FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:13798 core dump dir: /var/tmp secrets file: /etc/ipsec.secrets leak-detective enabled NSS crypto [enabled] XAUTH PAM support [enabled] | libevent is using pluto's memory allocator Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | libevent_malloc: new ptr-libevent@0x563aeeac6758 size 40 | libevent_malloc: new ptr-libevent@0x563aeeac66d8 size 40 | libevent_malloc: new ptr-libevent@0x563aeeac6658 size 40 | creating event base | libevent_malloc: new ptr-libevent@0x563aeeab8288 size 56 | libevent_malloc: new ptr-libevent@0x563aeea41e18 size 664 | libevent_malloc: new ptr-libevent@0x563aeeb00d78 size 24 | libevent_malloc: new ptr-libevent@0x563aeeb00dc8 size 384 | libevent_malloc: new ptr-libevent@0x563aeeb00d38 size 16 | libevent_malloc: new ptr-libevent@0x563aeeac65d8 size 40 | libevent_malloc: new ptr-libevent@0x563aeeac6558 size 48 | libevent_realloc: new ptr-libevent@0x563aeea41aa8 size 256 | libevent_malloc: new ptr-libevent@0x563aeeb00f78 size 16 | libevent_free: release ptr-libevent@0x563aeeab8288 | libevent initialized | libevent_realloc: new ptr-libevent@0x563aeeab8288 size 64 | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized | global one-shot timer EVENT_FREE_ROOT_CERTS initialized | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds | global one-shot timer EVENT_REVIVE_CONNS initialized | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 | starting up helper thread 0 | status value returned by setting the priority of this thread (crypto helper 0) 22 | crypto helper 0 waiting (nothing to do) started thread for crypto helper 1 started thread for crypto helper 2 started thread for crypto helper 3 | starting up helper thread 3 | status value returned by setting the priority of this thread (crypto helper 3) 22 | crypto helper 3 waiting (nothing to do) started thread for crypto helper 4 | starting up helper thread 4 | status value returned by setting the priority of this thread (crypto helper 4) 22 | crypto helper 4 waiting (nothing to do) started thread for crypto helper 5 | starting up helper thread 5 | status value returned by setting the priority of this thread (crypto helper 5) 22 | crypto helper 5 waiting (nothing to do) started thread for crypto helper 6 | starting up helper thread 6 | status value returned by setting the priority of this thread (crypto helper 6) 22 | crypto helper 6 waiting (nothing to do) | checking IKEv1 state table | starting up helper thread 1 | status value returned by setting the priority of this thread (crypto helper 1) 22 | crypto helper 1 waiting (nothing to do) | MAIN_R0: category: half-open IKE SA flags: 0: | starting up helper thread 2 | -> MAIN_R1 EVENT_SO_DISCARD | status value returned by setting the priority of this thread (crypto helper 2) 22 | crypto helper 2 waiting (nothing to do) | MAIN_I1: category: half-open IKE SA flags: 0: | -> MAIN_I2 EVENT_RETRANSMIT | MAIN_R1: category: open IKE SA flags: 200: | -> MAIN_R2 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_I2: category: open IKE SA flags: 0: | -> MAIN_I3 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_R2: category: open IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | -> MAIN_R3 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_I3: category: open IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | -> MAIN_I4 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_R3: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | MAIN_I4: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | AGGR_R0: category: half-open IKE SA flags: 0: | -> AGGR_R1 EVENT_SO_DISCARD | AGGR_I1: category: half-open IKE SA flags: 0: | -> AGGR_I2 EVENT_SA_REPLACE | -> AGGR_I2 EVENT_SA_REPLACE | AGGR_R1: category: open IKE SA flags: 200: | -> AGGR_R2 EVENT_SA_REPLACE | -> AGGR_R2 EVENT_SA_REPLACE | AGGR_I2: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | AGGR_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | QUICK_R0: category: established CHILD SA flags: 0: | -> QUICK_R1 EVENT_RETRANSMIT | QUICK_I1: category: established CHILD SA flags: 0: | -> QUICK_I2 EVENT_SA_REPLACE | QUICK_R1: category: established CHILD SA flags: 0: | -> QUICK_R2 EVENT_SA_REPLACE | QUICK_I2: category: established CHILD SA flags: 200: | -> UNDEFINED EVENT_NULL | QUICK_R2: category: established CHILD SA flags: 0: | -> UNDEFINED EVENT_NULL | INFO: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | INFO_PROTECTED: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | XAUTH_R0: category: established IKE SA flags: 0: | -> XAUTH_R1 EVENT_NULL | XAUTH_R1: category: established IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | MODE_CFG_R0: category: informational flags: 0: | -> MODE_CFG_R1 EVENT_SA_REPLACE | MODE_CFG_R1: category: established IKE SA flags: 0: | -> MODE_CFG_R2 EVENT_SA_REPLACE | MODE_CFG_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | MODE_CFG_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | XAUTH_I0: category: established IKE SA flags: 0: | -> XAUTH_I1 EVENT_RETRANSMIT | XAUTH_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_RETRANSMIT | checking IKEv2 state table | PARENT_I0: category: ignore flags: 0: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) | PARENT_I1: category: half-open IKE SA flags: 0: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) | PARENT_I2: category: open IKE SA flags: 0: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) | PARENT_I3: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) | PARENT_R0: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) | PARENT_R1: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) | PARENT_R2: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) | V2_CREATE_I0: category: established IKE SA flags: 0: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) | V2_CREATE_I: category: established IKE SA flags: 0: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) | V2_REKEY_IKE_I: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: <none> | V2_CREATE_R: category: established IKE SA flags: 0: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) | V2_REKEY_IKE_R: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: <none> | V2_IPSEC_I: category: established CHILD SA flags: 0: <none> | V2_IPSEC_R: category: established CHILD SA flags: 0: <none> | IKESA_DEL: category: established IKE SA flags: 0: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) | CHILDSA_DEL: category: informational flags: 0: <none> Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | adding HMAC_SHA2_384_192 to kernel algorithm db | adding HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds | setup kernel fd callback | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x563aeeac0478 | libevent_malloc: new ptr-libevent@0x563aeeaff4e8 size 128 | libevent_malloc: new ptr-libevent@0x563aeeb06578 size 16 | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x563aeeb06508 | libevent_malloc: new ptr-libevent@0x563aeeab8f38 size 128 | libevent_malloc: new ptr-libevent@0x563aeeb061d8 size 16 | global one-shot timer EVENT_CHECK_CRLS initialized selinux support is enabled. | unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | outgoing-port-avoid set 0-65535 | outgoing-port-permit set 32768-60999 | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x563aeeb069a8 | libevent_malloc: new ptr-libevent@0x563aeeb12888 size 128 | libevent_malloc: new ptr-libevent@0x563aeeb1db78 size 16 | libevent_realloc: new ptr-libevent@0x563aeeb1dbb8 size 256 | libevent_malloc: new ptr-libevent@0x563aeeb1dce8 size 8 | libevent_realloc: new ptr-libevent@0x563aeeb1dd28 size 144 | libevent_malloc: new ptr-libevent@0x563aeeac4a48 size 152 | libevent_malloc: new ptr-libevent@0x563aeeb1dde8 size 16 | signal event handler PLUTO_SIGCHLD installed | libevent_malloc: new ptr-libevent@0x563aeeb1de28 size 8 | libevent_malloc: new ptr-libevent@0x563aeea42788 size 152 | signal event handler PLUTO_SIGTERM installed | libevent_malloc: new ptr-libevent@0x563aeeb1de68 size 8 | libevent_malloc: new ptr-libevent@0x563aeeb1dea8 size 152 | signal event handler PLUTO_SIGHUP installed | libevent_malloc: new ptr-libevent@0x563aeeb1df78 size 8 | libevent_realloc: release ptr-libevent@0x563aeeb1dd28 | libevent_realloc: new ptr-libevent@0x563aeeb1dfb8 size 256 | libevent_malloc: new ptr-libevent@0x563aeeb1e0e8 size 152 | signal event handler PLUTO_SIGSYS installed | created addconn helper (pid:13858) using fork+execve | forked child 13858 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 Kernel supports NIC esp-hw-offload adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth1/eth1 192.1.2.23:4500 adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.0.2.254:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | no interfaces to sort | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | add_fd_read_event_handler: new ethX-pe@0x563aeeb1e6c8 | libevent_malloc: new ptr-libevent@0x563aeeb127d8 size 128 | libevent_malloc: new ptr-libevent@0x563aeeb1e738 size 16 | setup callback for interface lo 127.0.0.1:4500 fd 22 | add_fd_read_event_handler: new ethX-pe@0x563aeeb1e778 | libevent_malloc: new ptr-libevent@0x563aeeab8fe8 size 128 | libevent_malloc: new ptr-libevent@0x563aeeb1e7e8 size 16 | setup callback for interface lo 127.0.0.1:500 fd 21 | add_fd_read_event_handler: new ethX-pe@0x563aeeb1e828 | libevent_malloc: new ptr-libevent@0x563aeeab8908 size 128 | libevent_malloc: new ptr-libevent@0x563aeeb1e898 size 16 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | add_fd_read_event_handler: new ethX-pe@0x563aeeb1e8d8 | libevent_malloc: new ptr-libevent@0x563aeeac01c8 size 128 | libevent_malloc: new ptr-libevent@0x563aeeb1e948 size 16 | setup callback for interface eth0 192.0.2.254:500 fd 19 | add_fd_read_event_handler: new ethX-pe@0x563aeeb1e988 | libevent_malloc: new ptr-libevent@0x563aeeac02c8 size 128 | libevent_malloc: new ptr-libevent@0x563aeeb1e9f8 size 16 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | add_fd_read_event_handler: new ethX-pe@0x563aeeb1ea38 | libevent_malloc: new ptr-libevent@0x563aeeac03c8 size 128 | libevent_malloc: new ptr-libevent@0x563aeeb1eaa8 size 16 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.766 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 | no interfaces to sort | libevent_free: release ptr-libevent@0x563aeeb127d8 | free_event_entry: release EVENT_NULL-pe@0x563aeeb1e6c8 | add_fd_read_event_handler: new ethX-pe@0x563aeeb1e6c8 | libevent_malloc: new ptr-libevent@0x563aeeb127d8 size 128 | setup callback for interface lo 127.0.0.1:4500 fd 22 | libevent_free: release ptr-libevent@0x563aeeab8fe8 | free_event_entry: release EVENT_NULL-pe@0x563aeeb1e778 | add_fd_read_event_handler: new ethX-pe@0x563aeeb1e778 | libevent_malloc: new ptr-libevent@0x563aeeab8fe8 size 128 | setup callback for interface lo 127.0.0.1:500 fd 21 | libevent_free: release ptr-libevent@0x563aeeab8908 | free_event_entry: release EVENT_NULL-pe@0x563aeeb1e828 | add_fd_read_event_handler: new ethX-pe@0x563aeeb1e828 | libevent_malloc: new ptr-libevent@0x563aeeab8908 size 128 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | libevent_free: release ptr-libevent@0x563aeeac01c8 | free_event_entry: release EVENT_NULL-pe@0x563aeeb1e8d8 | add_fd_read_event_handler: new ethX-pe@0x563aeeb1e8d8 | libevent_malloc: new ptr-libevent@0x563aeeac01c8 size 128 | setup callback for interface eth0 192.0.2.254:500 fd 19 | libevent_free: release ptr-libevent@0x563aeeac02c8 | free_event_entry: release EVENT_NULL-pe@0x563aeeb1e988 | add_fd_read_event_handler: new ethX-pe@0x563aeeb1e988 | libevent_malloc: new ptr-libevent@0x563aeeac02c8 size 128 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | libevent_free: release ptr-libevent@0x563aeeac03c8 | free_event_entry: release EVENT_NULL-pe@0x563aeeb1ea38 | add_fd_read_event_handler: new ethX-pe@0x563aeeb1ea38 | libevent_malloc: new ptr-libevent@0x563aeeac03c8 size 128 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.364 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned pid 13858 (exited with status 0) | reaped addconn helper child (status 0) | waitpid returned ECHILD (no child processes left) | spent 0.0169 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection main-east with policy RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 | from whack: got --esp= | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 | counting wild cards for %fromcert is 0 | ASCII to DN <= "C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org" | ASCII to DN => 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02 43 41 | ASCII to DN => 31 10 30 0e 06 03 55 04 08 13 07 4f 6e 74 61 72 | ASCII to DN => 69 6f 31 10 30 0e 06 03 55 04 07 13 07 54 6f 72 | ASCII to DN => 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 13 09 4c | ASCII to DN => 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | ASCII to DN => 0b 13 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | ASCII to DN => 6e 74 31 23 30 21 06 03 55 04 03 13 1a 65 61 73 | ASCII to DN => 74 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | ASCII to DN => 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a 86 48 | ASCII to DN => 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 65 61 73 | ASCII to DN => 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | ASCII to DN => 77 61 6e 2e 6f 72 67 | loading right certificate 'east' pubkey | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563aeeb22198 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563aeeb22148 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563aeeb220f8 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563aeeb21e48 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563aeeb21df8 | unreference key: 0x563aeeb221e8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | certs and keys locked by 'lsw_add_rsa_secret' | certs and keys unlocked by 'lsw_add_rsa_secret' | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org is 0 | based upon policy, the connection is a template. | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none | new hp@0x563aeeb220f8 added connection description "main-east" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org]...%any[%fromcert] | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 1.08 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection main-north with policy RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 | from whack: got --esp= | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 | counting wild cards for %fromcert is 0 | ASCII to DN <= "C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org" | ASCII to DN => 30 81 b6 31 0b 30 09 06 03 55 04 06 13 02 43 41 | ASCII to DN => 31 10 30 0e 06 03 55 04 08 13 07 4f 6e 74 61 72 | ASCII to DN => 69 6f 31 10 30 0e 06 03 55 04 07 13 07 54 6f 72 | ASCII to DN => 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 13 09 4c | ASCII to DN => 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | ASCII to DN => 0b 13 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | ASCII to DN => 6e 74 31 24 30 22 06 03 55 04 03 13 1b 6e 6f 72 | ASCII to DN => 74 68 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 | ASCII to DN => 73 77 61 6e 2e 6f 72 67 31 2f 30 2d 06 09 2a 86 | ASCII to DN => 48 86 f7 0d 01 09 01 16 20 75 73 65 72 2d 6e 6f | ASCII to DN => 72 74 68 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 | ASCII to DN => 65 73 77 61 6e 2e 6f 72 67 | loading right certificate 'north' pubkey | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563aeeb29638 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563aeeb29738 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563aeeb29888 | unreference key: 0x563aeeb29548 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org cnt 1-- | certs and keys locked by 'lsw_add_rsa_secret' | certs and keys unlocked by 'lsw_add_rsa_secret' | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org is 0 | based upon policy, the connection is a template. | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x563aeeb220f8: main-east added connection description "main-north" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org]...%any[%fromcert] | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 1.47 milliseconds in whack | spent 0.0031 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 828 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 30 b8 78 88 f4 d6 0c 9b 00 00 00 00 00 00 00 00 | 21 20 22 08 00 00 00 00 00 00 03 3c 22 00 01 b4 | 02 00 00 64 01 01 00 0b 03 00 00 0c 01 00 00 14 | 80 0e 01 00 03 00 00 08 02 00 00 07 03 00 00 08 | 02 00 00 05 03 00 00 08 04 00 00 0e 03 00 00 08 | 04 00 00 0f 03 00 00 08 04 00 00 10 03 00 00 08 | 04 00 00 12 03 00 00 08 04 00 00 13 03 00 00 08 | 04 00 00 14 03 00 00 08 04 00 00 15 00 00 00 08 | 04 00 00 1f 02 00 00 64 02 01 00 0b 03 00 00 0c | 01 00 00 14 80 0e 00 80 03 00 00 08 02 00 00 07 | 03 00 00 08 02 00 00 05 03 00 00 08 04 00 00 0e | 03 00 00 08 04 00 00 0f 03 00 00 08 04 00 00 10 | 03 00 00 08 04 00 00 12 03 00 00 08 04 00 00 13 | 03 00 00 08 04 00 00 14 03 00 00 08 04 00 00 15 | 00 00 00 08 04 00 00 1f 02 00 00 74 03 01 00 0d | 03 00 00 0c 01 00 00 0c 80 0e 01 00 03 00 00 08 | 02 00 00 07 03 00 00 08 02 00 00 05 03 00 00 08 | 03 00 00 0e 03 00 00 08 03 00 00 0c 03 00 00 08 | 04 00 00 0e 03 00 00 08 04 00 00 0f 03 00 00 08 | 04 00 00 10 03 00 00 08 04 00 00 12 03 00 00 08 | 04 00 00 13 03 00 00 08 04 00 00 14 03 00 00 08 | 04 00 00 15 00 00 00 08 04 00 00 1f 00 00 00 74 | 04 01 00 0d 03 00 00 0c 01 00 00 0c 80 0e 00 80 | 03 00 00 08 02 00 00 07 03 00 00 08 02 00 00 05 | 03 00 00 08 03 00 00 0e 03 00 00 08 03 00 00 0c | 03 00 00 08 04 00 00 0e 03 00 00 08 04 00 00 0f | 03 00 00 08 04 00 00 10 03 00 00 08 04 00 00 12 | 03 00 00 08 04 00 00 13 03 