothing to do)
started thread for crypto helper 5
| starting up helper thread 5
| status value returned by setting the priority of this thread (crypto helper 5) 22
| crypto helper 5 waiting (nothing to do)
started thread for crypto helper 6
| starting up helper thread 6
| checking IKEv1 state table
| status value returned by setting the priority of this thread (crypto helper 6) 22
| crypto helper 6 waiting (nothing to do)
|   MAIN_R0: category: half-open IKE SA flags: 0:
|     -> MAIN_R1 EVENT_SO_DISCARD
|   MAIN_I1: category: half-open IKE SA flags: 0:
|     -> MAIN_I2 EVENT_RETRANSMIT
|   MAIN_R1: category: open IKE SA flags: 200:
|     -> MAIN_R2 EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|   MAIN_I2: category: open IKE SA flags: 0:
|     -> MAIN_I3 EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|   MAIN_R2: category: open IKE SA flags: 0:
|     -> MAIN_R3 EVENT_SA_REPLACE
|     -> MAIN_R3 EVENT_SA_REPLACE
|     -> UNDEFINED EVENT_SA_REPLACE
|   MAIN_I3: category: open IKE SA flags: 0:
|     -> MAIN_I4 EVENT_SA_REPLACE
|     -> MAIN_I4 EVENT_SA_REPLACE
|     -> UNDEFINED EVENT_SA_REPLACE
|   MAIN_R3: category: established IKE SA flags: 200:
|     -> UNDEFINED EVENT_NULL
|   MAIN_I4: category: established IKE SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   AGGR_R0: category: half-open IKE SA flags: 0:
|     -> AGGR_R1 EVENT_SO_DISCARD
|   AGGR_I1: category: half-open IKE SA flags: 0:
|     -> AGGR_I2 EVENT_SA_REPLACE
|     -> AGGR_I2 EVENT_SA_REPLACE
|   AGGR_R1: category: open IKE SA flags: 200:
|     -> AGGR_R2 EVENT_SA_REPLACE
|     -> AGGR_R2 EVENT_SA_REPLACE
|   AGGR_I2: category: established IKE SA flags: 200:
|     -> UNDEFINED EVENT_NULL
|   AGGR_R2: category: established IKE SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   QUICK_R0: category: established CHILD SA flags: 0:
|     -> QUICK_R1 EVENT_RETRANSMIT
|   QUICK_I1: category: established CHILD SA flags: 0:
|     -> QUICK_I2 EVENT_SA_REPLACE
|   QUICK_R1: category: established CHILD SA flags: 0:
|     -> QUICK_R2 EVENT_SA_REPLACE
|   QUICK_I2: category: established CHILD SA flags: 200:
|     -> UNDEFINED EVENT_NULL
|   QUICK_R2: category: established CHILD SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   INFO: category: informational flags: 0:
|     -> UNDEFINED EVENT_NULL
|   INFO_PROTECTED: category: informational flags: 0:
|     -> UNDEFINED EVENT_NULL
|   XAUTH_R0: category: established IKE SA flags: 0:
|     -> XAUTH_R1 EVENT_NULL
|   XAUTH_R1: category: established IKE SA flags: 0:
|     -> MAIN_R3 EVENT_SA_REPLACE
|   MODE_CFG_R0: category: informational flags: 0:
|     -> MODE_CFG_R1 EVENT_SA_REPLACE
|   MODE_CFG_R1: category: established IKE SA flags: 0:
|     -> MODE_CFG_R2 EVENT_SA_REPLACE
|   MODE_CFG_R2: category: established IKE SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   MODE_CFG_I1: category: established IKE SA flags: 0:
|     -> MAIN_I4 EVENT_SA_REPLACE
|   XAUTH_I0: category: established IKE SA flags: 0:
|     -> XAUTH_I1 EVENT_RETRANSMIT
|   XAUTH_I1: category: established IKE SA flags: 0:
|     -> MAIN_I4 EVENT_RETRANSMIT
| checking IKEv2 state table
|   PARENT_I0: category: ignore flags: 0:
|     -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT)
|   PARENT_I1: category: half-open IKE SA flags: 0:
|     -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification)
|     -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH)
|   PARENT_I2: category: open IKE SA flags: 0:
|     -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification)
|     -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification)
|     -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification)
|     -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response)
|     -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification)
|   PARENT_I3: category: established IKE SA flags: 0:
|     -> PARENT_I3 EVENT_RETAIN (I3: Informational Request)
|     -> PARENT_I3 EVENT_RETAIN (I3: Informational Response)
|     -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request)
|     -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response)
|   PARENT_R0: category: half-open IKE SA flags: 0:
|     -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT)
|   PARENT_R1: category: half-open IKE SA flags: 0:
|     -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED))
|     -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request)
|   PARENT_R2: category: established IKE SA flags: 0:
|     -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request)
|     -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response)
|     -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request)
|     -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response)
|   V2_CREATE_I0: category: established IKE SA flags: 0:
|     -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA)
|   V2_CREATE_I: category: established IKE SA flags: 0:
|     -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response)
|   V2_REKEY_IKE_I0: category: established IKE SA flags: 0:
|     -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey)
|   V2_REKEY_IKE_I: category: established IKE SA flags: 0:
|     -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response)
|   V2_REKEY_CHILD_I0: category: established IKE SA flags: 0:
|     -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA)
|   V2_REKEY_CHILD_I: category: established IKE SA flags: 0: <none>
|   V2_CREATE_R: category: established IKE SA flags: 0:
|     -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request)
|   V2_REKEY_IKE_R: category: established IKE SA flags: 0:
|     -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey)
|   V2_REKEY_CHILD_R: category: established IKE SA flags: 0: <none>
|   V2_IPSEC_I: category: established CHILD SA flags: 0: <none>
|   V2_IPSEC_R: category: established CHILD SA flags: 0: <none>
|   IKESA_DEL: category: established IKE SA flags: 0:
|     -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
|   CHILDSA_DEL: category: informational flags: 0: <none>
Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64
| Hard-wiring algorithms
| adding AES_CCM_16 to kernel algorithm db
| adding AES_CCM_12 to kernel algorithm db
| adding AES_CCM_8 to kernel algorithm db
| adding 3DES_CBC to kernel algorithm db
| adding CAMELLIA_CBC to kernel algorithm db
| adding AES_GCM_16 to kernel algorithm db
| adding AES_GCM_12 to kernel algorithm db
| adding AES_GCM_8 to kernel algorithm db
| adding AES_CTR to kernel algorithm db
| adding AES_CBC to kernel algorithm db
| adding SERPENT_CBC to kernel algorithm db
| adding TWOFISH_CBC to kernel algorithm db
| adding NULL_AUTH_AES_GMAC to kernel algorithm db
| adding NULL to kernel algorithm db
| adding CHACHA20_POLY1305 to kernel algorithm db
| adding HMAC_MD5_96 to kernel algorithm db
| adding HMAC_SHA1_96 to kernel algorithm db
| adding HMAC_SHA2_512_256 to kernel algorithm db
| adding HMAC_SHA2_384_192 to kernel algorithm db
| adding HMAC_SHA2_256_128 to kernel algorithm db
| adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db
| adding AES_XCBC_96 to kernel algorithm db
| adding AES_CMAC_96 to kernel algorithm db
| adding NONE to kernel algorithm db
| net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes
| global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds
| setup kernel fd callback
| add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55f15abc0488
| libevent_malloc: new ptr-libevent@0x55f15abff4f8 size 128
| libevent_malloc: new ptr-libevent@0x55f15ac06588 size 16
| add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55f15ac06518
| libevent_malloc: new ptr-libevent@0x55f15abb8f48 size 128
| libevent_malloc: new ptr-libevent@0x55f15ac061e8 size 16
| global one-shot timer EVENT_CHECK_CRLS initialized
selinux support is enabled.
