FIPS Product: YES
FIPS Kernel: NO
FIPS Mode: NO
NSS DB directory: sql:/etc/ipsec.d
Initializing NSS
Opening NSS database "sql:/etc/ipsec.d" read-only
NSS initialized
NSS crypto library initialized
FIPS HMAC integrity support [enabled]
FIPS mode disabled for pluto daemon
FIPS HMAC integrity verification self-test FAILED
libcap-ng support [enabled]
Linux audit support [enabled]
Linux audit activated
Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:22808
core dump dir: /tmp
secrets file: /etc/ipsec.secrets
leak-detective enabled
NSS crypto [enabled]
XAUTH PAM support [enabled]
| libevent is using pluto's memory allocator
Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
| libevent_malloc: new ptr-libevent@0x5628750f5e08 size 40
| libevent_malloc: new ptr-libevent@0x5628750f5d88 size 40
| libevent_malloc: new ptr-libevent@0x5628750f5d08 size 40
| creating event base
| libevent_malloc: new ptr-libevent@0x5628750e7938 size 56
| libevent_malloc: new ptr-libevent@0x5628750714c8 size 664
| libevent_malloc: new ptr-libevent@0x562875130408 size 24
| libevent_malloc: new ptr-libevent@0x562875130458 size 384
| libevent_malloc: new ptr-libevent@0x5628751303c8 size 16
| libevent_malloc: new ptr-libevent@0x5628750f5c88 size 40
| libevent_malloc: new ptr-libevent@0x5628750f5c08 size 48
| libevent_realloc: new ptr-libevent@0x562875071d88 size 256
| libevent_malloc: new ptr-libevent@0x562875130608 size 16
| libevent_free: release ptr-libevent@0x5628750e7938
| libevent initialized
| libevent_realloc: new ptr-libevent@0x5628750e7938 size 64
| global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds
| init_nat_traversal() initialized with keep_alive=0s
NAT-Traversal support [enabled]
| global one-shot timer EVENT_NAT_T_KEEPALIVE initialized
| global one-shot timer EVENT_FREE_ROOT_CERTS initialized
| global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds
| global one-shot timer EVENT_REVIVE_CONNS initialized
| global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds
| global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds
Encryption algorithms:
AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c
AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b
AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a
3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des
CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia
AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c
AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b
AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a
AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr
AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes
SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent
TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish
TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh
NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac
NULL IKEv1: ESP IKEv2: ESP []
CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305
Hash algorithms:
MD5 IKEv1: IKE IKEv2:
SHA1 IKEv1: IKE IKEv2: FIPS sha
SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256
SHA2_384 IKEv1: IKE IKEv2: FIPS sha384
SHA2_512 IKEv1: IKE IKEv2: FIPS sha512
PRF algorithms:
HMAC_MD5 IKEv1: IKE IKEv2: IKE md5
HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1
HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256
HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384
HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512
AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc
Integrity algorithms:
HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5
HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1
HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512
HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384
HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96
AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
DH algorithms:
NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0
MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5
MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14
MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15
MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16
MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17
MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18
DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256
DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384
DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521
DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519
testing CAMELLIA_CBC:
Camellia: 16 bytes with 128-bit key
Camellia: 16 bytes with 128-bit key
Camellia: 16 bytes with 256-bit key
Camellia: 16 bytes with 256-bit key
testing AES_GCM_16:
empty string
one block
two blocks
two blocks with associated data
testing AES_CTR:
Encrypting 16 octets using AES-CTR with 128-bit key
Encrypting 32 octets using AES-CTR with 128-bit key
Encrypting 36 octets using AES-CTR with 128-bit key
Encrypting 16 octets using AES-CTR with 192-bit key
Encrypting 32 octets using AES-CTR with 192-bit key
Encrypting 36 octets using AES-CTR with 192-bit key
Encrypting 16 octets using AES-CTR with 256-bit key
Encrypting 32 octets using AES-CTR with 256-bit key
Encrypting 36 octets using AES-CTR with 256-bit key
testing AES_CBC:
Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
testing AES_XCBC:
RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input
RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input
RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input
RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input
RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input
RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input
RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input
RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
testing HMAC_MD5:
RFC 2104: MD5_HMAC test 1
RFC 2104: MD5_HMAC test 2
RFC 2104: MD5_HMAC test 3
8 CPU cores online
starting up 7 crypto helpers
started thread for crypto helper 0
| starting up helper thread 0
| status value returned by setting the priority of this thread (crypto helper 0) 22
| crypto helper 0 waiting (nothing to do)
started thread for crypto helper 1
| starting up helper thread 1
| status value returned by setting the priority of this thread (crypto helper 1) 22
| crypto helper 1 waiting (nothing to do)
started thread for crypto helper 2
| starting up helper thread 2
| status value returned by setting the priority of this thread (crypto helper 2) 22
| crypto helper 2 waiting (nothing to do)
started thread for crypto helper 3
| starting up helper thread 3
| status value returned by setting the priority of this thread (crypto helper 3) 22
| crypto helper 3 waiting (nothing to do)
started thread for crypto helper 4
| starting up helper thread 4
| status value returned by setting the priority of this thread (crypto helper 4) 22
| crypto helper 4 waiting (nothing to do)
started thread for crypto helper 5
| starting up helper thread 5
| status value returned by setting the priority of this thread (crypto helper 5) 22
| crypto helper 5 waiting (nothing to do)
started thread for crypto helper 6
| starting up helper thread 6
| status value returned by setting the priority of this thread (crypto helper 6) 22
| crypto helper 6 waiting (nothing to do)
| checking IKEv1 state table
| MAIN_R0: category: half-open IKE SA flags: 0:
| -> MAIN_R1 EVENT_SO_DISCARD
| MAIN_I1: category: half-open IKE SA flags: 0:
| -> MAIN_I2 EVENT_RETRANSMIT
| MAIN_R1: category: open IKE SA flags: 200:
| -> MAIN_R2 EVENT_RETRANSMIT
| -> UNDEFINED EVENT_RETRANSMIT
| -> UNDEFINED EVENT_RETRANSMIT
| MAIN_I2: category: open IKE SA flags: 0:
| -> MAIN_I3 EVENT_RETRANSMIT
| -> UNDEFINED EVENT_RETRANSMIT
| -> UNDEFINED EVENT_RETRANSMIT
| MAIN_R2: category: open IKE SA flags: 0:
| -> MAIN_R3 EVENT_SA_REPLACE
| -> MAIN_R3 EVENT_SA_REPLACE
| -> UNDEFINED EVENT_SA_REPLACE
| MAIN_I3: category: open IKE SA flags: 0:
| -> MAIN_I4 EVENT_SA_REPLACE
| -> MAIN_I4 EVENT_SA_REPLACE
| -> UNDEFINED EVENT_SA_REPLACE
| MAIN_R3: category: established IKE SA flags: 200:
| -> UNDEFINED EVENT_NULL
| MAIN_I4: category: established IKE SA flags: 0:
| -> UNDEFINED EVENT_NULL
| AGGR_R0: category: half-open IKE SA flags: 0:
| -> AGGR_R1 EVENT_SO_DISCARD
| AGGR_I1: category: half-open IKE SA flags: 0:
| -> AGGR_I2 EVENT_SA_REPLACE
| -> AGGR_I2 EVENT_SA_REPLACE