00 00 08 04 00 00 14 | 03 00 00 08 04 00 00 15 00 00 00 08 04 00 00 1f | 28 00 01 08 00 0e 00 00 81 c5 7b ba b4 c0 dd 22 | 47 f6 f5 78 f8 05 0d 36 75 34 4e f4 c4 48 f1 c0 | bb 3b 4a 61 3b 95 31 78 6a fe a8 d7 dd 97 29 36 | a1 7f 1e e6 c5 13 90 f9 3d 8c 97 58 6d fb 28 ff | 0a 03 f3 b7 33 d0 f0 93 be 3c 91 fa 3a b1 e0 e6 | 8f a6 32 86 b2 0c a5 7f 6b b9 58 1e 30 c1 41 71 | ed 99 0d 49 f9 e7 d7 02 9e b0 74 8c b8 d2 c5 3e | 5b 60 dc 47 3a d0 13 fa c8 df 78 0d 2c 57 10 d0 | 29 77 1b 94 07 d5 99 a2 6b ba 84 93 36 34 04 65 | 59 46 9f 3b da 44 bf 22 02 b5 d7 ab fe 48 7e 2a | c9 57 26 87 e5 ba 15 79 05 28 9e 56 f6 24 83 92 | c1 d4 61 ef 57 46 ac 27 da aa 52 8b 8a a9 6e 81 | 3f 8e a6 df 39 23 fa 53 11 58 c1 07 38 74 f1 32 | 7d f8 69 bf ce e1 69 7e 3b f8 7f 63 fc 79 ed 3f | d4 9c 10 72 01 ab 1c 37 e9 9d 47 60 75 8e 41 8d | 14 63 0e 7f c3 81 14 46 95 e3 c5 6b 30 60 86 b1 | 8f 54 ed 81 7e d4 d6 22 29 00 00 24 7d bb ea 66 | 8c 12 e4 ab 78 2e bb 1d 5c 64 b8 43 91 51 47 fe | 15 83 da f1 6d d4 4d d3 84 5a d9 42 29 00 00 08 | 00 00 40 2e 29 00 00 1c 00 00 40 04 1b 29 96 cb | ce 6f 66 ff a7 39 96 a6 75 00 80 0b 28 08 03 06 | 00 00 00 1c 00 00 40 05 b1 28 92 f7 0c 3d 82 86 | e9 2c 55 fa bb 61 7b dc be e4 d0 3b | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 30 b8 78 88 f4 d6 0c 9b | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_v2SA (0x21) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 0 (0x0) | length: 828 (0x33c) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) | Now let's proceed with payload (ISAKMP_NEXT_v2SA) | ***parse IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2KE (0x22) | flags: none (0x0) | length: 436 (0x1b4) | processing payload: ISAKMP_NEXT_v2SA (len=432) | Now let's proceed with payload (ISAKMP_NEXT_v2KE) | ***parse IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2Ni (0x28) | flags: none (0x0) | length: 264 (0x108) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | processing payload: ISAKMP_NEXT_v2KE (len=256) | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) | ***parse IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 36 (0x24) | processing payload: ISAKMP_NEXT_v2Ni (len=32) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 8 (0x8) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | processing payload: ISAKMP_NEXT_v2N (len=0) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | processing payload: ISAKMP_NEXT_v2N (len=20) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | processing payload: ISAKMP_NEXT_v2N (len=20) | DDOS disabled and no cookie sent, continuing | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | find_next_host_connection returns empty | find_host_connection local=192.1.2.23:500 remote=<none:> policy=ECDSA+IKEV2_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (main-north) | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (main-east) | find_next_host_connection returns empty | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | find_next_host_connection returns empty | find_host_connection local=192.1.2.23:500 remote=<none:> policy=RSASIG+IKEV2_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (main-north) | find_next_host_connection returns main-north | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (main-east) | find_next_host_connection returns main-east | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | find_next_host_connection returns empty | rw_instantiate | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none | new hp@0x563aeeb2dfb8 | rw_instantiate() instantiated "main-north"[1] 192.1.2.45 for 192.1.2.45 | found connection: main-north[1] 192.1.2.45 with policy RSASIG+IKEV2_ALLOW | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | creating state object #1 at 0x563aeeb2fcc8 | State DB: adding IKEv2 state #1 in UNDEFINED | pstats #1 ikev2.ike started | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 | start processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45 (in ikev2_process_packet() at ikev2.c:2016) | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) | [RE]START processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45 (in ike_process_packet() at ikev2.c:2064) | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 | #1 in state PARENT_R0: processing SA_INIT request | selected state microcode Respond to IKE_SA_INIT | Now let's proceed with state specific processing | calling processor Respond to IKE_SA_INIT | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) | constructing local IKE proposals for main-north (IKE SA responder matching remote proposals) | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... | ... ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 "main-north"[1] 192.1.2.45: constructed local IKE proposals for main-north (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 | Comparing remote proposals against IKE responder 4 local proposals | local proposal 1 type ENCR has 1 transforms | local proposal 1 type PRF has 2 transforms | local proposal 1 type INTEG has 1 transforms | local proposal 1 type DH has 8 transforms | local proposal 1 type ESN has 0 transforms | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG | local proposal 2 type ENCR has 1 transforms | local proposal 2 type PRF has 2 transforms | local proposal 2 type INTEG has 1 transforms | local proposal 2 type DH has 8 transforms | local proposal 2 type ESN has 0 transforms | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG | local proposal 3 type ENCR has 1 transforms | local proposal 3 type PRF has 2 transforms | local proposal 3 type INTEG has 2 transforms | local proposal 3 type DH has 8 transforms | local proposal 3 type ESN has 0 transforms | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none | local proposal 4 type ENCR has 1 transforms | local proposal 4 type PRF has 2 transforms | local proposal 4 type INTEG has 2 transforms | local proposal 4 type DH has 8 transforms | local proposal 4 type ESN has 0 transforms | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 100 (0x64) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 11 (0xb) | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH | remote proposal 1 matches local proposal 1 | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 100 (0x64) | prop #: 2 (0x2) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 11 (0xb) | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 116 (0x74) | prop #: 3 (0x3) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 13 (0xd) | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | length: 116 (0x74) | prop #: 4 (0x4) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 13 (0xd) | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH "main-north"[1] 192.1.2.45 #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 | converting proposal to internal trans attrs | natd_hash: rcookie is zero | natd_hash: hasher=0x563aecdfd800(20) | natd_hash: icookie= 30 b8 78 88 f4 d6 0c 9b | natd_hash: rcookie= 00 00 00 00 00 00 00 00 | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= b1 28 92 f7 0c 3d 82 86 e9 2c 55 fa bb 61 7b dc | natd_hash: hash= be e4 d0 3b | natd_hash: rcookie is zero | natd_hash: hasher=0x563aecdfd800(20) | natd_hash: icookie= 30 b8 78 88 f4 d6 0c 9b | natd_hash: rcookie= 00 00 00 00 00 00 00 00 | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= 1b 29 96 cb ce 6f 66 ff a7 39 96 a6 75 00 80 0b | natd_hash: hash= 28 08 03 06 | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.45 | adding ikev2_inI1outR1 KE work-order 1 for state #1 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x563aeeb21d48 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x563aeeb2d608 size 128 | #1 spent 0.623 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() | [RE]START processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) | crypto helper 0 resuming | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND | crypto helper 0 starting work-order 1 for state #1 | suspending state #1 and saving MD | #1 is busy; has a suspended MD | crypto helper 0 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 | [RE]START processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) | "main-north"[1] 192.1.2.45 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 | stop processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) | #1 spent 1.04 milliseconds in ikev2_process_packet() | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 1.05 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 0 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.000992 seconds | (#1) spent 0.967 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) | crypto helper 0 sending results from work-order 1 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f2940002888 size 128 | crypto helper 0 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 0 replies to request ID 1 | calling continuation