| unbound context created - setting debug level to 5
| /etc/hosts lookups activated
| /etc/resolv.conf usage activated
| outgoing-port-avoid set 0-65535
| outgoing-port-permit set 32768-60999
| Loading dnssec root key from:/var/lib/unbound/root.key
| No additional dnssec trust anchors defined via dnssec-trusted= option
| Setting up events, loop start
| add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55f15ac069b8
| libevent_malloc: new ptr-libevent@0x55f15ac12818 size 128
| libevent_malloc: new ptr-libevent@0x55f15ac1da88 size 16
| libevent_realloc: new ptr-libevent@0x55f15ac1dac8 size 256
| libevent_malloc: new ptr-libevent@0x55f15ac1dbf8 size 8
| libevent_realloc: new ptr-libevent@0x55f15ac1dc38 size 144
| libevent_malloc: new ptr-libevent@0x55f15abc4a58 size 152
| libevent_malloc: new ptr-libevent@0x55f15ac1dcf8 size 16
| signal event handler PLUTO_SIGCHLD installed
| libevent_malloc: new ptr-libevent@0x55f15ac1dd38 size 8
| libevent_malloc: new ptr-libevent@0x55f15ab428c8 size 152
| signal event handler PLUTO_SIGTERM installed
| libevent_malloc: new ptr-libevent@0x55f15ac1dd78 size 8
| libevent_malloc: new ptr-libevent@0x55f15ac1ddb8 size 152
| signal event handler PLUTO_SIGHUP installed
| libevent_malloc: new ptr-libevent@0x55f15ac1de88 size 8
| libevent_realloc: release ptr-libevent@0x55f15ac1dc38
| libevent_realloc: new ptr-libevent@0x55f15ac1dec8 size 256
| libevent_malloc: new ptr-libevent@0x55f15ac1dff8 size 152
| signal event handler PLUTO_SIGSYS installed
| created addconn helper (pid:12539) using fork+execve
| forked child 12539
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
listening for IKE messages
| Inspecting interface lo 
| found lo with address 127.0.0.1
| Inspecting interface eth0 
| found eth0 with address 192.0.2.254
| Inspecting interface eth1 
| found eth1 with address 192.1.2.23
Kernel supports NIC esp-hw-offload
adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface eth1/eth1 192.1.2.23:4500
adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface eth0/eth0 192.0.2.254:4500
adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface lo/lo 127.0.0.1:4500
| no interfaces to sort
| FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
| add_fd_read_event_handler: new ethX-pe@0x55f15ac1e5d8
| libevent_malloc: new ptr-libevent@0x55f15ac12768 size 128
| libevent_malloc: new ptr-libevent@0x55f15ac1e648 size 16
| setup callback for interface lo 127.0.0.1:4500 fd 22
| add_fd_read_event_handler: new ethX-pe@0x55f15ac1e688
| libevent_malloc: new ptr-libevent@0x55f15abb8ff8 size 128
| libevent_malloc: new ptr-libevent@0x55f15ac1e6f8 size 16
| setup callback for interface lo 127.0.0.1:500 fd 21
| add_fd_read_event_handler: new ethX-pe@0x55f15ac1e738
| libevent_malloc: new ptr-libevent@0x55f15abb8918 size 128
| libevent_malloc: new ptr-libevent@0x55f15ac1e7a8 size 16
| setup callback for interface eth0 192.0.2.254:4500 fd 20
| add_fd_read_event_handler: new ethX-pe@0x55f15ac1e7e8
| libevent_malloc: new ptr-libevent@0x55f15abc01d8 size 128
| libevent_malloc: new ptr-libevent@0x55f15ac1e858 size 16
| setup callback for interface eth0 192.0.2.254:500 fd 19
| add_fd_read_event_handler: new ethX-pe@0x55f15ac1e898
| libevent_malloc: new ptr-libevent@0x55f15abc02d8 size 128
| libevent_malloc: new ptr-libevent@0x55f15ac1e908 size 16
| setup callback for interface eth1 192.1.2.23:4500 fd 18
| add_fd_read_event_handler: new ethX-pe@0x55f15ac1e948
| libevent_malloc: new ptr-libevent@0x55f15abc03d8 size 128
| libevent_malloc: new ptr-libevent@0x55f15ac1e9b8 size 16
| setup callback for interface eth1 192.1.2.23:500 fd 17
| certs and keys locked by 'free_preshared_secrets'
| certs and keys unlocked by 'free_preshared_secrets'
loading secrets from "/etc/ipsec.secrets"
| saving Modulus
| saving PublicExponent
| ignoring PrivateExponent
| ignoring Prime1
| ignoring Prime2
| ignoring Exponent1
| ignoring Exponent2
| ignoring Coefficient
| ignoring CKAIDNSS
| computed rsa CKAID  61 55 99 73  d3 ac ef 7d  3a 37 0e 3e  82 ad 92 c1
| computed rsa CKAID  8a 82 25 f1
loaded private key for keyid: PKK_RSA:AQO9bJbr3
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 1.37 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
listening for IKE messages
| Inspecting interface lo 
| found lo with address 127.0.0.1
| Inspecting interface eth0 
| found eth0 with address 192.0.2.254
| Inspecting interface eth1 
| found eth1 with address 192.1.2.23
| no interfaces to sort
| libevent_free: release ptr-libevent@0x55f15ac12768
| free_event_entry: release EVENT_NULL-pe@0x55f15ac1e5d8
| add_fd_read_event_handler: new ethX-pe@0x55f15ac1e5d8
| libevent_malloc: new ptr-libevent@0x55f15ac12768 size 128
| setup callback for interface lo 127.0.0.1:4500 fd 22
| libevent_free: release ptr-libevent@0x55f15abb8ff8
| free_event_entry: release EVENT_NULL-pe@0x55f15ac1e688
| add_fd_read_event_handler: new ethX-pe@0x55f15ac1e688
| libevent_malloc: new ptr-libevent@0x55f15abb8ff8 size 128
| setup callback for interface lo 127.0.0.1:500 fd 21
| libevent_free: release ptr-libevent@0x55f15abb8918
| free_event_entry: release EVENT_NULL-pe@0x55f15ac1e738
| add_fd_read_event_handler: new ethX-pe@0x55f15ac1e738
| libevent_malloc: new ptr-libevent@0x55f15abb8918 size 128
| setup callback for interface eth0 192.0.2.254:4500 fd 20
| libevent_free: release ptr-libevent@0x55f15abc01d8
| free_event_entry: release EVENT_NULL-pe@0x55f15ac1e7e8
| add_fd_read_event_handler: new ethX-pe@0x55f15ac1e7e8
| libevent_malloc: new ptr-libevent@0x55f15abc01d8 size 128
| setup callback for interface eth0 192.0.2.254:500 fd 19
| libevent_free: release ptr-libevent@0x55f15abc02d8
| free_event_entry: release EVENT_NULL-pe@0x55f15ac1e898
| add_fd_read_event_handler: new ethX-pe@0x55f15ac1e898
| libevent_malloc: new ptr-libevent@0x55f15abc02d8 size 128
| setup callback for interface eth1 192.1.2.23:4500 fd 18
| libevent_free: release ptr-libevent@0x55f15abc03d8
| free_event_entry: release EVENT_NULL-pe@0x55f15ac1e948
| add_fd_read_event_handler: new ethX-pe@0x55f15ac1e948
| libevent_malloc: new ptr-libevent@0x55f15abc03d8 size 128
| setup callback for interface eth1 192.1.2.23:500 fd 17
| certs and keys locked by 'free_preshared_secrets'
forgetting secrets
| certs and keys unlocked by 'free_preshared_secrets'
loading secrets from "/etc/ipsec.secrets"
| saving Modulus
| saving PublicExponent
| ignoring PrivateExponent
| ignoring Prime1
| ignoring Prime2
| ignoring Exponent1
| ignoring Exponent2
| ignoring Coefficient
| ignoring CKAIDNSS
| computed rsa CKAID  61 55 99 73  d3 ac ef 7d  3a 37 0e 3e  82 ad 92 c1
| computed rsa CKAID  8a 82 25 f1
loaded private key for keyid: PKK_RSA:AQO9bJbr3
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.659 milliseconds in whack
| processing signal PLUTO_SIGCHLD
| waitpid returned pid 12539 (exited with status 0)
| reaped addconn helper child (status 0)
| waitpid returned ECHILD (no child processes left)
| spent 0.015 milliseconds in signal handler PLUTO_SIGCHLD
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection main with policy RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| ASCII to DN <= "C=*, ST=*, L=Toronto, O=*, OU=*, CN=*, E=*"
| ASCII to DN =>  30 60 31 0a  30 08 06 03  55 04 06 14  01 2a 31 0a
| ASCII to DN =>  30 08 06 03  55 04 08 14  01 2a 31 10  30 0e 06 03
| ASCII to DN =>  55 04 07 13  07 54 6f 72  6f 6e 74 6f  31 0a 30 08
| ASCII to DN =>  06 03 55 04  0a 14 01 2a  31 0a 30 08  06 03 55 04
| ASCII to DN =>  0b 14 01 2a  31 0a 30 08  06 03 55 04  03 14 01 2a
| ASCII to DN =>  31 10 30 0e  06 09 2a 86  48 86 f7 0d  01 09 01 16
| ASCII to DN =>  01 2a
| counting wild cards for C=*, ST=*, L=Toronto, O=*, OU=*, CN=*, E=* is 6
| setting ID to ID_DER_ASN1_DN: 'E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA'
| loading right certificate 'east' pubkey
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55f15ac220a8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55f15ac22058
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55f15ac21f18
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55f15ac21c68
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55f15ac21c18
| unreference key: 0x55f15ac220f8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1--
| certs and keys locked by 'lsw_add_rsa_secret'
| certs and keys unlocked by 'lsw_add_rsa_secret'
| counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org is 0
| based upon policy, the connection is a template.
| connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none
| new hp@0x55f15ac25218
added connection description "main"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
| 192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org]...%any[C=*, ST=*, L=Toronto, O=*, OU=*, CN=*, E=*]
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 1.64 milliseconds in whack
| spent 0.00316 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 828 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
|   0e 84 75 86  e2 ad a8 ef  00 00 00 00  00 00 00 00
|   21 20 22 08  00 00 00 00  00 00 03 3c  22 00 01 b4
|   02 00 00 64  01 01 00 0b  03 00 00 0c  01 00 00 14
|   80 0e 01 00  03 00 00 08  02 00 00 07  03 00 00 08
|   02 00 00 05  03 00 00 08  04 00 00 0e  03 00 00 08
|   04 00 00 0f  03 00 00 08  04 00 00 10  03 00 00 08
|   04 00 00 12  03 00 00 08  04 00 00 13  03 00 00 08
|   04 00 00 14  03 00 00 08  04 00 00 15  00 00 00 08
|   04 00 00 1f  02 00 00 64  02 01 00 0b  03 00 00 0c
|   01 00 00 14  80 0e 00 80  03 00 00 08  02 00 00 07
|   03 00 00 08  02 00 00 05  03 00 00 08  04 00 00 0e
|   03 00 00 08  04 00 00 0f  03 00 00 08  04 00 00 10
|   03 00 00 08  04 00 00 12  03 00 00 08  04 00 00 13
|   03 00 00 08  04 00 00 14  03 00 00 08  04 00 00 15
|   00 00 00 08  04 00 00 1f  02 00 00 74  03 01 00 0d
|   03 00 00 0c  01 00 00 0c  80 0e 01 00  03 00 00 08
|   02 00 00 07  03 00 00 08  02 00 00 05  03 00 00 08
|   03 00 00 0e  03 00 00 08  03 00 00 0c  03 00 00 08
|   04 00 00 0e  03 00 00 08  04 00 00 0f  03 00 00 08
|   04 00 00 10  03 00 00 08  04 00 00 12  03 00 00 08
|   04 00 00 13  03 00 00 08  04 00 00 14  03 00 00 08
|   04 00 00 15  00 00 00 08  04 00 00 1f  00 00 00 74
|   04 01 00 0d  03 00 00 0c  01 00 00 0c  80 0e 00 80
|   03 00 00 08  02 00 00 07  03 00 00 08  02 00 00 05
|   03 00 00 08  03 00 00 0e  03 00 00 08  03 00 00 0c
|   03 00 00 08  04 00 00 0e  03 00 00 08  04 00 00 0f
|   03 00 00 08  04 00 00 10  03 00 00 08  04 00 00 12
|   03 00 00 08  04 00 00 13  03 00 00 08  04 00 00 14
|   03 00 00 08  04 00 00 15  00 00 00 08  04 00 00 1f
|   28 00 01 08  00 0e 00 00  95 bc 75 aa  77 af 24 d7
|   80 2c de 30  54 35 67 e3  84 eb 7c 31  9e d0 2e 30
|   33 35 2f 3d  1a d4 9f ee  81 69 45 a9  bd 49 b9 32
|   87 ad 06 48  15 c9 54 b2  e0 54 16 3f  dd e1 60 75
|   75 73 22 04  24 db 97 ee  43 37 45 e6  58 77 c7 d7
|   bb 0b 49 f0  b5 2c b4 83  d5 fa 48 a7  93 9f db 64
|   9a cd 55 6d  77 be 40 06  a5 bf c8 58  f4 7b c2 2e
|   99 ae e6 6d  26 e9 0a a5  a5 68 41 2f  ec e8 e4 6d
|   e8 b0 7f bd  69 2e 31 7f  95 1b ce bd  2d 57 6f 3e
|   e5 76 9c 5c  91 5c 3a de  8c cc ed f2  83 3e 14 5c
|   1e 0d b6 93  d5 74 63 44  96 da 9f fe  6c 89 0d 9e
|   2c cb 14 76  7d f4 74 2b  29 f5 d7 34  f2 dd 87 71
|   00 b0 ef 69  8c 42 77 b1  10 c5 ab 93  42 86 26 a1
|   98 64 f1 aa  35 cb 0f a9  d0 62 42 7d  17 08 31 d2
|   fb 02 c2 c1  16 68 2d 83  02 7c c3 5a  9e eb 0b b3
|   57 4f fe 0b  95 bc be 0e  e5 ef d8 c7  c1 f7 39 40
|   e6 c6 8e 54  53 5d 59 7f  29 00 00 24  69 a2 4a 1d
|   83 cb 2b 96  d5 cc 80 dc  63 14 ec f2  8b 9b 04 31
|   aa d0 a4 f2  2b ae 83 b3  e0 7f ee 88  29 00 00 08
|   00 00 40 2e  29 00 00 1c  00 00 40 04  46 2e 4b 34
|   ec 3b 5f b5  ae 1c db b9  1c f0 70 99  5b a5 80 93
|   00 00 00 1c  00 00 40 05  bd 95 cf c9  c9 d2 da c9
|   7d 87 b8 9a  20 c4 ae 5c  79 a7 93 74
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   0e 84 75 86  e2 ad a8 ef
|    responder cookie:
|   00 00 00 00  00 00 00 00
|    next payload type: ISAKMP_NEXT_v2SA (0x21)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_SA_INIT (0x22)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 0 (0x0)
|    length: 828 (0x33c)
|  processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request 
| State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi)
| Now let's proceed with payload (ISAKMP_NEXT_v2SA)
| ***parse IKEv2 Security Association Payload:
|    next payload type: ISAKMP_NEXT_v2KE (0x22)
|    flags: none (0x0)
|    length: 436 (0x1b4)
| processing payload: ISAKMP_NEXT_v2SA (len=432)
| Now let's proceed with payload (ISAKMP_NEXT_v2KE)
| ***parse IKEv2 Key Exchange Payload:
|    next payload type: ISAKMP_NEXT_v2Ni (0x28)
|    flags: none (0x0)
|    length: 264 (0x108)
|    DH group: OAKLEY_GROUP_MODP2048 (0xe)
| processing payload: ISAKMP_NEXT_v2KE (len=256)
| Now let's proceed with payload (ISAKMP_NEXT_v2Ni)
| ***parse IKEv2 Nonce Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
|    length: 36 (0x24)
| processing payload: ISAKMP_NEXT_v2Ni (len=32)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
|    length: 8 (0x8)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e)
| processing payload: ISAKMP_NEXT_v2N (len=0)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
|    length: 28 (0x1c)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004)
| processing payload: ISAKMP_NEXT_v2N (len=20)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    length: 28 (0x1c)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
| processing payload: ISAKMP_NEXT_v2N (len=20)
| DDOS disabled and no cookie sent, continuing
| find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| find_next_host_connection returns empty
| find_host_connection local=192.1.2.23:500 remote=<none:> policy=ECDSA+IKEV2_ALLOW but ignoring ports
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (main)
| find_next_host_connection returns empty
| initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW
| find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| find_next_host_connection returns empty
| find_host_connection local=192.1.2.23:500 remote=<none:> policy=RSASIG+IKEV2_ALLOW but ignoring ports
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (main)
| find_next_host_connection returns main
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| find_next_host_connection returns empty
| rw_instantiate
| connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none
| new hp@0x55f15ac26368
| rw_instantiate() instantiated "main"[1] 192.1.2.45 for 192.1.2.45
| found connection: main[1] 192.1.2.45 with policy RSASIG+IKEV2_ALLOW
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| creating state object #1 at 0x55f15ac29268
| State DB: adding IKEv2 state #1 in UNDEFINED
| pstats #1 ikev2.ike started
| Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0
| parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA)
| Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1
| start processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45 (in ikev2_process_packet() at ikev2.c:2016)
| State DB: IKEv2 state not found (find_v2_sa_by_responder_wip)
| [RE]START processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45 (in ike_process_packet() at ikev2.c:2064)
| #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000
| Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1
| Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0
| #1 in state PARENT_R0: processing SA_INIT request
| selected state microcode Respond to IKE_SA_INIT
| Now let's proceed with state specific processing
| calling processor Respond to IKE_SA_INIT
| #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669)
| constructing local IKE proposals for main (IKE SA responder matching remote proposals)
| converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ...  ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ...  ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ...  ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ...  ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
"main"[1] 192.1.2.45: constructed local IKE proposals for main (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| Comparing remote proposals against IKE responder 4 local proposals
| local proposal 1 type ENCR has 1 transforms
| local proposal 1 type PRF has 2 transforms
| local proposal 1 type INTEG has 1 transforms
| local proposal 1 type DH has 8 transforms
| local proposal 1 type ESN has 0 transforms
| local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG
| local proposal 2 type ENCR has 1 transforms
| local proposal 2 type PRF has 2 transforms
| local proposal 2 type INTEG has 1 transforms
| local proposal 2 type DH has 8 transforms
| local proposal 2 type ESN has 0 transforms
| local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG
| local proposal 3 type ENCR has 1 transforms
| local proposal 3 type PRF has 2 transforms
| local proposal 3 type INTEG has 2 transforms
| local proposal 3 type DH has 8 transforms
| local proposal 3 type ESN has 0 transforms
| local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none
| local proposal 4 type ENCR has 1 transforms
| local proposal 4 type PRF has 2 transforms
| local proposal 4 type INTEG has 2 transforms
| local proposal 4 type DH has 8 transforms
| local proposal 4 type ESN has 0 transforms
| local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none
| ****parse IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    length: 100 (0x64)
|    prop #: 1 (0x1)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 11 (0xb)
| Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 12 (0xc)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_GCM_C (0x14)
| ******parse IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 256 (0x100)
| remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0
| remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0
| remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0
| remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none
| comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH
| remote proposal 1 matches local proposal 1
| ****parse IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    length: 100 (0x64)
|    prop #: 2 (0x2)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 11 (0xb)
| Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 12 (0xc)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_GCM_C (0x14)
| ******parse IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 128 (0x80)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH
| remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH
| ****parse IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    length: 116 (0x74)
|    prop #: 3 (0x3)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 13 (0xd)
| Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 12 (0xc)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_CBC (0xc)
| ******parse IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 256 (0x100)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH
| remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH
| ****parse IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_LAST (0x0)
|    length: 116 (0x74)
|    prop #: 4 (0x4)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 13 (0xd)
| Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 12 (0xc)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_CBC (0xc)
| ******parse IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 128 (0x80)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH
| remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH
"main"[1] 192.1.2.45 #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519
| accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048
| converting proposal to internal trans attrs
| natd_hash: rcookie is zero
| natd_hash: hasher=0x55f1596dc800(20)
| natd_hash: icookie=  0e 84 75 86  e2 ad a8 ef
| natd_hash: rcookie=  00 00 00 00  00 00 00 00
| natd_hash: ip=  c0 01 02 17
| natd_hash: port=500
| natd_hash: hash=  bd 95 cf c9  c9 d2 da c9  7d 87 b8 9a  20 c4 ae 5c
| natd_hash: hash=  79 a7 93 74
| natd_hash: rcookie is zero
| natd_hash: hasher=0x55f1596dc800(20)
| natd_hash: icookie=  0e 84 75 86  e2 ad a8 ef
| natd_hash: rcookie=  00 00 00 00  00 00 00 00
| natd_hash: ip=  c0 01 02 2d
| natd_hash: port=500
| natd_hash: hash=  46 2e 4b 34  ec 3b 5f b5  ae 1c db b9  1c f0 70 99
| natd_hash: hash=  5b a5 80 93
| NAT_TRAVERSAL encaps using auto-detect
| NAT_TRAVERSAL this end is NOT behind NAT
| NAT_TRAVERSAL that end is NOT behind NAT
| NAT_TRAVERSAL nat-keepalive enabled 192.1.2.45
| adding ikev2_inI1outR1 KE work-order 1 for state #1
| event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55f15ac27218
| inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1
| libevent_malloc: new ptr-libevent@0x55f15ac21b68 size 128
|   #1 spent 0.75 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet()
| crypto helper 0 resuming
| crypto helper 0 starting work-order 1 for state #1
| crypto helper 0 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1
| [RE]START processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379)
| #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND
| suspending state #1 and saving MD
| #1 is busy; has a suspended MD
| [RE]START processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269)
| "main"[1] 192.1.2.45 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451
| stop processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 1.16 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 1.17 milliseconds in comm_handle_cb() reading and processing packet
| crypto helper 0 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.000979 seconds
| (#1) spent 0.966 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr)
| crypto helper 0 sending results from work-order 1 for state #1 to event queue
| scheduling resume sending helper answer for #1
| libevent_malloc: new ptr-libevent@0x7fe814002888 size 128
| crypto helper 0 waiting (nothing to do)
| processing resume sending helper answer for #1
| start processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:797)
| crypto helper 0 replies to request ID 1
| calling continuation function 0x55f159607b50
| ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1
| **emit ISAKMP Message:
|    initiator cookie:
|   0e 84 75 86  e2 ad a8 ef
|    responder cookie:
|   df ff 06 37  f3 41 0f 17
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_SA_INIT (0x22)
|    flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
|    Message ID: 0 (0x0)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| Emitting ikev2_proposal ...