function 0x563aecd28b50 | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 | **emit ISAKMP Message: | initiator cookie: | 30 b8 78 88 f4 d6 0c 9b | responder cookie: | 4a 17 81 4f d6 9f 44 e7 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | Emitting ikev2_proposal ... | ***emit IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' | ****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 3 (0x3) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | ******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of IKEv2 Transform Substructure Payload: 12 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 36 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | emitting length of IKEv2 Security Association Payload: 40 | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 | ***emit IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload | ikev2 g^x 09 42 36 9f cc e5 2d b3 22 aa f3 0b 7b 65 69 c9 | ikev2 g^x 1c 51 f2 3a 9c 30 b3 5e 33 d3 a2 fe 46 2a 3f 54 | ikev2 g^x 8f 92 c5 22 51 c5 a2 33 a0 c3 50 77 76 b5 ff 33 | ikev2 g^x d2 60 2a 9f 7e e7 c0 d8 b7 ac 02 16 c1 8b c8 a3 | ikev2 g^x e3 66 9c 12 83 8f 24 09 a3 6b 5a 98 0b 6d b1 f2 | ikev2 g^x 24 1d 91 a8 7a f0 26 22 e6 cb 51 19 8f 3a 31 4e | ikev2 g^x 29 e9 c7 4f 23 5f ec 0f db 36 61 e8 ea cb b7 80 | ikev2 g^x b6 3a 1c 15 9c da 3e bf cb 6c 57 4b 5e 34 0d 75 | ikev2 g^x e1 42 63 0c 1e c0 35 0a d5 db f6 ed df f9 4b 86 | ikev2 g^x 2d e4 c9 39 80 9e 0e 7a 15 48 9f 4e 6d 23 a6 1e | ikev2 g^x 0f 3f ad 6b 3e a5 42 98 fc d5 3b 65 0e 90 8a bc | ikev2 g^x 66 04 21 7d f5 51 55 ff 1b e2 01 64 b6 91 a6 14 | ikev2 g^x 3d 85 9d ec 7f 99 a4 bc d7 70 8f 1a 03 44 27 90 | ikev2 g^x 56 97 00 ed 58 e9 81 59 db 2c 84 4d 18 b3 95 48 | ikev2 g^x ac 50 fb cb 9b c6 d9 90 5d fa d4 5f 67 fc 83 27 | ikev2 g^x 0d d8 87 cc d0 51 80 e5 3d 9c 26 a1 50 cf 81 be | emitting length of IKEv2 Key Exchange Payload: 264 | ***emit IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload | IKEv2 nonce 53 e3 cc c8 87 ed ba 62 17 68 6b c4 8e 50 2f 0a | IKEv2 nonce 5c 09 58 5c 07 d7 c6 f7 c7 b4 ec 39 73 eb 17 ea | emitting length of IKEv2 Nonce Payload: 36 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting length of IKEv2 Notify Payload: 8 | NAT-Traversal support [enabled] add v2N payloads. | natd_hash: hasher=0x563aecdfd800(20) | natd_hash: icookie= 30 b8 78 88 f4 d6 0c 9b | natd_hash: rcookie= 4a 17 81 4f d6 9f 44 e7 | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= 6a bb 96 df 5d a6 17 42 d5 13 a3 f4 63 3f 27 83 | natd_hash: hash= 1d 15 74 66 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload | Notify data 6a bb 96 df 5d a6 17 42 d5 13 a3 f4 63 3f 27 83 | Notify data 1d 15 74 66 | emitting length of IKEv2 Notify Payload: 28 | natd_hash: hasher=0x563aecdfd800(20) | natd_hash: icookie= 30 b8 78 88 f4 d6 0c 9b | natd_hash: rcookie= 4a 17 81 4f d6 9f 44 e7 | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= 27 b9 db a8 ed c0 ac 26 1c 81 7f 6b 94 d7 b7 69 | natd_hash: hash= 8f 67 11 56 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload | Notify data 27 b9 db a8 ed c0 ac 26 1c 81 7f 6b 94 d7 b7 69 | Notify data 8f 67 11 56 | emitting length of IKEv2 Notify Payload: 28 | going to send a certreq | connection->kind is not CK_PERMANENT (instance), so collect CAs | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | Not a roadwarrior instance, sending empty CA in CERTREQ | ***emit IKEv2 Certificate Request Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Certificate Request Payload (38:ISAKMP_NEXT_v2CERTREQ) | next payload chain: saving location 'IKEv2 Certificate Request Payload'.'next payload type' in 'reply packet' | emitting length of IKEv2 Certificate Request Payload: 5 | emitting length of ISAKMP Message: 437 | [RE]START processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) | Message ID: updating counters for #1 to 0 after switching state | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 "main-north"[1] 192.1.2.45 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 437 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 30 b8 78 88 f4 d6 0c 9b 4a 17 81 4f d6 9f 44 e7 | 21 20 22 20 00 00 00 00 00 00 01 b5 22 00 00 28 | 00 00 00 24 01 01 00 03 03 00 00 0c 01 00 00 14 | 80 0e 01 00 03 00 00 08 02 00 00 07 00 00 00 08 | 04 00 00 0e 28 00 01 08 00 0e 00 00 09 42 36 9f | cc e5 2d b3 22 aa f3 0b 7b 65 69 c9 1c 51 f2 3a | 9c 30 b3 5e 33 d3 a2 fe 46 2a 3f 54 8f 92 c5 22 | 51 c5 a2 33 a0 c3 50 77 76 b5 ff 33 d2 60 2a 9f | 7e e7 c0 d8 b7 ac 02 16 c1 8b c8 a3 e3 66 9c 12 | 83 8f 24 09 a3 6b 5a 98 0b 6d b1 f2 24 1d 91 a8 | 7a f0 26 22 e6 cb 51 19 8f 3a 31 4e 29 e9 c7 4f | 23 5f ec 0f db 36 61 e8 ea cb b7 80 b6 3a 1c 15 | 9c da 3e bf cb 6c 57 4b 5e 34 0d 75 e1 42 63 0c | 1e c0 35 0a d5 db f6 ed df f9 4b 86 2d e4 c9 39 | 80 9e 0e 7a 15 48 9f 4e 6d 23 a6 1e 0f 3f ad 6b | 3e a5 42 98 fc d5 3b 65 0e 90 8a bc 66 04 21 7d | f5 51 55 ff 1b e2 01 64 b6 91 a6 14 3d 85 9d ec | 7f 99 a4 bc d7 70 8f 1a 03 44 27 90 56 97 00 ed | 58 e9 81 59 db 2c 84 4d 18 b3 95 48 ac 50 fb cb | 9b c6 d9 90 5d fa d4 5f 67 fc 83 27 0d d8 87 cc | d0 51 80 e5 3d 9c 26 a1 50 cf 81 be 29 00 00 24 | 53 e3 cc c8 87 ed ba 62 17 68 6b c4 8e 50 2f 0a | 5c 09 58 5c 07 d7 c6 f7 c7 b4 ec 39 73 eb 17 ea | 29 00 00 08 00 00 40 2e 29 00 00 1c 00 00 40 04 | 6a bb 96 df 5d a6 17 42 d5 13 a3 f4 63 3f 27 83 | 1d 15 74 66 26 00 00 1c 00 00 40 05 27 b9 db a8 | ed c0 ac 26 1c 81 7f 6b 94 d7 b7 69 8f 67 11 56 | 00 00 00 05 04 | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x563aeeb2d608 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x563aeeb21d48 | event_schedule: new EVENT_SO_DISCARD-pe@0x563aeeb21d48 | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 | libevent_malloc: new ptr-libevent@0x563aeeb2ccb8 size 128 | resume sending helper answer for #1 suppresed complete_v2_state_transition() | #1 spent 0.36 milliseconds in resume sending helper answer | stop processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f2940002888 | spent 0.00261 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 539 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 30 b8 78 88 f4 d6 0c 9b 4a 17 81 4f d6 9f 44 e7 | 35 20 23 08 00 00 00 01 00 00 02 1b 23 00 01 ff | 00 01 00 05 2b 66 66 d8 3b 0e 92 4f d6 c3 b5 f2 | cd fc 45 a6 d5 5e bf 1b 23 d2 45 1c 5f c2 65 36 | 12 e9 14 6b fe af 03 e7 f4 55 a0 bd ad f5 2a 65 | 48 c8 0b b4 41 2f 20 9c b7 a5 1c 5f 44 d9 8d bd | d2 e9 cd 3a d7 66 91 6a 70 6c 94 29 68 61 21 3f | 89 d6 3d 45 3a ed d4 ec 66 54 82 6c d5 5b 8d 36 | 6b 85 ea 00 ac 09 b9 13 88 17 f7 ff 4a 3e 69 4a | ef aa a8 13 a1 ce 91 4a 85 25 15 89 38 c8 1b 74 | 5d 97 88 e5 cd be 0c 1e 39 f6 12 51 44 0b d5 9c | 49 fc 62 50 ff bf 38 14 2a ef de 89 26 89 9f c0 | a1 75 42 7e 9a 98 61 08 a6 f3 70 c8 7d fe 63 c3 | d0 97 0f 4c 73 ab 6f 27 63 44 ce 89 a3 08 90 b1 | 29 94 42 16 67 f8 07 63 30 67 b4 21 93 fb 22 13 | a8 21 20 5f f2 28 f3 4d f8 a8 01 ba d6 69 9e 86 | 7d 6f 22 ec 9d af 10 10 17 37 ee 60 b6 79 1e fc | 6e 6b 43 1b 63 bc 36 23 cd c2 5a 42 02 d2 23 1c | 91 72 05 9b ab 35 15 ab 46 e1 bb f9 47 36 62 93 | 3c c1 26 24 b8 fd 0e 1b 67 91 68 6a 2e 7d 15 e6 | e4 18 be 2e 40 a8 e4 43 51 d6 2d 87 a6 08 48 49 | 58 df f8 6b db 4c ed d9 83 34 21 f6 ec 59 79 60 | 24 57 0c 97 d0 86 64 31 01 7a 16 20 b5 a4 c7 fb | ec be 06 3c 51 8f 4e 7d 78 0b 20 25 17 69 97 63 | 8f 7b 24 e3 7a c8 f0 cb ee d7 92 6b 92 bc 12 d2 | ca 83 56 71 38 b3 fb a9 6f 2d 64 a1 c6 73 43 aa | 3b d4 19 20 1e 0b 96 cd f1 05 c9 17 43 74 40 b3 | eb 8d 31 2d 0a bc 07 2b 02 c2 e6 11 ed 77 07 09 | 76 b2 ff 28 9e 71 7d 7c 04 a1 20 0d 19 ab b0 b0 | 5a e0 dd 00 2e f0 f2 3c 26 8d 87 cb 9d 99 d6 7d | 36 21 f2 db 6f 70 36 a2 74 63 f9 84 d5 e8 43 7a | 59 4b 0b 04 38 d5 f8 92 93 08 71 bd c9 e6 70 06 | 22 4f ee 9f c0 c4 da e0 e4 24 84 89 b0 0d a7 fd | b0 22 3b 25 0c f2 82 6e 04 13 3b | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 30 b8 78 88 f4 d6 0c 9b | responder cookie: | 4a 17 81 4f d6 9f 44 e7 | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) | start processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) | [RE]START processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 | unpacking clear payload | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2IDi (0x23) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 1 (0x1) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 | #1 in state PARENT_R1: received v2I1, sent v2R1 | received IKE encrypted fragment number '1', total number '5', next payload '35' | updated IKE fragment state to respond using fragments without waiting for re-transmits | stop processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) | #1 spent 0.117 milliseconds in ikev2_process_packet() | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.125 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00116 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 539 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 30 b8 78 88 f4 d6 0c 9b 4a 17 81 4f d6 9f 44 e7 | 35 20 23 08 00 00 00 01 00 00 02 1b 00 00 01 ff | 00 02 00 05 45 a8 05 17 18 f2 4b 1c cf e4 62 96 | 3d 50 30 bc ea 11 00 bc ba 94 dc 31 9c 9f f8 33 | 91 9f 2c 32 00 f8 bd 8e 5d f1 68 58 f0 7e 68 5e | 84 bf 27 1a 34 bf a4 f4 50 3b 56 df ff 27 33 85 | 84 77 52 17 27 d7 ed e4 e0 36 b2 a8 08 38 a4 fd | fa 7d 25 d3 c1 b4 0e 3c d9 74 29 06 dc ee 85 76 | 75 43 e5 c0 3c 28 fa e4 26 35 01 fa a2 4d bb 2c | c9 dd 9f 5e 3c 79 58 dc 87 98 1c 66 bf ef 2f b5 | 4e 7c f5 b8 34 a3 be 52 6f ad 20 4e a1 e8 25 f3 | f8 6a 01 fb 74 9d f0 a4 6d 93 c1 ac fa 4a 59 d0 | 63 e0 0c b3 62 59 2a 8d 95 c6 65 8e c2 d8 e6 24 | d3 f8 5d 9c 8c b2 a1 76 2b d8 ac 6c 9e 24 20 73 | ad 22 ed de 77 52 9e 9f 74 30 ac 48 2e ff d6 02 | 40 2f 55 7e 8c 5d bd cb c4 24 1a 33 98 73 06 0b | 83 9d 2a 93 76 16 46 9e 43 83 9d b2 de 03 2a c8 | b0 24 05 41 11 3b ca 57 5d 7f 6f 92 43 d5 41 fe | 23 81 93 ed 32 5c fa 4d 5c 2d 2a 16 e4 66 12 30 | 9f 1e 27 80 c5 04 c8 42 2d 8c 32 ab 32 bc 63 d4 | d8 b9 58 4c 5f 03 ce 9b 27 e9 37 3f 4f 12 0b a0 | 97 ce 27 d8 c0 10 a7 2a b2 7a 61 84 eb d4 81 8b | 8e 3b 30 2f b0 0d 52 0a 95 75 b3 6e 88 e4 a2 82 | 5f ea 74 39 d2 fa db 58 39 0b 33 1e e6 fd 56 98 | 6a fd 6f ef e1 d8 3e 4a 95 cd 7b a9 3e 46 98 c5 | e8 c4 96 38 d9 bf a7 47 bb 66 4a 82 8d 0c d6 97 | 9a 63 60 27 15 c0 9e 61 32 0a 78 e3 e9 4b 96 73 | 2d f5 0e 83 60 c9 0c 7b 3b 20 09 61 e2 4d f2 79 | c5 99 0c f4 b8 23 be ae 98 08 5a d2 d9 37 75 42 | ba cc f4 c6 2d 6e df f2 48 a2 21 59 b4 eb 74 04 | d9 3f 5e bc fc e8 cc b2 1d 34 c1 ac cf d7 49 c2 | 99 f8 be 40 c1 cb 25 7b 14 fe f0 3b 5a a3 05 7d | 39 92 0d 02 07 60 92 03 34 e7 d6 5b 8b 2a 14 82 | 9e 29 81 14 80 80 fe 70 98 3b fb | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 30 b8 78 88 f4 d6 0c 9b | responder cookie: | 4a 17 81 4f d6 9f 44 e7 | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) | start processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) | [RE]START processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2062) | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #1 is idle | #1 idle | Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1 | unpacking clear payload | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 2 (0x2) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | #1 in state PARENT_R1: received v2I1, sent v2R1 | received IKE encrypted fragment number '2', total number '5', next payload '0' | stop processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) | #1 spent 0.102 milliseconds in ikev2_process_packet() | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.11 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00112 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 539 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 30 b8 78 88 f4 d6 0c 9b 4a 17 81 4f d6 9f 44 e7 | 35 20 23 08 00 00 00 01 00 00 02 1b 00 00 01 ff | 00 03 00 05 0a 28 5a 8e fc c5 a6 59 32 c0 66 b6 | 66 8c 50 fc 20 43 63 3c 69 6e 09 92 5f 29 4b a4 | 7a 30 da 08 e7 3f b8 8b 04 9c 32 e1 41 72 17 58 | ca 35 52 cc 54 08 e2 5b 8f b3 e4 59 65 b7 6d 2b | 94 f3 64 15 bf 31 f5 c6 26 dc 55 c6 d8 8f 4f eb | 39 c4 93 da e4 bb 48 02 ea 07 91 22 3b 8f 85 6d | 4c 50 15 cb 02 af da 0a ba 97 ae 39 fc b6 9e cf | 78 92 46 fc 7d 5b 10 2a 6d b9 80 e8 00 81 29 44 | da c0 89 8a 98 84 4d 7e d4 fd 3c af cd fd 82 37 | c2 69 8e 9b 33 5c 7a a9 7e ca 80 29 4a c2 eb 10 | 62 a1 9f 7d 28 39 9a 22 a3 10 73 f1 b3 e5 51 64 | 79 14 00 a1 99 e9 34 3d d9 5f fc f7 a9 b8 e2 bf | 68 11 14 47 63 65 75 a7 62 01 f9 79 50 62 9c a7 | 6f d4 50 58 eb a9 cb 6c 01 c9 da 1b f5 d4 da 3e | bf d1 86 e9 fd 01 4a e1 12 73 78 b5 78 46 54 31 | 70 0c af b7 8c 95 d5 d6 4d 23 6d 09 be 76 5f 67 | 10 6e 7a 65 42 3b 65 40 06 b8 79 2b 44 b0 9f f3 | 5d fd 0c 8b 70 ad 8b 47 12 80 7a 36 2f 89 9c 00 | 3f db 07 3d 4e 13 18 05 e5 68 36 6a b5 f0 2a 65 | d8 b0 a5 dd 26 fe 47 04 3c 5e e4 02 a1 2a 0e b8 | b8 e8 53 ff d9 67 b8 6c 21 fb 2f d8 98 04 81 cf | 01 bd 07 9e 75 0b 8a 4d 6f bf 1d bc aa 95 c4 f3 | a7 b0 00 91 c6 be e4 d6 87 7f 4e 12 6d a4 d8 d9 | 00 d3 33 c9 70 a4 fd dd 6b 73 1c b0 f3 8f 40 2c | 66 a7 13 b3 55 c1 d4 86 b9 fc 0d 50 b9 cc 9d a5 | 26 a7 c0 e7 18 b9 26 22 88 f9 0b 42 7d cf b8 a3 | df 38 f2 5d 50 ca 18 84 ef ae e7 98 a9 4d 3c 47 | f8 fb 73 6a ce 88 2e a7 e8 8c e3 43 7a ea 08 59 | 52 c7 07 f0 16 e6 d7 26 b3 dd a3 79 51 e4 47 3f | 09 84 7d cf bf 0e ee eb d9 f2 05 fe fa 81 11 e7 | e2 26 d0 bc f9 d3 14 cc 5c 73 41 9e b1 83 4c 16 | cf 73 3f 16 3b cf 64 29 24 15 5d | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 30 b8 78 88 f4 d6 0c 9b | responder cookie: | 4a 17 81 4f d6 9f 44 e7 | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) | start processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) | [RE]START processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2062) | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #1 is idle | #1 idle | Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1 | unpacking clear payload | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 3 (0x3) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | #1 in state PARENT_R1: received v2I1, sent v2R1 | received IKE encrypted fragment number '3', total number '5', next payload '0' | stop processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) | #1 spent 0.0903 milliseconds in ikev2_process_packet() | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.0971 milliseconds in comm_handle_cb() reading and processing packet | spent 0.001 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 539 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 30 b8 78 88 f4 d6 0c 9b 4a 17 81 4f d6 9f 44 e7 | 35 20 23 08 00 00 00 01 00 00 02 1b 00 00 01 ff | 00 04 00 05 07 fb c5 4c 01 02 ad 5e 6f f0 ef 47 | a4 82 df e3 59 b5 45 9f 12 98 4a b8 bb 72 72 33 | 3b f7 cc ff 17 81 bd 12 60 62 a9 3d 33 56 fa 5b | 66 40 68 65 cd b9 5e 59 4b a2 b8 68 21 a0 38 0e | 7a de 67 9a 65 1e 52 21 ea 08 3e 92 4c e9 bf 25 | 77 0e 2b 08 0c 61 90 b1 a2 62 ec 02 3d 05 3e b1 | 4e a0 a6 5e 95 7d dd c1 f9 a8 64 5b 30 42 d6 47 | 7d 35 d9 c7 3f fd c1 ae 99 ad 5b 9e 11 43 48 8f | 3c 84 a0 bb a5 08 3a 2c b1 5c 45 dd c8 c1 17 89 | 29 f2 0a 66 49 ec cc db 95 b9 e3 3f 32 ac c2 53 | ac b9 fc a6 41 57 58 25 6c 99 77 9b 21 43 43 eb | 31 25 6d 8b cb d1 f7 fc 17 39 f7 db f9 b5 5e 89 | ae 4c 62 67 e3 95 8b d9 5e 21 2d 89 de ba 58 67 | d8 63 3c 03 d0 4e 15 39 8c 45 82 9a 32 65 ed f5 | c5 0e 7c 80 00 b0 de eb 1c 42 fb 95 4b c7 4b 10 | 2f 31 ee 6e e9 a0 2a 80 6d 91 29 6d 58 bb d2 1f | 47 32 41 a8 a6 69 73 22 81 f8 04 f8 2b 77 8c fc | 6d b9 d3 73 11 c2 a4 dd 3f 2f 40 a7 fa 96 8a c2 | 55 c2 57 8f 61 2e 15 40 4e 5e 06 ea 48 b7 84 69 | 84 af 52 a6 27 18 c6 07 1b ff 3a 8a f2 8b e8 0a | 3d eb 88 22 a3 be 2e 94 bb 0a 92 7f de f7 03 84 | 15 86 f7 d3 89 4d 6c 2a 3d 53 77 91 35 5d fe b8 | 2a ee f5 c8 58 cc bb 78 c5 cb 3a 75 ef 9c 70 76 | 6d 56 65 39 3c 46 f4 c5 d5 70 51 df 1d 64 fa f3 | a7 f5 61 64 cc 5d 0f d9 79 e7 6c 52 a8 4a 5c 8b | 35 2f b4 30 f9 56 62 d2 bf 7b ef 55 a9 60 be 5a | b8 ba 55 d9 7d b9 9b df b5 b3 be 1b 92 f6 1f 61 | e5 be 99 11 4d 59 7d 46 d8 02 fd d9 38 f2 7f 51 | 5e f5 7e 61 4c 0a 6a ef 4a f1 74 23 0c 2e 6c 42 | 07 68 8c c0 c0 54 59 80 66 93 7c dd 57 8f 7a af | 4a 41 91 78 24 e3 f2 26 14 48 d3 0f 0d 55 30 61 | 9a 75 ae 09 fb 49 8c ff f6 43 9a | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 30 b8 78 88 f4 d6 0c 9b | responder cookie: | 4a 17 81 4f d6 9f 44 e7 | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) | start processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) | [RE]START processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2062) | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #1 is idle | #1 idle | Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1 | unpacking clear payload | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 4 (0x4) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | #1 in state PARENT_R1: received v2I1, sent v2R1 | received IKE encrypted fragment number '4', total number '5', next payload '0' | stop processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) | #1 spent 0.127 milliseconds in ikev2_process_packet() | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.138 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00149 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 425 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 30 b8 78 88 f4 d6 0c 9b 4a 17 81 4f d6 9f 44 e7 | 35 20 23 08 00 00 00 01 00 00 01 a9 00 00 01 8d | 00 05 00 05 39 21 df f6 82 92 e2 4a 2c a9 3b 77 | 18 a2 6e fd 8a 90 ab e0 09 e7 7f 2f d9 35 21 8b | 8f 80 28 cc e9 79 78 82 a0 85 7b b4 fc 36 84 7f | f0 b5 77 d2 3e a2 38 ff a5 a7 c0 6c 5a 0a 97 ad | 64 c0 f4 b9 0f d1 ee 3b 15 82 9c ee 0d 96 da 45 | cd 93 44 a8 c3 4d 2d dc 6e 17 eb 96 0b 64 21 ae | 39 c2 06 81 f0 a9 b4 e4 63 56 06 75 b6 37 e7 cb | cd 0c 5b 58 3a b4 93 7d 36 f7 63 50 db 7d 66 ab | 31 af 4b 1e e7 0c 83 47 dc fa e9 f4 5d 44 d5 f5 | 22 9a a2 7b e4 86 