| ***emit IKEv2 Security Association Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA)
| next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet'
| ****emit IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_LAST (0x0)
|    prop #: 1 (0x1)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 3 (0x3)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| ******emit IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 36
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| emitting length of IKEv2 Security Association Payload: 40
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0
| ***emit IKEv2 Key Exchange Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    DH group: OAKLEY_GROUP_MODP2048 (0xe)
| next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE)
| next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet'
| emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
| ikev2 g^x  cc ec 49 60  3a b2 37 a1  ae c5 67 bf  e6 c6 24 14
| ikev2 g^x  43 c1 62 55  65 c2 95 d8  16 3d 9e 92  73 22 b4 7d
| ikev2 g^x  b2 17 13 3b  a8 59 f5 03  29 73 e8 ed  5b 2f 84 94
| ikev2 g^x  94 c6 8c 55  6a a9 fb a7  2b 56 4d cd  8f 04 ea ac
| ikev2 g^x  09 71 26 10  6b e3 d5 6c  0c 54 39 38  22 78 f8 6c
| ikev2 g^x  4e 41 db da  e1 2d f8 39  78 ba 65 22  c5 6e bc bb
| ikev2 g^x  04 50 ec bc  fc c4 d6 56  f8 bc 44 92  d1 9c 77 57
| ikev2 g^x  9a eb db d1  c0 bb 1d 84  15 cf ea 1e  cb 5e e6 1c
| ikev2 g^x  b5 b5 34 c2  42 50 47 cd  f6 c9 43 f5  f8 37 52 ff
| ikev2 g^x  9f 27 cb 86  90 6a d2 ad  c3 05 f0 32  50 46 b7 3b
| ikev2 g^x  a2 08 68 98  64 ae ed 8f  a7 17 bc f6  5e da a3 8b
| ikev2 g^x  0b 26 52 de  df 31 71 27  f1 84 f6 79  ab 47 6c ee
| ikev2 g^x  7a ca 5a 58  b1 f1 c1 66  b7 d6 6c 36  dc 3a 51 5d
| ikev2 g^x  ff 22 fa d5  3f a0 eb 51  c5 77 db 11  00 81 e3 7e
| ikev2 g^x  b6 97 5a 36  28 d5 16 da  1c 22 a7 dd  1c 02 f1 2d
| ikev2 g^x  c0 d3 e1 b8  ea 3c 87 c5  dc 06 d7 01  09 8a a9 c3
| emitting length of IKEv2 Key Exchange Payload: 264
| ***emit IKEv2 Nonce Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
| next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N
| next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni)
| next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet'
| emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload
| IKEv2 nonce  bc 9d d2 fd  b8 d6 8d 14  3c 81 8d f0  3a 55 0e 8a
| IKEv2 nonce  c2 2e e8 9a  d7 51 08 15  e9 1e 9e 37  f5 d1 f1 ed
| emitting length of IKEv2 Nonce Payload: 36
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e)
| next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting length of IKEv2 Notify Payload: 8
|  NAT-Traversal support  [enabled] add v2N payloads.
| natd_hash: hasher=0x55f1596dc800(20)
| natd_hash: icookie=  0e 84 75 86  e2 ad a8 ef
| natd_hash: rcookie=  df ff 06 37  f3 41 0f 17
| natd_hash: ip=  c0 01 02 17
| natd_hash: port=500
| natd_hash: hash=  ae 28 ab 04  20 99 57 2f  b4 87 60 06  c9 d9 c9 0e
| natd_hash: hash=  35 e1 e4 e3
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting 20 raw bytes of Notify data into IKEv2 Notify Payload
| Notify data  ae 28 ab 04  20 99 57 2f  b4 87 60 06  c9 d9 c9 0e
| Notify data  35 e1 e4 e3
| emitting length of IKEv2 Notify Payload: 28
| natd_hash: hasher=0x55f1596dc800(20)
| natd_hash: icookie=  0e 84 75 86  e2 ad a8 ef
| natd_hash: rcookie=  df ff 06 37  f3 41 0f 17
| natd_hash: ip=  c0 01 02 2d
| natd_hash: port=500
| natd_hash: hash=  2f 50 7c 94  81 26 b0 0b  42 2a 2a 48  38 83 7f 40
| natd_hash: hash=  f8 f5 b2 88
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting 20 raw bytes of Notify data into IKEv2 Notify Payload
| Notify data  2f 50 7c 94  81 26 b0 0b  42 2a 2a 48  38 83 7f 40
| Notify data  f8 f5 b2 88
| emitting length of IKEv2 Notify Payload: 28
| going to send a certreq
| connection->kind is not CK_PERMANENT (instance), so collect CAs
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| Not a roadwarrior instance, sending empty CA in CERTREQ
| ***emit IKEv2 Certificate Request Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    ikev2 cert encoding: CERT_X509_SIGNATURE (0x4)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Certificate Request Payload (38:ISAKMP_NEXT_v2CERTREQ)
| next payload chain: saving location 'IKEv2 Certificate Request Payload'.'next payload type' in 'reply packet'
| emitting length of IKEv2 Certificate Request Payload: 5
| emitting length of ISAKMP Message: 437
| [RE]START processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379)
| #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK
| IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1
| parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA)
| Message ID: updating counters for #1 to 0 after switching state
| Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1
| Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1
"main"[1] 192.1.2.45 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
| sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500)
| sending 437 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
|   0e 84 75 86  e2 ad a8 ef  df ff 06 37  f3 41 0f 17
|   21 20 22 20  00 00 00 00  00 00 01 b5  22 00 00 28
|   00 00 00 24  01 01 00 03  03 00 00 0c  01 00 00 14
|   80 0e 01 00  03 00 00 08  02 00 00 07  00 00 00 08
|   04 00 00 0e  28 00 01 08  00 0e 00 00  cc ec 49 60
|   3a b2 37 a1  ae c5 67 bf  e6 c6 24 14  43 c1 62 55
|   65 c2 95 d8  16 3d 9e 92  73 22 b4 7d  b2 17 13 3b
|   a8 59 f5 03  29 73 e8 ed  5b 2f 84 94  94 c6 8c 55
|   6a a9 fb a7  2b 56 4d cd  8f 04 ea ac  09 71 26 10
|   6b e3 d5 6c  0c 54 39 38  22 78 f8 6c  4e 41 db da
|   e1 2d f8 39  78 ba 65 22  c5 6e bc bb  04 50 ec bc
|   fc c4 d6 56  f8 bc 44 92  d1 9c 77 57  9a eb db d1
|   c0 bb 1d 84  15 cf ea 1e  cb 5e e6 1c  b5 b5 34 c2
|   42 50 47 cd  f6 c9 43 f5  f8 37 52 ff  9f 27 cb 86
|   90 6a d2 ad  c3 05 f0 32  50 46 b7 3b  a2 08 68 98
|   64 ae ed 8f  a7 17 bc f6  5e da a3 8b  0b 26 52 de
|   df 31 71 27  f1 84 f6 79  ab 47 6c ee  7a ca 5a 58
|   b1 f1 c1 66  b7 d6 6c 36  dc 3a 51 5d  ff 22 fa d5
|   3f a0 eb 51  c5 77 db 11  00 81 e3 7e  b6 97 5a 36
|   28 d5 16 da  1c 22 a7 dd  1c 02 f1 2d  c0 d3 e1 b8
|   ea 3c 87 c5  dc 06 d7 01  09 8a a9 c3  29 00 00 24
|   bc 9d d2 fd  b8 d6 8d 14  3c 81 8d f0  3a 55 0e 8a
|   c2 2e e8 9a  d7 51 08 15  e9 1e 9e 37  f5 d1 f1 ed
|   29 00 00 08  00 00 40 2e  29 00 00 1c  00 00 40 04
|   ae 28 ab 04  20 99 57 2f  b4 87 60 06  c9 d9 c9 0e
|   35 e1 e4 e3  26 00 00 1c  00 00 40 05  2f 50 7c 94
|   81 26 b0 0b  42 2a 2a 48  38 83 7f 40  f8 f5 b2 88
|   00 00 00 05  04
| state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted
| libevent_free: release ptr-libevent@0x55f15ac21b68
| free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55f15ac27218
| event_schedule: new EVENT_SO_DISCARD-pe@0x55f15ac27218
| inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1
| libevent_malloc: new ptr-libevent@0x55f15ac26598 size 128
| resume sending helper answer for #1 suppresed complete_v2_state_transition()
| #1 spent 0.467 milliseconds in resume sending helper answer
| stop processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:833)
| libevent_free: release ptr-libevent@0x7fe814002888
| spent 0.00242 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 539 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
|   0e 84 75 86  e2 ad a8 ef  df ff 06 37  f3 41 0f 17
|   35 20 23 08  00 00 00 01  00 00 02 1b  23 00 01 ff
|   00 01 00 05  30 a9 fb 9b  ef 7e 30 52  cf 2d 6f d2
|   50 9b 80 ca  f6 9c cc 55  b1 62 d8 e4  64 c0 89 79
|   af 95 f2 96  10 2e a2 9d  d1 63 c0 18  3c e6 df 42
|   d9 2e b2 10  c6 51 ed d9  02 71 75 41  1d 5c 49 6f
|   99 30 49 da  5d 6a 1b 6d  4f a3 1c 75  f7 10 f5 bd
|   a8 4e dc c9  19 c3 c0 d3  13 d8 1d 74  c1 6e ab a8
|   30 c0 95 b5  d7 5b 85 59  06 21 e8 c6  ec bd 8c 7c
|   f3 b9 7d 1d  db fd 41 25  92 13 0a 86  d7 dc a2 21
|   86 50 e7 6f  95 51 b0 92  38 af 32 15  ec 61 91 b8
|   76 2a 25 8f  7e ec d1 f1  97 ac b1 70  74 a3 8d d7
|   6f f7 c1 78  4f 2b 4d 6d  52 5a 0c 6c  87 c4 5d e0
|   a1 3b ab da  80 8b 9e c6  9e 59 1c 80  ad 0a 7d 2f