62 2d f8 99 ca 8f eb b5 08 99 | 58 e1 7a a3 9b 4b e9 a5 b1 86 b3 fc 1f 2e 88 f9 | de 30 a9 10 de d4 04 87 48 33 5f 43 ef 86 9b 0e | 76 4e 04 0d 2d cc 07 cb 19 1d c1 ba c7 ea 89 87 | 7b ea 7a 30 60 59 b1 c2 10 74 d9 9d c3 a7 2f e6 | f9 39 80 2b 53 11 3f 0f a9 7f b7 0b 85 a5 38 ed | 84 a1 82 38 bc 1b 2f 33 aa a5 96 14 3e 96 a6 4f | 1a f3 ba 5c a5 43 59 ee 6c 38 d2 c8 6b f2 ac c8 | e7 03 9c 3e 7a b6 c4 93 f3 c8 d5 c4 f0 ac 92 81 | 46 d6 67 de 57 f2 49 5b fc 77 ed f3 03 76 62 cf | df c2 6c 86 73 0c 86 d2 1c 07 cd 79 33 2f 2e 9c | df 37 84 d1 70 ef d3 90 8f 77 24 4a 6f a3 98 f3 | 83 d5 dc d9 37 52 9e 8d af 2d 97 30 f4 33 d1 35 | dc f8 21 5e 79 d5 9c 1b 03 9a 08 1f 03 53 cf 82 | ed 02 49 6c fa 05 4f e0 7a 98 d0 f8 d2 19 79 70 | 3a 12 cf 00 67 09 52 15 c6 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 30 b8 78 88 f4 d6 0c 9b | responder cookie: | 4a 17 81 4f d6 9f 44 e7 | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 425 (0x1a9) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) | start processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) | [RE]START processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2062) | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #1 is idle | #1 idle | Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1 | unpacking clear payload | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 397 (0x18d) | fragment number: 5 (0x5) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=389) | #1 in state PARENT_R1: received v2I1, sent v2R1 | received IKE encrypted fragment number '5', total number '5', next payload '0' | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with state specific processing | calling processor Responder: process IKE_AUTH request (no SKEYSEED) | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 | adding ikev2_inI2outR2 KE work-order 2 for state #1 | state #1 requesting EVENT_SO_DISCARD to be deleted | libevent_free: release ptr-libevent@0x563aeeb2ccb8 | free_event_entry: release EVENT_SO_DISCARD-pe@0x563aeeb21d48 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x563aeeb21d48 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x7f2940002888 size 128 | #1 spent 0.0302 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() | crypto helper 3 resuming | [RE]START processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND | crypto helper 3 starting work-order 2 for state #1 | suspending state #1 and saving MD | #1 is busy; has a suspended MD | crypto helper 3 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 | [RE]START processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) | "main-north"[1] 192.1.2.45 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 | stop processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) | #1 spent 0.201 milliseconds in ikev2_process_packet() | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.208 milliseconds in comm_handle_cb() reading and processing packet | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 | crypto helper 3 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001223 seconds | (#1) spent 1.23 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) | crypto helper 3 sending results from work-order 2 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f2938000f48 size 128 | crypto helper 3 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "main-north"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 3 replies to request ID 2 | calling continuation function 0x563aecd28b50 | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 | #1 in state PARENT_R1: received v2I1, sent v2R1 | already have all fragments, skipping fragment collection | already have all fragments, skipping fragment collection | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) | **parse IKEv2 Identification - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2CERT (0x25) | flags: none (0x0) | length: 191 (0xbf) | ID type: ID_DER_ASN1_DN (0x9) | processing payload: ISAKMP_NEXT_v2IDi (len=183) | Now let's proceed with payload (ISAKMP_NEXT_v2CERT) | **parse IKEv2 Certificate Payload: | next payload type: ISAKMP_NEXT_v2CERTREQ (0x26) | flags: none (0x0) | length: 1265 (0x4f1) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | processing payload: ISAKMP_NEXT_v2CERT (len=1260) | Now let's proceed with payload (ISAKMP_NEXT_v2CERTREQ) | **parse IKEv2 Certificate Request Payload: | next payload type: ISAKMP_NEXT_v2IDr (0x24) | flags: none (0x0) | length: 25 (0x19) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | processing payload: ISAKMP_NEXT_v2CERTREQ (len=20) | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) | **parse IKEv2 Identification - Responder - Payload: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) | flags: none (0x0) | length: 191 (0xbf) | ID type: ID_DER_ASN1_DN (0x9) | processing payload: ISAKMP_NEXT_v2IDr (len=183) | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) | **parse IKEv2 Authentication Payload: | next payload type: ISAKMP_NEXT_v2SA (0x21) | flags: none (0x0) | length: 392 (0x188) | auth method: IKEv2_AUTH_RSA (0x1) | processing payload: ISAKMP_NEXT_v2AUTH (len=384) | Now let's proceed with payload (ISAKMP_NEXT_v2SA) | **parse IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) | flags: none (0x0) | length: 164 (0xa4) | processing payload: ISAKMP_NEXT_v2SA (len=160) | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) | **parse IKEv2 Traffic Selector - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) | flags: none (0x0) | length: 24 (0x18) | number of TS: 1 (0x1) | processing payload: ISAKMP_NEXT_v2TSi (len=16) | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) | **parse IKEv2 Traffic Selector - Responder - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 24 (0x18) | number of TS: 1 (0x1) | processing payload: ISAKMP_NEXT_v2TSr (len=16) | selected state microcode Responder: process IKE_AUTH request | Now let's proceed with state specific processing | calling processor Responder: process IKE_AUTH request "main-north"[1] 192.1.2.45 #1: processing decrypted IKE_AUTH request: SK{IDi,CERT,CERTREQ,IDr,AUTH,SA,TSi,TSr} | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) | global one-shot timer EVENT_FREE_ROOT_CERTS scheduled in 300 seconds loading root certificate cache | spent 2.76 milliseconds in get_root_certs() calling PK11_ListCertsInSlot() | spent 0.0241 milliseconds in get_root_certs() filtering CAs | #1 spent 2.81 milliseconds in find_and_verify_certs() calling get_root_certs() | checking for known CERT payloads | saving certificate of type 'X509_SIGNATURE' | decoded cert: E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | #1 spent 0.232 milliseconds in find_and_verify_certs() calling decode_cert_payloads() | cert_issuer_has_current_crl: looking for a CRL issued by E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | #1 spent 0.0418 milliseconds in find_and_verify_certs() calling crl_update_check() | missing or expired CRL | crl_strict: 0, ocsp: 0, ocsp_strict: 0, ocsp_post: 0 | verify_end_cert trying profile IPsec "main-north"[1] 192.1.2.45 #1: Certificate E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA failed IPsec verification "main-north"[1] 192.1.2.45 #1: ERROR: The certificate was signed using a signature algorithm that is disabled because it is not secure. | #1 spent 0.457 milliseconds in find_and_verify_certs() calling verify_end_cert() "main-north"[1] 192.1.2.45 #1: X509: Certificate rejected for this connection "main-north"[1] 192.1.2.45 #1: X509: CERT payload bogus or revoked | DER ASN1 DN: 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02 43 41 | DER ASN1 DN: 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | DER ASN1 DN: 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | DER ASN1 DN: 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | DER ASN1 DN: 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | DER ASN1 DN: 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | DER ASN1 DN: 6e 74 31 23 30 21 06 03 55 04 03 0c 1a 77 65 73 | DER ASN1 DN: 74 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | DER ASN1 DN: 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a 86 48 | DER ASN1 DN: 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 77 65 73 | DER ASN1 DN: 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | DER ASN1 DN: 77 61 6e 2e 6f 72 67 | received IDr payload - extracting our alleged ID | DER ASN1 DN: 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02 43 41 | DER ASN1 DN: 31 10 30 0e 06 03 55 04 08 13 07 4f 6e 74 61 72 | DER ASN1 DN: 69 6f 31 10 30 0e 06 03 55 04 07 13 07 54 6f 72 | DER ASN1 DN: 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 13 09 4c | DER ASN1 DN: 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | DER ASN1 DN: 0b 13 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | DER ASN1 DN: 6e 74 31 23 30 21 06 03 55 04 03 13 1a 65 61 73 | DER ASN1 DN: 74 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | DER ASN1 DN: 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a 86 48 | DER ASN1 DN: 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 65 61 73 | DER ASN1 DN: 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | DER ASN1 DN: 77 61 6e 2e 6f 72 67 | CERT_X509_SIGNATURE CR: | 58 13 71 57 9d ee 1a 15 74 03 12 80 12 4d c1 85 | 2b 92 25 e9 | cert blob content is not binary ASN.1 | refine_host_connection for IKEv2: starting with "main-north"[1] 192.1.2.45 | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=%fromcert | results fail | refine_host_connection: checking "main-north"[1] 192.1.2.45 against "main-north"[1] 192.1.2.45, best=(none) with match=0(id=0(0)/ca=1(0)/reqca=1(0)) | Warning: not switching back to template of current instance | Peer expects us to be C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org (ID_DER_ASN1_DN) according to its IDr payload | This connection's local id is C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org (ID_DER_ASN1_DN) "main-north"[1] 192.1.2.45 #1: No matching subjectAltName found for '=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' | IDr payload 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' is NOT a valid certificate SAN for this connection | Peer IDr payload does not match our expected ID, this connection will not do | refine going into 2nd loop allowing instantiated conns as well | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=%fromcert | results fail | refine_host_connection: checking "main-north"[1] 192.1.2.45 against "main-north", best=(none) with match=0(id=0(0)/ca=1(0)/reqca=1(0)) | Warning: not switching back to template of current instance | Peer expects us to be C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org (ID_DER_ASN1_DN) according to its IDr payload | This connection's local id is C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org (ID_DER_ASN1_DN) "main-north"[1] 192.1.2.45 #1: No matching subjectAltName found for '=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' | IDr payload 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' is NOT a valid certificate SAN for this connection | Peer IDr payload does not match our expected ID, this connection will not do | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=%fromcert | results fail | refine_host_connection: checking "main-north"[1] 192.1.2.45 against "main-east", best=(none) with match=0(id=0(0)/ca=1(0)/reqca=1(0)) | Warning: not switching back to template of current instance | Peer expects us to be C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org (ID_DER_ASN1_DN) according to its IDr payload | This connection's local id is C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org (ID_DER_ASN1_DN) "main-north"[1] 192.1.2.45 #1: No matching subjectAltName found for '=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' | IDr payload 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' is NOT a valid certificate SAN for this connection | refine_host_connection: checked main-north[1] 192.1.2.45 against main-east, now for see if best | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->%fromcert of kind PKK_RSA | searching for certificate PKK_RSA:AwEAAcBZv vs PKK_RSA:AwEAAbEef | searching for certificate PKK_RSA:AwEAAbEef vs PKK_RSA:AwEAAbEef | refine_host_connection: picking new best "main-east" (wild=0, peer_pathlen=0/our=0) | returning since no better match than original best_found "main-north"[1] 192.1.2.45 #1: switched from "main-north"[1] 192.1.2.45 to "main-east" | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@0x563aeeb2dfb8: main-north | rw_instantiate() instantiated "main-east"[1] 192.1.2.45 for 192.1.2.45 | in connection_discard for connection main-north | connection is instance | not in pending use | State DB: state not found (connection_discard) | no states use this connection instance, deleting | start processing: connection "main-north"[1] 192.1.2.45 (BACKGROUND) (in delete_connection() at connections.c:189) "main-east"[1] 192.1.2.45 #1: deleting connection "main-north"[1] 192.1.2.45 instance with peer 192.1.2.45 {isakmp=#0/ipsec=#0} | Deleting states for connection - not including other IPsec SA's | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | state #1 | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | state #1 | flush revival: connection 'main-north' wasn't on the list | stop processing: connection "main-north"[1] 192.1.2.45 (BACKGROUND) (in discard_connection() at connections.c:249) | retrying ikev2_decode_peer_id_and_certs() with new conn | DER ASN1 DN: 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02 43 41 | DER ASN1 DN: 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | DER ASN1 DN: 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | DER ASN1 DN: 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | DER ASN1 DN: 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | DER ASN1 DN: 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | DER ASN1 DN: 6e 74 31 23 30 21 06 03 55 04 03 0c 1a 77 65 73 | DER ASN1 DN: 74 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | DER ASN1 DN: 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a 86 48 | DER ASN1 DN: 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 77 65 73 | DER ASN1 DN: 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | DER ASN1 DN: 77 61 6e 2e 6f 72 67 | received IDr payload - extracting our alleged ID | DER ASN1 DN: 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02 43 41 | DER ASN1 DN: 31 10 30 0e 06 03 55 04 08 13 07 4f 6e 74 61 72 | DER ASN1 DN: 69 6f 31 10 30 0e 06 03 55 04 07 13 07 54 6f 72 | DER ASN1 DN: 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 13 09 4c | DER ASN1 DN: 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | DER ASN1 DN: 0b 13 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | DER ASN1 DN: 6e 74 31 23 30 21 06 03 55 04 03 13 1a 65 61 73 | DER ASN1 DN: 74 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | DER ASN1 DN: 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a 86 48 | DER ASN1 DN: 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 65 61 73 | DER ASN1 DN: 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | DER ASN1 DN: 77 61 6e 2e 6f 72 67 | CERT_X509_SIGNATURE CR: | 58 13 71 57 9d ee 1a 15 74 03 12 80 12 4d c1 85 | 2b 92 25 e9 | cert blob content is not binary ASN.1 | refine_host_connection for IKEv2: starting with "main-east"[1] 192.1.2.45 | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | refine_host_connection: checking "main-east"[1] 192.1.2.45 against "main-east"[1] 192.1.2.45, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) | Warning: not switching back to template of current instance | Peer expects us to be C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org (ID_DER_ASN1_DN) according to its IDr payload | This connection's local id is C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org (ID_DER_ASN1_DN) "main-east"[1] 192.1.2.45 #1: No matching subjectAltName found for '=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' | IDr payload 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' is NOT a valid certificate SAN for this connection | refine_host_connection: checked main-east[1] 192.1.2.45 against main-east[1] 192.1.2.45, now for see if best | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_RSA | searching for certificate PKK_RSA:AwEAAcBZv vs PKK_RSA:AwEAAbEef | searching for certificate PKK_RSA:AwEAAbEef vs PKK_RSA:AwEAAbEef | returning because exact peer id match | offered CA: '%none' "main-east"[1] 192.1.2.45 #1: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | received CERTREQ payload; going to decode it | CERT_X509_SIGNATURE CR: | 58 13 71 57 9d ee 1a 15 74 03 12 80 12 4d c1 85 | 2b 92 25 e9 | cert blob content is not binary ASN.1 | verifying AUTH payload | required RSA CA is '%any' | checking RSA keyid 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | checking RSA keyid 'user-north@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | checking RSA keyid '@north.testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | checking RSA keyid 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | checking RSA keyid 'user-east@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | checking RSA keyid '@east.testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | checking RSA keyid 'east@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | checking RSA keyid '192.1.2.23' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' "main-east"[1] 192.1.2.45 #1: no RSA public key known for 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | #1 spent 0.0647 milliseconds in ikev2_verify_rsa_hash() "main-east"[1] 192.1.2.45 #1: RSA authentication of I2 Auth Payload failed "main-east"[1] 192.1.2.45 #1: responding to IKE_AUTH message (ID 