|   02 07 ec fc  e4 e3 ed b2  81 dd f6 4e  f7 69 dd 56
|   aa 55 ae 1e  ff 9d 4a f4  62 d6 48 16  ed 63 e2 58
|   84 42 61 47  20 3a 18 5e  3a 52 37 05  23 81 2a 04
|   c5 94 0b 5c  37 15 24 a8  d3 a6 9e 92  02 57 1d 37
|   5a 57 fa b8  11 35 5c 37  08 72 3b 4c  5d 5d 3e a0
|   2d a0 34 c0  94 2a d5 66  a9 a2 0e fd  6a d7 6d 95
|   a5 35 93 b2  bd df 05 88  1f 77 b5 91  0c 39 af 57
|   d2 0d 33 40  e1 bd 91 54  8a 4a fd fc  e8 d3 64 f0
|   2f 7e 44 c4  35 d4 02 73  2c f2 25 b5  bc a0 73 63
|   d0 29 ac 63  b0 ef 9d 7b  f7 5a 51 5d  18 6b ec 8b
|   c2 62 b3 4c  23 44 27 90  2b ce 8c 14  01 26 ec d7
|   ea 6a 15 9e  77 a8 2f c2  38 0d 21 5e  a6 cd d1 5a
|   9b f0 e8 05  c8 13 7a b3  5c ac 4e 1d  49 40 48 c1
|   68 60 11 5c  3b 11 94 92  ee 4b a7 08  0e f0 03 12
|   c7 23 23 72  a9 56 da 1e  69 ec 41 43  8a 48 ed 78
|   03 f6 5b eb  60 1d da 7d  1d 1a 44 53  b6 35 58 2f
|   c1 7c 85 de  f4 82 7a 8c  24 17 c3 5b  1f 23 86 16
|   3b fe 5f b6  95 48 42 a0  a0 56 54 d9  80 1b ec db
|   d0 1c c6 15  1b 46 a2 85  0f f0 c3 2f  06 3e 8b a8
|   a0 d1 70 04  78 74 6d 7c  75 bc af
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   0e 84 75 86  e2 ad a8 ef
|    responder cookie:
|   df ff 06 37  f3 41 0f 17
|    next payload type: ISAKMP_NEXT_v2SKF (0x35)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
|    length: 539 (0x21b)
|  processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request 
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa)
| start processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016)
| State DB: IKEv2 state not found (find_v2_sa_by_responder_wip)
| [RE]START processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064)
| #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001
| Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SKF)
| ***parse IKEv2 Encrypted Fragment:
|    next payload type: ISAKMP_NEXT_v2IDi (0x23)
|    flags: none (0x0)
|    length: 511 (0x1ff)
|    fragment number: 1 (0x1)
|    total fragments: 5 (0x5)
| processing payload: ISAKMP_NEXT_v2SKF (len=503)
| Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1
| #1 in state PARENT_R1: received v2I1, sent v2R1
| received IKE encrypted fragment number '1', total number '5', next payload '35'
|  updated IKE fragment state to respond using fragments without waiting for re-transmits
| stop processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.112 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.12 milliseconds in comm_handle_cb() reading and processing packet
| spent 0.00114 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 539 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
|   0e 84 75 86  e2 ad a8 ef  df ff 06 37  f3 41 0f 17
|   35 20 23 08  00 00 00 01  00 00 02 1b  00 00 01 ff
|   00 02 00 05  f3 51 c6 00  6d c9 01 a7  4a 5c e1 9f
|   82 34 ac 45  e3 c3 ba 78  76 d6 8d b2  20 4b 16 c6
|   49 44 78 7e  f0 4c a6 f0  47 1e dd de  de d3 d8 20
|   52 46 61 e0  12 25 75 5f  48 ce 4d 5d  2b 6e 1d a7
|   2f 55 f3 c2  8c 13 9b 55  4f 29 35 96  c6 ed 26 6f
|   1d 80 ae 1b  41 bf 40 3a  b7 eb 39 05  38 58 f9 39
|   44 7f 36 c8  eb 6d f1 31  37 21 40 6a  1b 8c c1 20
|   9c 47 bb d0  bc 1b 67 3a  bf 7d 3a a0  1d f9 01 44
|   a7 6e 38 f3  1e 1d 2e eb  ff 74 49 85  11 f6 29 2c
|   63 bf f6 d8  41 ef 60 1e  b1 f7 1b b3  26 31 84 1e
|   9f ce 7d 55  f7 d3 02 be  a9 ab 62 ab  b6 26 e7 24
|   f7 e9 e3 c4  b8 c5 17 9d  b3 b7 7f 3e  97 4d 55 2f
|   ee 90 cc c3  52 4a 95 51  a2 98 80 6f  83 46 98 9c
|   b0 0e 07 40  44 2d 3c a9  1b e9 6f cf  fc 70 e4 21
|   5e 5e e5 cd  18 d3 57 75  68 90 ea 35  b3 52 b8 6e
|   a5 ec ec d2  41 53 1e 56  98 58 20 b9  a9 a2 8a bf
|   23 63 81 8a  d4 ab 49 24  e6 62 6d 97  cb 6b 4b c0
|   aa c1 87 54  1c bd d8 09  a9 36 89 46  38 4e b7 61
|   5b c6 e1 f3  9d a4 77 78  2e 8e f7 fd  91 68 d5 06
|   cc 0b f0 6c  9b 9f 91 73  5a 92 55 95  19 08 36 6d
|   2e 0c 18 f6  49 49 b5 ce  60 76 43 a4  79 7e cc 5e
|   45 f9 bf 21  35 7d 7c 2e  01 02 0c 8a  81 3d 7b 7a
|   b1 30 2b df  ac 39 94 90  e4 17 08 2c  1d 2e 2c 80
|   02 2e 11 8c  29 c4 33 ea  4d 9e 1b 40  45 47 e0 a2
|   10 a0 40 37  3d 09 33 e3  6b 5c c4 c7  a6 ed d2 0a
|   bb 3c 2e 76  51 a6 7e 33  fa 8c 46 1c  d9 2b f6 5a
|   6e eb 1d 47  81 af 02 66  c3 95 53 c4  d1 62 ec 07
|   db 0a e9 82  4e 85 93 7c  78 10 9d e5  0a 33 46 99
|   d6 87 7a 4f  01 84 cf 07  8a a5 1f 8a  a7 22 5d eb
|   27 13 4d 2c  30 41 be 5b  06 8f f6 e9  df 5f e9 5e
|   ea 8a 74 22  ac 24 0e 93  a3 11 7f e8  06 bb 77 40
|   87 e3 da 1b  86 74 ea 44  2b fd 22
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   0e 84 75 86  e2 ad a8 ef
|    responder cookie:
|   df ff 06 37  f3 41 0f 17
|    next payload type: ISAKMP_NEXT_v2SKF (0x35)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
|    length: 539 (0x21b)
|  processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request 
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa)
| start processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016)
| [RE]START processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2062)
| #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001
| #1 is idle
| #1 idle
| Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SKF)
| ***parse IKEv2 Encrypted Fragment:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    length: 511 (0x1ff)
|    fragment number: 2 (0x2)
|    total fragments: 5 (0x5)
| processing payload: ISAKMP_NEXT_v2SKF (len=503)
| #1 in state PARENT_R1: received v2I1, sent v2R1
| received IKE encrypted fragment number '2', total number '5', next payload '0'
| stop processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.0918 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.0988 milliseconds in comm_handle_cb() reading and processing packet
| spent 0.00105 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 539 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
|   0e 84 75 86  e2 ad a8 ef  df ff 06 37  f3 41 0f 17
|   35 20 23 08  00 00 00 01  00 00 02 1b  00 00 01 ff
|   00 03 00 05  cc bb 6d 68  2d 52 00 45  58 78 cc a7
|   52 c4 09 bd  eb 04 59 38  c0 40 da 36  8a 01 fb 0c
|   14 42 66 dc  44 dc 0b c5  70 a0 0e 80  53 a2 df 95
|   41 40 d1 bd  99 ef 32 6e  44 7e 57 20  b1 f6 58 43
|   60 18 3d 4a  16 d4 e5 69  e6 c4 58 0a  f6 14 d8 18
|   ca 52 ec 00  35 4c ee a4  3e 64 68 a0  99 00 a9 3b
|   3c 07 7b 04  cd d9 68 4f  9f 30 d0 62  04 22 32 08
|   25 1c cb 2f  58 5b 43 37  4a 5d 03 be  09 ef 70 b8
|   db 44 78 ed  00 2a 68 b0  d4 39 c0 46  c6 83 7e af
|   bf f1 93 6d  31 70 2a 4c  07 10 20 46  d4 a4 4a 56
|   b0 32 3a f4  65 f4 62 08  b8 66 74 06  3a 5d 4c 08
|   92 92 da bf  8b f3 df 46  a1 82 6e 75  c4 2e fa 20
|   a8 d5 dc 67  f2 bc 0a 12  07 de 81 e7  4f 3b 0a 04
|   e2 31 a7 b2  c3 bd 44 d6  d6 7d 23 64  ef 55 13 c9
|   dc 88 6a ed  3e 9b 0f 25  39 83 d3 15  0c 9d 3f 23
|   8e cc 3a 75  f0 0e 26 e3  79 76 65 22  99 5f ef af
|   b4 b2 b6 18  24 e7 70 5b  39 56 0e b1  93 4c 4b 8b
|   c0 b3 07 84  69 c0 30 df  d3 99 c4 2b  11 4e 89 fa
|   19 ec 17 13  e6 77 19 a3  d8 7c a2 13  eb 79 fa bb
|   b6 f4 a5 7d  2e fd f5 de  71 7e 2a c8  86 64 38 95
|   d4 a3 ab 17  b7 d6 ff 24  e9 be cf ea  78 fd 39 55
|   f6 76 47 a2  a9 f5 66 88  f1 24 a1 da  00 71 1e d0
|   c3 50 55 a0  dd 54 f4 44  6c 46 7b 14  62 b0 92 84
|   e1 7a 35 2a  f8 43 e8 9a  8f 01 77 24  a4 89 7c f0
|   59 1a 13 01  ec 6b 07 87  55 5b 15 4e  44 43 8f da
|   59 02 1c 70  2a 81 76 35  17 99 de 64  68 27 3c 43
|   ca 05 d4 b1  7e 70 01 e6  38 a0 9f 7b  83 12 0c ee
|   a8 54 bb b5  18 76 14 c1  f7 ad 2e 5c  2f 14 37 cb
|   84 be 70 c1  82 3b e1 0b  32 cc ba 1a  27 5f 89 4e
|   77 ba 2b 25  61 39 80 db  77 82 4b 6f  86 cc ed ce
|   c8 10 c7 a0  f0 47 31 f1  1d b2 60 24  66 b4 d8 39
|   fc a5 dd bb  5e 86 e7 64  80 91 93
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   0e 84 75 86  e2 ad a8 ef
|    responder cookie:
|   df ff 06 37  f3 41 0f 17
|    next payload type: ISAKMP_NEXT_v2SKF (0x35)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
|    length: 539 (0x21b)
|  processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request 
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa)
| start processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016)