1) from 192.1.2.45:500 with encrypted notification AUTHENTICATION_FAILED | Opening output PBS encrypted notification | **emit ISAKMP Message: | initiator cookie: | 30 b8 78 88 f4 d6 0c 9b | responder cookie: | 4a 17 81 4f d6 9f 44 e7 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'encrypted notification' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | Adding a v2N Payload | ****emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_AUTHENTICATION_FAILED (0x18) | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'encrypted notification' | emitting length of IKEv2 Notify Payload: 8 | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 37 | emitting length of ISAKMP Message: 65 | sending 65 bytes for v2 notify through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 30 b8 78 88 f4 d6 0c 9b 4a 17 81 4f d6 9f 44 e7 | 2e 20 23 20 00 00 00 01 00 00 00 41 29 00 00 25 | f5 1f 54 fa ee d0 2f 28 ff 38 60 01 74 2e 5b 05 | e5 18 5f 8a 85 a0 4d 69 db b9 4e 12 c4 72 da c5 | 84 | pstats #1 ikev2.ike failed auth-failed | ikev2_parent_inI2outR2_continue_tail returned STF_FATAL | #1 spent 4.32 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() | [RE]START processing: state #1 connection "main-east"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) | #1 complete_v2_state_transition() PARENT_R1->V2_IPSEC_R with status STF_FATAL | release_pending_whacks: state #1 has no whack fd | pstats #1 ikev2.ike deleted auth-failed | #1 spent 4.23 milliseconds in total | [RE]START processing: state #1 connection "main-east"[1] 192.1.2.45 from 192.1.2.45:500 (in delete_state() at state.c:879) "main-east"[1] 192.1.2.45 #1: deleting state (STATE_PARENT_R1) aged 0.020s and NOT sending notification | parent state #1: PARENT_R1(half-open IKE SA) => delete | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7f2940002888 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x563aeeb21d48 | State DB: IKEv2 state not found (flush_incomplete_children) | in connection_discard for connection main-east | connection is instance | not in pending use | State DB: state not found (connection_discard) | no states use this connection instance, deleting | start processing: connection "main-east"[1] 192.1.2.45 (BACKGROUND) (in delete_connection() at connections.c:189) deleting connection "main-east"[1] 192.1.2.45 instance with peer 192.1.2.45 {isakmp=#0/ipsec=#0} | Deleting states for connection - not including other IPsec SA's | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | state #1 | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | state #1 | free hp@0x563aeeb2dfb8 | flush revival: connection 'main-east' wasn't on the list | stop processing: connection "main-east"[1] 192.1.2.45 (BACKGROUND) (in discard_connection() at connections.c:249) | State DB: deleting IKEv2 state #1 in PARENT_R1 | parent state #1: PARENT_R1(half-open IKE SA) => UNDEFINED(ignore) | stop processing: state #1 from 192.1.2.45:500 (in delete_state() at state.c:1143) | resume sending helper answer for #1 suppresed complete_v2_state_transition() | in statetime_stop() and could not find #1 | processing: STOP state #0 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f2938000f48 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_STATE_... in show_traffic_status (sort_states) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0392 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... in show_states_status (sort_states) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.347 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) shutting down | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) destroying root certificate cache | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' | unreference key: 0x563aeeb2dc38 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org cnt 1-- | unreference key: 0x563aeeb2d428 user-north@testing.libreswan.org cnt 1-- | unreference key: 0x563aeeb2d208 @north.testing.libreswan.org cnt 1-- | unreference key: 0x563aeeb279a8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | unreference key: 0x563aeeb27528 user-east@testing.libreswan.org cnt 1-- | unreference key: 0x563aeeb26fc8 @east.testing.libreswan.org cnt 1-- | unreference key: 0x563aeeb25888 east@testing.libreswan.org cnt 1-- | unreference key: 0x563aeeb25668 192.1.2.23 cnt 1-- | start processing: connection "main-north" (in delete_connection() at connections.c:189) | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | flush revival: connection 'main-north' wasn't on the list | stop processing: connection "main-north" (in discard_connection() at connections.c:249) | start processing: connection "main-east" (in delete_connection() at connections.c:189) | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | free hp@0x563aeeb220f8 | flush revival: connection 'main-east' wasn't on the list | stop processing: connection "main-east" (in discard_connection() at connections.c:249) | crl fetch request list locked by 'free_crl_fetch' | crl fetch request list unlocked by 'free_crl_fetch' shutting down interface lo/lo 127.0.0.1:4500 shutting down interface lo/lo 127.0.0.1:500 shutting down interface eth0/eth0 192.0.2.254:4500 shutting down interface eth0/eth0 192.0.2.254:500 shutting down interface eth1/eth1 192.1.2.23:4500 shutting down interface eth1/eth1 192.1.2.23:500 | FOR_EACH_STATE_... in delete_states_dead_interfaces | libevent_free: release ptr-libevent@0x563aeeb127d8 | free_event_entry: release EVENT_NULL-pe@0x563aeeb1e6c8 | libevent_free: release ptr-libevent@0x563aeeab8fe8 | free_event_entry: release EVENT_NULL-pe@0x563aeeb1e778 | libevent_free: release ptr-libevent@0x563aeeab8908 | free_event_entry: release EVENT_NULL-pe@0x563aeeb1e828 | libevent_free: release ptr-libevent@0x563aeeac01c8 | free_event_entry: release EVENT_NULL-pe@0x563aeeb1e8d8 | libevent_free: release ptr-libevent@0x563aeeac02c8 | free_event_entry: release EVENT_NULL-pe@0x563aeeb1e988 | libevent_free: release ptr-libevent@0x563aeeac03c8 | free_event_entry: release EVENT_NULL-pe@0x563aeeb1ea38 | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | libevent_free: release ptr-libevent@0x563aeeb12888 | free_event_entry: release EVENT_NULL-pe@0x563aeeb069a8 | libevent_free: release ptr-libevent@0x563aeeab8f38 | free_event_entry: release EVENT_NULL-pe@0x563aeeb06508 | libevent_free: release ptr-libevent@0x563aeeaff4e8 | free_event_entry: release EVENT_NULL-pe@0x563aeeac0478 | global timer EVENT_REINIT_SECRET uninitialized | global timer EVENT_SHUNT_SCAN uninitialized | global timer EVENT_PENDING_DDNS uninitialized | global timer EVENT_PENDING_PHASE2 uninitialized | global timer EVENT_CHECK_CRLS uninitialized | global timer EVENT_REVIVE_CONNS uninitialized | global timer EVENT_FREE_ROOT_CERTS uninitialized | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized | global timer EVENT_NAT_T_KEEPALIVE uninitialized | libevent_free: release ptr-libevent@0x563aeeac4a48 | signal event handler PLUTO_SIGCHLD uninstalled | libevent_free: release ptr-libevent@0x563aeea42788 | signal event handler PLUTO_SIGTERM uninstalled | libevent_free: release ptr-libevent@0x563aeeb1dea8 | signal event handler PLUTO_SIGHUP uninstalled | libevent_free: release ptr-libevent@0x563aeeb1e0e8 | signal event handler PLUTO_SIGSYS uninstalled | releasing event base | libevent_free: release ptr-libevent@0x563aeeb1dfb8 | libevent_free: release ptr-libevent@0x563aeeb00dc8 | libevent_free: release ptr-libevent@0x563aeeb00d78 | libevent_free: release ptr-libevent@0x563aeeab8288 | libevent_free: release ptr-libevent@0x563aeeb00d38 | libevent_free: release ptr-libevent@0x563aeeb1db78 | libevent_free: release ptr-libevent@0x563aeeb1dde8 | libevent_free: release ptr-libevent@0x563aeeb00f78 | libevent_free: release ptr-libevent@0x563aeeb06578 | libevent_free: release ptr-libevent@0x563aeeb061d8 | libevent_free: release ptr-libevent@0x563aeeb1eaa8 | libevent_free: release ptr-libevent@0x563aeeb1e9f8 | libevent_free: release ptr-libevent@0x563aeeb1e948 | libevent_free: release ptr-libevent@0x563aeeb1e898 | libevent_free: release ptr-libevent@0x563aeeb1e7e8 | libevent_free: release ptr-libevent@0x563aeeb1e738 | libevent_free: release ptr-libevent@0x563aeea41aa8 | libevent_free: release ptr-libevent@0x563aeeb1de68 | libevent_free: release ptr-libevent@0x563aeeb1de28 | libevent_free: release ptr-libevent@0x563aeeb1dce8 | libevent_free: release ptr-libevent@0x563aeeb1df78 | libevent_free: release ptr-libevent@0x563aeeb1dbb8 | libevent_free: release ptr-libevent@0x563aeeac65d8 | libevent_free: release ptr-libevent@0x563aeeac6558 | libevent_free: release ptr-libevent@0x563aeea41e18 | releasing global libevent data | libevent_free: release ptr-libevent@0x563aeeac6758 | libevent_free: release ptr-libevent@0x563aeeac66d8 | libevent_free: release ptr-libevent@0x563aeeac6658 leak: 2 * issuer ca, item size: 175 leak detective found 2 leaks, total size 175