| [RE]START processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2062)
| #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001
| #1 is idle
| #1 idle
| Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SKF)
| ***parse IKEv2 Encrypted Fragment:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    length: 511 (0x1ff)
|    fragment number: 3 (0x3)
|    total fragments: 5 (0x5)
| processing payload: ISAKMP_NEXT_v2SKF (len=503)
| #1 in state PARENT_R1: received v2I1, sent v2R1
| received IKE encrypted fragment number '3', total number '5', next payload '0'
| stop processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.0953 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.102 milliseconds in comm_handle_cb() reading and processing packet
| spent 0.00111 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 539 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
|   0e 84 75 86  e2 ad a8 ef  df ff 06 37  f3 41 0f 17
|   35 20 23 08  00 00 00 01  00 00 02 1b  00 00 01 ff
|   00 04 00 05  66 51 4f 43  38 21 4b 18  76 90 34 a6
|   e0 e4 2b d2  b4 a0 06 8b  e4 f0 f1 75  06 98 82 5d
|   5f a6 cf 68  f4 f4 1c 68  1a 99 f6 1f  53 41 e5 35
|   7e 58 64 54  11 78 01 27  d3 ec 30 93  d4 f1 7f f4
|   e1 f4 23 de  c2 62 b1 e9  af 71 b7 c8  f9 82 a7 39
|   9c 52 c8 84  0b a4 f1 0c  9a cf 8b c4  88 cc 07 e1
|   29 8a 19 2a  41 7d 12 37  56 11 07 ca  24 d8 79 c3
|   91 19 4b f1  f3 a6 2d 09  dd 22 96 8c  de 05 70 41
|   1b e0 a1 7f  a8 d3 47 00  95 47 2b 9b  5b cf 49 16
|   a5 33 8f 6b  28 7e 6a bd  b9 61 a8 eb  3d e0 f5 43
|   f3 7e 12 fe  39 e7 cc 00  3e da 90 b3  94 16 31 ed
|   55 49 57 e7  8f 83 05 48  92 2e 35 27  16 ec 35 d9
|   4d 0d ed a4  c9 b5 5f 1d  ac 75 b3 7b  a7 bc 59 a2
|   cb 08 81 0d  c8 cf ce 03  0d be f0 d8  b0 b7 52 77
|   f3 78 ac 2c  e8 77 1e d5  45 56 0a 01  68 08 3e 0a
|   86 17 77 40  5f 78 99 2d  ee 67 a9 3d  67 b9 44 86
|   73 e2 09 40  5b ab b5 4f  7d c2 3e f7  db 25 b5 3e
|   24 4d c2 95  33 e5 41 8f  9f 86 20 9c  94 34 4e 11
|   d9 6e 96 3c  2a 36 7d 0e  49 f5 0c 47  ac ca 85 95
|   a7 98 27 9b  88 f0 72 74  9e 2c d0 12  eb 81 ad 30
|   4a 85 d9 56  d1 1d f9 6f  ff 87 82 c6  39 70 ca df
|   29 20 ee 14  62 6f 48 ef  a6 72 a4 57  df 9a 85 a4
|   df 50 e3 b3  6e a2 9a d7  58 3f 4b 16  7a 26 7f 71
|   aa 7b d5 48  28 6b fd f0  03 82 24 28  05 25 3f 8e
|   2d 0e 9b 6b  3a 92 30 41  ab e2 35 b2  da 7a 8f bc
|   83 79 77 b3  88 75 ba 04  73 2a 8b 59  54 7a 99 0d
|   8b df 27 b1  ea 03 46 b5  8b 7c b9 99  47 35 2e 2f
|   0a 46 56 c2  f3 36 a2 78  23 68 c1 73  82 f5 32 86
|   9a 8b d0 31  df 21 b4 cf  a5 d8 15 ca  1c 5b 3e ab
|   14 dc 95 ab  2e a2 92 60  45 8c ce 17  52 51 e2 7c
|   dc 1b 50 44  e4 1e 5d fd  1a 11 c2 04  bd 11 bf 29
|   af b0 96 85  7d f0 9b c4  cd 28 6e
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   0e 84 75 86  e2 ad a8 ef
|    responder cookie:
|   df ff 06 37  f3 41 0f 17
|    next payload type: ISAKMP_NEXT_v2SKF (0x35)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
|    length: 539 (0x21b)
|  processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request 
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa)
| start processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016)
| [RE]START processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2062)
| #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001
| #1 is idle
| #1 idle
| Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SKF)
| ***parse IKEv2 Encrypted Fragment:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    length: 511 (0x1ff)
|    fragment number: 4 (0x4)
|    total fragments: 5 (0x5)
| processing payload: ISAKMP_NEXT_v2SKF (len=503)
| #1 in state PARENT_R1: received v2I1, sent v2R1
| received IKE encrypted fragment number '4', total number '5', next payload '0'
| stop processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.104 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.114 milliseconds in comm_handle_cb() reading and processing packet
| spent 0.00163 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 234 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
|   0e 84 75 86  e2 ad a8 ef  df ff 06 37  f3 41 0f 17
|   35 20 23 08  00 00 00 01  00 00 00 ea  00 00 00 ce
|   00 05 00 05  ea 7b 43 7d  80 70 67 be  51 21 a4 5f
|   e3 7f 29 b9  7e 93 f6 d5  4b d2 b5 d1  5c 12 36 8f
|   56 20 61 d7  25 01 65 af  ed 77 d4 93  e1 2d 88 ba
|   37 de d8 bf  2c 3a fd 26  ba 6b f3 21  33 bc ad 07
|   4b d5 30 38  25 7c 5f f1  ca cf 5c 54  71 c5 5b 10
|   85 72 37 19  1e c5 fb 63  26 05 a3 25  1f 44 55 dd
|   8c 5d 0f 4b  c3 e0 6a 5d  31 f0 a3 eb  53 b2 47 56
|   e7 11 bd bd  bc 28 d9 0c  03 b8 c4 6b  85 d4 a8 b9
|   ac b3 b3 b8  02 76 df 6d  9f 2d b6 ed  14 c0 89 a3
|   f1 2c 72 24  fe b2 55 4a  61 fd 21 0a  26 31 04 70
|   c0 95 e4 58  aa af 02 4f  0e 0c 23 ba  6b 83 3f 5b
|   b5 aa ea 64  0e d2 0d 81  6c c3 5e 20  2a d1 34 53
|   7a 86 0d 38  03 20 6b 3d  bc 5d
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   0e 84 75 86  e2 ad a8 ef
|    responder cookie:
|   df ff 06 37  f3 41 0f 17
|    next payload type: ISAKMP_NEXT_v2SKF (0x35)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
|    length: 234 (0xea)
|  processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request 
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa)
| start processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016)
| [RE]START processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2062)
| #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001
| #1 is idle
| #1 idle
| Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SKF)
| ***parse IKEv2 Encrypted Fragment:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    length: 206 (0xce)
|    fragment number: 5 (0x5)
|    total fragments: 5 (0x5)
| processing payload: ISAKMP_NEXT_v2SKF (len=198)
| #1 in state PARENT_R1: received v2I1, sent v2R1
| received IKE encrypted fragment number '5', total number '5', next payload '0'
| selected state microcode Responder: process IKE_AUTH request (no SKEYSEED)
| Now let's proceed with state specific processing
| calling processor Responder: process IKE_AUTH request (no SKEYSEED)
| ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2
| offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16
| adding ikev2_inI2outR2 KE work-order 2 for state #1
| state #1 requesting EVENT_SO_DISCARD to be deleted
| libevent_free: release ptr-libevent@0x55f15ac26598
| free_event_entry: release EVENT_SO_DISCARD-pe@0x55f15ac27218
| event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55f15ac27218
| inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1
| libevent_malloc: new ptr-libevent@0x7fe814002888 size 128
|   #1 spent 0.0295 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet()
| [RE]START processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379)
| crypto helper 1 resuming
| crypto helper 1 starting work-order 2 for state #1
| #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND
| crypto helper 1 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2
| suspending state #1 and saving MD
| #1 is busy; has a suspended MD
| [RE]START processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269)
| "main"[1] 192.1.2.45 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451
| stop processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.164 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.175 milliseconds in comm_handle_cb() reading and processing packet
| calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4
| crypto helper 1 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001315 seconds
| (#1) spent 1.31 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr)
| crypto helper 1 sending results from work-order 2 for state #1 to event queue
| scheduling resume sending helper answer for #1
| libevent_malloc: new ptr-libevent@0x7fe80c000f48 size 128
| crypto helper 1 waiting (nothing to do)
| processing resume sending helper answer for #1
| start processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:797)
| crypto helper 1 replies to request ID 2
| calling continuation function 0x55f159607b50
| ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2
| #1 in state PARENT_R1: received v2I1, sent v2R1
| already have all fragments, skipping fragment collection
| already have all fragments, skipping fragment collection
| #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success
| Now let's proceed with payload (ISAKMP_NEXT_v2IDi)
| **parse IKEv2 Identification - Initiator - Payload:
|    next payload type: ISAKMP_NEXT_v2CERT (0x25)
|    flags: none (0x0)
|    length: 191 (0xbf)
|    ID type: ID_DER_ASN1_DN (0x9)
| processing payload: ISAKMP_NEXT_v2IDi (len=183)
| Now let's proceed with payload (ISAKMP_NEXT_v2CERT)
| **parse IKEv2 Certificate Payload:
|    next payload type: ISAKMP_NEXT_v2CERTREQ (0x26)
|    flags: none (0x0)
|    length: 1265 (0x4f1)
|    ikev2 cert encoding: CERT_X509_SIGNATURE (0x4)
| processing payload: ISAKMP_NEXT_v2CERT (len=1260)
| Now let's proceed with payload (ISAKMP_NEXT_v2CERTREQ)
| **parse IKEv2 Certificate Request Payload:
|    next payload type: ISAKMP_NEXT_v2AUTH (0x27)
|    flags: none (0x0)
|    length: 25 (0x19)
|    ikev2 cert encoding: CERT_X509_SIGNATURE (0x4)
| processing payload: ISAKMP_NEXT_v2CERTREQ (len=20)
| Now let's proceed with payload (ISAKMP_NEXT_v2AUTH)
| **parse IKEv2 Authentication Payload:
|    next payload type: ISAKMP_NEXT_v2SA (0x21)
|    flags: none (0x0)
|    length: 392 (0x188)
|    auth method: IKEv2_AUTH_RSA (0x1)
| processing payload: ISAKMP_NEXT_v2AUTH (len=384)
| Now let's proceed with payload (ISAKMP_NEXT_v2SA)
| **parse IKEv2 Security Association Payload:
|    next payload type: ISAKMP_NEXT_v2TSi (0x2c)
|    flags: none (0x0)
|    length: 164 (0xa4)
| processing payload: ISAKMP_NEXT_v2SA (len=160)
| Now let's proceed with payload (ISAKMP_NEXT_v2TSi)
| **parse IKEv2 Traffic Selector - Initiator - Payload:
|    next payload type: ISAKMP_NEXT_v2TSr (0x2d)
|    flags: none (0x0)
|    length: 24 (0x18)
|    number of TS: 1 (0x1)
| processing payload: ISAKMP_NEXT_v2TSi (len=16)
| Now let's proceed with payload (ISAKMP_NEXT_v2TSr)
| **parse IKEv2 Traffic Selector - Responder - Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    length: 24 (0x18)
|    number of TS: 1 (0x1)
| processing payload: ISAKMP_NEXT_v2TSr (len=16)
| selected state microcode Responder: process IKE_AUTH request
| Now let's proceed with state specific processing
| calling processor Responder: process IKE_AUTH request
"main"[1] 192.1.2.45 #1: processing decrypted IKE_AUTH request: SK{IDi,CERT,CERTREQ,AUTH,SA,TSi,TSr}
| #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669)
| global one-shot timer EVENT_FREE_ROOT_CERTS scheduled in 300 seconds
loading root certificate cache
| spent 3.19 milliseconds in get_root_certs() calling PK11_ListCertsInSlot()
| spent 0.0241 milliseconds in get_root_certs() filtering CAs
|       #1 spent 3.25 milliseconds in find_and_verify_certs() calling get_root_certs()
| checking for known CERT payloads
| saving certificate of type 'X509_SIGNATURE'
| decoded cert: E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
|       #1 spent 0.139 milliseconds in find_and_verify_certs() calling decode_cert_payloads()
| cert_issuer_has_current_crl: looking for a CRL issued by E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
|       #1 spent 0.0285 milliseconds in find_and_verify_certs() calling crl_update_check()
| missing or expired CRL
| crl_strict: 0, ocsp: 0, ocsp_strict: 0, ocsp_post: 0
| verify_end_cert trying profile IPsec
"main"[1] 192.1.2.45 #1: Certificate E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA failed IPsec verification
"main"[1] 192.1.2.45 #1: ERROR: The certificate was signed using a signature algorithm that is disabled because it is not secure.
|       #1 spent 0.301 milliseconds in find_and_verify_certs() calling verify_end_cert()
"main"[1] 192.1.2.45 #1: X509: Certificate rejected for this connection
"main"[1] 192.1.2.45 #1: X509: CERT payload bogus or revoked
| DER ASN1 DN:  30 81 b4 31  0b 30 09 06  03 55 04 06  13 02 43 41
| DER ASN1 DN:  31 10 30 0e  06 03 55 04  08 0c 07 4f  6e 74 61 72
| DER ASN1 DN:  69 6f 31 10  30 0e 06 03  55 04 07 0c  07 54 6f 72
| DER ASN1 DN:  6f 6e 74 6f  31 12 30 10  06 03 55 04  0a 0c 09 4c
| DER ASN1 DN:  69 62 72 65  73 77 61 6e  31 18 30 16  06 03 55 04
| DER ASN1 DN:  0b 0c 0f 54  65 73 74 20  44 65 70 61  72 74 6d 65
| DER ASN1 DN:  6e 74 31 23  30 21 06 03  55 04 03 0c  1a 77 65 73
| DER ASN1 DN:  74 2e 74 65  73 74 69 6e  67 2e 6c 69  62 72 65 73
| DER ASN1 DN:  77 61 6e 2e  6f 72 67 31  2e 30 2c 06  09 2a 86 48
| DER ASN1 DN:  86 f7 0d 01  09 01 16 1f  75 73 65 72  2d 77 65 73
| DER ASN1 DN:  74 40 74 65  73 74 69 6e  67 2e 6c 69  62 72 65 73
| DER ASN1 DN:  77 61 6e 2e  6f 72 67
| CERT_X509_SIGNATURE CR:
|   58 13 71 57  9d ee 1a 15  74 03 12 80  12 4d c1 85
|   2b 92 25 e9
|   cert blob content is not binary ASN.1
| refine_host_connection for IKEv2: starting with "main"[1] 192.1.2.45
|    match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org
|             b=C=*, ST=*, L=Toronto, O=*, OU=*, CN=*, E=*
|    results  matched
| refine_host_connection: checking "main"[1] 192.1.2.45 against "main"[1] 192.1.2.45, best=(none) with match=1(id=1(6)/ca=1(0)/reqca=1(0))
| Warning: not switching back to template of current instance
| No IDr payload received from peer
| refine_host_connection: checked main[1] 192.1.2.45 against main[1] 192.1.2.45, now for see if best
| started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=*, ST=*, L=Toronto, O=*, OU=*, CN=*, E=* of kind PKK_RSA
| searching for certificate PKK_RSA:AwEAAbEef vs PKK_RSA:AwEAAbEef
| refine_host_connection: picking new best "main"[1] 192.1.2.45 (wild=6, peer_pathlen=0/our=0)
| refine going into 2nd loop allowing instantiated conns as well
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
|    match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org
|             b=C=*, ST=*, L=Toronto, O=*, OU=*, CN=*, E=*
|    results  matched
| refine_host_connection: checking "main"[1] 192.1.2.45 against "main", best=main with match=1(id=1(6)/ca=1(0)/reqca=1(0))
| Warning: not switching back to template of current instance
| No IDr payload received from peer
| refine_host_connection: checked main[1] 192.1.2.45 against main, now for see if best
| started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=*, ST=*, L=Toronto, O=*, OU=*, CN=*, E=* of kind PKK_RSA
| searching for certificate PKK_RSA:AwEAAbEef vs PKK_RSA:AwEAAbEef
| returning since no better match than original best_found
| offered CA: '%none'
"main"[1] 192.1.2.45 #1: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org'
| received CERTREQ payload; going to decode it
| CERT_X509_SIGNATURE CR:
|   58 13 71 57  9d ee 1a 15  74 03 12 80  12 4d c1 85
|   2b 92 25 e9
|   cert blob content is not binary ASN.1
| verifying AUTH payload
| required RSA CA is '%any'
| checking RSA keyid 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org'
| checking RSA keyid 'user-east@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org'
| checking RSA keyid '@east.testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org'
| checking RSA keyid 'east@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org'
| checking RSA keyid '192.1.2.23' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org'
"main"[1] 192.1.2.45 #1: no RSA public key known for 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org'
|       #1 spent 0.0322 milliseconds in ikev2_verify_rsa_hash()
"main"[1] 192.1.2.45 #1: RSA authentication of I2 Auth Payload failed
"main"[1] 192.1.2.45 #1: responding to IKE_AUTH message (ID 1) from 192.1.2.45:500 with encrypted notification AUTHENTICATION_FAILED
| Opening output PBS encrypted notification
| **emit ISAKMP Message:
|    initiator cookie:
|   0e 84 75 86  e2 ad a8 ef
|    responder cookie:
|   df ff 06 37  f3 41 0f 17
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
|    Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encryption Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK)
| next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'encrypted notification'
| emitting 8 zero bytes of IV into IKEv2 Encryption Payload
| Adding a v2N Payload
| ****emit IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_AUTHENTICATION_FAILED (0x18)
| next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'encrypted notification'
| emitting length of IKEv2 Notify Payload: 8
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload
| emitting length of IKEv2 Encryption Payload: 37
| emitting length of ISAKMP Message: 65
| sending 65 bytes for v2 notify through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
|   0e 84 75 86  e2 ad a8 ef  df ff 06 37  f3 41 0f 17
|   2e 20 23 20  00 00 00 01  00 00 00 41  29 00 00 25
|   8d 2c 5b 70  57 49 76 cf  23 2e 5c 0f  b2 4a 70 c9
|   3d b1 6f 8b  56 5b c0 03  e0 42 92 82  9c cd d8 25
|   3f
| pstats #1 ikev2.ike failed auth-failed
| ikev2_parent_inI2outR2_continue_tail returned STF_FATAL
|   #1 spent 4.12 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet()
| [RE]START processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379)
| #1 complete_v2_state_transition() PARENT_R1->V2_IPSEC_R with status STF_FATAL
| release_pending_whacks: state #1 has no whack fd
| pstats #1 ikev2.ike deleted auth-failed
| #1 spent 4.46 milliseconds in total
| [RE]START processing: state #1 connection "main"[1] 192.1.2.45 from 192.1.2.45:500 (in delete_state() at state.c:879)
"main"[1] 192.1.2.45 #1: deleting state (STATE_PARENT_R1) aged 0.019s and NOT sending notification
| parent state #1: PARENT_R1(half-open IKE SA) => delete
| state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted
| libevent_free: release ptr-libevent@0x7fe814002888
| free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55f15ac27218
| State DB: IKEv2 state not found (flush_incomplete_children)
| in connection_discard for connection main
| connection is instance
| not in pending use
| State DB: state not found (connection_discard)
| no states use this connection instance, deleting
| start processing: connection "main"[1] 192.1.2.45 (BACKGROUND) (in delete_connection() at connections.c:189)
deleting connection "main"[1] 192.1.2.45 instance with peer 192.1.2.45 {isakmp=#0/ipsec=#0}
| Deleting states for connection - not including other IPsec SA's
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| state #1
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| state #1
| free hp@0x55f15ac26368
| flush revival: connection 'main' wasn't on the list
| stop processing: connection "main"[1] 192.1.2.45 (BACKGROUND) (in discard_connection() at connections.c:249)
| State DB: deleting IKEv2 state #1 in PARENT_R1
| parent state #1: PARENT_R1(half-open IKE SA) => UNDEFINED(ignore)
| stop processing: state #1 from 192.1.2.45:500 (in delete_state() at state.c:1143)
| resume sending helper answer for #1 suppresed complete_v2_state_transition()
| in statetime_stop() and could not find #1
| processing: STOP state #0 (in resume_handler() at server.c:833)
| libevent_free: release ptr-libevent@0x7fe80c000f48
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_STATE_... in show_traffic_status (sort_states)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.288 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_STATE_... in show_states_status (sort_states)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.537 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
shutting down
| processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825)
destroying root certificate cache
| certs and keys locked by 'free_preshared_secrets'
forgetting secrets
| certs and keys unlocked by 'free_preshared_secrets'
| unreference key: 0x55f15ac27938 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1--
| unreference key: 0x55f15ac27498 user-east@testing.libreswan.org cnt 1--
| unreference key: 0x55f15ac26f78 @east.testing.libreswan.org cnt 1--
| unreference key: 0x55f15ac26a28 east@testing.libreswan.org cnt 1--
| unreference key: 0x55f15ac25618 192.1.2.23 cnt 1--
| start processing: connection "main" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| free hp@0x55f15ac25218
| flush revival: connection 'main' wasn't on the list
| stop processing: connection "main" (in discard_connection() at connections.c:249)
| crl fetch request list locked by 'free_crl_fetch'
| crl fetch request list unlocked by 'free_crl_fetch'
shutting down interface lo/lo 127.0.0.1:4500
shutting down interface lo/lo 127.0.0.1:500
shutting down interface eth0/eth0 192.0.2.254:4500
shutting down interface eth0/eth0 192.0.2.254:500
shutting down interface eth1/eth1 192.1.2.23:4500
shutting down interface eth1/eth1 192.1.2.23:500
| FOR_EACH_STATE_... in delete_states_dead_interfaces
| libevent_free: release ptr-libevent@0x55f15ac12768
| free_event_entry: release EVENT_NULL-pe@0x55f15ac1e5d8
| libevent_free: release ptr-libevent@0x55f15abb8ff8
| free_event_entry: release EVENT_NULL-pe@0x55f15ac1e688
| libevent_free: release ptr-libevent@0x55f15abb8918
| free_event_entry: release EVENT_NULL-pe@0x55f15ac1e738
| libevent_free: release ptr-libevent@0x55f15abc01d8
| free_event_entry: release EVENT_NULL-pe@0x55f15ac1e7e8
| libevent_free: release ptr-libevent@0x55f15abc02d8
| free_event_entry: release EVENT_NULL-pe@0x55f15ac1e898
| libevent_free: release ptr-libevent@0x55f15abc03d8
| free_event_entry: release EVENT_NULL-pe@0x55f15ac1e948
| FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
| libevent_free: release ptr-libevent@0x55f15ac12818
| free_event_entry: release EVENT_NULL-pe@0x55f15ac069b8
| libevent_free: release ptr-libevent@0x55f15abb8f48
| free_event_entry: release EVENT_NULL-pe@0x55f15ac06518
| libevent_free: release ptr-libevent@0x55f15abff4f8
| free_event_entry: release EVENT_NULL-pe@0x55f15abc0488
| global timer EVENT_REINIT_SECRET uninitialized
| global timer EVENT_SHUNT_SCAN uninitialized
| global timer EVENT_PENDING_DDNS uninitialized
| global timer EVENT_PENDING_PHASE2 uninitialized
| global timer EVENT_CHECK_CRLS uninitialized
| global timer EVENT_REVIVE_CONNS uninitialized
| global timer EVENT_FREE_ROOT_CERTS uninitialized
| global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized
| global timer EVENT_NAT_T_KEEPALIVE uninitialized
| libevent_free: release ptr-libevent@0x55f15abc4a58
| signal event handler PLUTO_SIGCHLD uninstalled
| libevent_free: release ptr-libevent@0x55f15ab428c8
| signal event handler PLUTO_SIGTERM uninstalled
| libevent_free: release ptr-libevent@0x55f15ac1ddb8
| signal event handler PLUTO_SIGHUP uninstalled
| libevent_free: release ptr-libevent@0x55f15ac1dff8
| signal event handler PLUTO_SIGSYS uninstalled
| releasing event base
| libevent_free: release ptr-libevent@0x55f15ac1dec8
| libevent_free: release ptr-libevent@0x55f15ac00dd8
| libevent_free: release ptr-libevent@0x55f15ac00d88
| libevent_free: release ptr-libevent@0x55f15abb8298
| libevent_free: release ptr-libevent@0x55f15ac00d48
| libevent_free: release ptr-libevent@0x55f15ac1da88
| libevent_free: release ptr-libevent@0x55f15ac1dcf8
| libevent_free: release ptr-libevent@0x55f15ac00f88
| libevent_free: release ptr-libevent@0x55f15ac06588
| libevent_free: release ptr-libevent@0x55f15ac061e8
| libevent_free: release ptr-libevent@0x55f15ac1e9b8
| libevent_free: release ptr-libevent@0x55f15ac1e908
| libevent_free: release ptr-libevent@0x55f15ac1e858
| libevent_free: release ptr-libevent@0x55f15ac1e7a8
| libevent_free: release ptr-libevent@0x55f15ac1e6f8
| libevent_free: release ptr-libevent@0x55f15ac1e648
| libevent_free: release ptr-libevent@0x55f15ab41b78
| libevent_free: release ptr-libevent@0x55f15ac1dd78
| libevent_free: release ptr-libevent@0x55f15ac1dd38
| libevent_free: release ptr-libevent@0x55f15ac1dbf8
| libevent_free: release ptr-libevent@0x55f15ac1de88
| libevent_free: release ptr-libevent@0x55f15ac1dac8
| libevent_free: release ptr-libevent@0x55f15abc65e8
| libevent_free: release ptr-libevent@0x55f15abc6568
| libevent_free: release ptr-libevent@0x55f15ab41ee8
| releasing global libevent data
| libevent_free: release ptr-libevent@0x55f15abc6768
| libevent_free: release ptr-libevent@0x55f15abc66e8
| libevent_free: release ptr-libevent@0x55f15abc6668
leak: issuer ca, item size: 175
leak detective found 1 leaks, total size 175