| AGGR_R1: category: open IKE SA flags: 200:
| -> AGGR_R2 EVENT_SA_REPLACE
| -> AGGR_R2 EVENT_SA_REPLACE
| AGGR_I2: category: established IKE SA flags: 200:
| -> UNDEFINED EVENT_NULL
| AGGR_R2: category: established IKE SA flags: 0:
| -> UNDEFINED EVENT_NULL
| QUICK_R0: category: established CHILD SA flags: 0:
| -> QUICK_R1 EVENT_RETRANSMIT
| QUICK_I1: category: established CHILD SA flags: 0:
| -> QUICK_I2 EVENT_SA_REPLACE
| QUICK_R1: category: established CHILD SA flags: 0:
| -> QUICK_R2 EVENT_SA_REPLACE
| QUICK_I2: category: established CHILD SA flags: 200:
| -> UNDEFINED EVENT_NULL
| QUICK_R2: category: established CHILD SA flags: 0:
| -> UNDEFINED EVENT_NULL
| INFO: category: informational flags: 0:
| -> UNDEFINED EVENT_NULL
| INFO_PROTECTED: category: informational flags: 0:
| -> UNDEFINED EVENT_NULL
| XAUTH_R0: category: established IKE SA flags: 0:
| -> XAUTH_R1 EVENT_NULL
| XAUTH_R1: category: established IKE SA flags: 0:
| -> MAIN_R3 EVENT_SA_REPLACE
| MODE_CFG_R0: category: informational flags: 0:
| -> MODE_CFG_R1 EVENT_SA_REPLACE
| MODE_CFG_R1: category: established IKE SA flags: 0:
| -> MODE_CFG_R2 EVENT_SA_REPLACE
| MODE_CFG_R2: category: established IKE SA flags: 0:
| -> UNDEFINED EVENT_NULL
| MODE_CFG_I1: category: established IKE SA flags: 0:
| -> MAIN_I4 EVENT_SA_REPLACE
| XAUTH_I0: category: established IKE SA flags: 0:
| -> XAUTH_I1 EVENT_RETRANSMIT
| XAUTH_I1: category: established IKE SA flags: 0:
| -> MAIN_I4 EVENT_RETRANSMIT
| checking IKEv2 state table
| PARENT_I0: category: ignore flags: 0:
| -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT)
| PARENT_I1: category: half-open IKE SA flags: 0:
| -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification)
| -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH)
| PARENT_I2: category: open IKE SA flags: 0:
| -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification)
| -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification)
| -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification)
| -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response)
| -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification)
| PARENT_I3: category: established IKE SA flags: 0:
| -> PARENT_I3 EVENT_RETAIN (I3: Informational Request)
| -> PARENT_I3 EVENT_RETAIN (I3: Informational Response)
| -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request)
| -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response)
| PARENT_R0: category: half-open IKE SA flags: 0:
| -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT)
| PARENT_R1: category: half-open IKE SA flags: 0:
| -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED))
| -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request)
| PARENT_R2: category: established IKE SA flags: 0:
| -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request)
| -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response)
| -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request)
| -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response)
| V2_CREATE_I0: category: established IKE SA flags: 0:
| -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA)
| V2_CREATE_I: category: established IKE SA flags: 0:
| -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response)
| V2_REKEY_IKE_I0: category: established IKE SA flags: 0:
| -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey)
| V2_REKEY_IKE_I: category: established IKE SA flags: 0:
| -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response)
| V2_REKEY_CHILD_I0: category: established IKE SA flags: 0:
| -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA)
| V2_REKEY_CHILD_I: category: established IKE SA flags: 0: <none>
| V2_CREATE_R: category: established IKE SA flags: 0:
| -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request)
| V2_REKEY_IKE_R: category: established IKE SA flags: 0:
| -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey)
| V2_REKEY_CHILD_R: category: established IKE SA flags: 0: <none>
| V2_IPSEC_I: category: established CHILD SA flags: 0: <none>
| V2_IPSEC_R: category: established CHILD SA flags: 0: <none>
| IKESA_DEL: category: established IKE SA flags: 0:
| -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
| CHILDSA_DEL: category: informational flags: 0: <none>
Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64
| Hard-wiring algorithms
| adding AES_CCM_16 to kernel algorithm db
| adding AES_CCM_12 to kernel algorithm db
| adding AES_CCM_8 to kernel algorithm db
| adding 3DES_CBC to kernel algorithm db
| adding CAMELLIA_CBC to kernel algorithm db
| adding AES_GCM_16 to kernel algorithm db
| adding AES_GCM_12 to kernel algorithm db
| adding AES_GCM_8 to kernel algorithm db
| adding AES_CTR to kernel algorithm db
| adding AES_CBC to kernel algorithm db
| adding SERPENT_CBC to kernel algorithm db
| adding TWOFISH_CBC to kernel algorithm db
| adding NULL_AUTH_AES_GMAC to kernel algorithm db
| adding NULL to kernel algorithm db
| adding CHACHA20_POLY1305 to kernel algorithm db
| adding HMAC_MD5_96 to kernel algorithm db
| adding HMAC_SHA1_96 to kernel algorithm db
| adding HMAC_SHA2_512_256 to kernel algorithm db
| adding HMAC_SHA2_384_192 to kernel algorithm db
| adding HMAC_SHA2_256_128 to kernel algorithm db
| adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db
| adding AES_XCBC_96 to kernel algorithm db
| adding AES_CMAC_96 to kernel algorithm db
| adding NONE to kernel algorithm db
| net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes
| global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds
| setup kernel fd callback
| add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x5628750efb28
| libevent_malloc: new ptr-libevent@0x56287512ea88 size 128
| libevent_malloc: new ptr-libevent@0x562875135c08 size 16
| add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x562875135b98
| libevent_malloc: new ptr-libevent@0x56287512eb38 size 128
| libevent_malloc: new ptr-libevent@0x562875135868 size 16
| global one-shot timer EVENT_CHECK_CRLS initialized
selinux support is enabled.
| unbound context created - setting debug level to 5
| /etc/hosts lookups activated
| /etc/resolv.conf usage activated
| outgoing-port-avoid set 0-65535
| outgoing-port-permit set 32768-60999
| Loading dnssec root key from:/var/lib/unbound/root.key
| No additional dnssec trust anchors defined via dnssec-trusted= option
| Setting up events, loop start
| add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x562875136038
| libevent_malloc: new ptr-libevent@0x562875141e98 size 128
| libevent_malloc: new ptr-libevent@0x56287514d188 size 16
| libevent_realloc: new ptr-libevent@0x56287507d768 size 256
| libevent_malloc: new ptr-libevent@0x56287514d1c8 size 8
| libevent_realloc: new ptr-libevent@0x56287514d208 size 144
| libevent_malloc: new ptr-libevent@0x5628750f40f8 size 152
| libevent_malloc: new ptr-libevent@0x56287514d2c8 size 16
| signal event handler PLUTO_SIGCHLD installed
| libevent_malloc: new ptr-libevent@0x56287514d308 size 8
| libevent_malloc: new ptr-libevent@0x562875060ec8 size 152
| signal event handler PLUTO_SIGTERM installed
| libevent_malloc: new ptr-libevent@0x56287514d348 size 8
| libevent_malloc: new ptr-libevent@0x562875076858 size 152
| signal event handler PLUTO_SIGHUP installed
| libevent_malloc: new ptr-libevent@0x56287514d388 size 8
| libevent_realloc: release ptr-libevent@0x56287514d208
| libevent_realloc: new ptr-libevent@0x56287514d3c8 size 256
| libevent_malloc: new ptr-libevent@0x56287514d4f8 size 152
| signal event handler PLUTO_SIGSYS installed
| created addconn helper (pid:22957) using fork+execve
| forked child 22957
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
listening for IKE messages
| Inspecting interface lo
| found lo with address 127.0.0.1
| Inspecting interface eth0
| found eth0 with address 192.0.2.254
| Inspecting interface eth1
| found eth1 with address 192.1.2.23
Kernel supports NIC esp-hw-offload
adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface eth1/eth1 192.1.2.23:4500
adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface eth0/eth0 192.0.2.254:4500
adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface lo/lo 127.0.0.1:4500
| no interfaces to sort
| FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
| add_fd_read_event_handler: new ethX-pe@0x56287514da18
| libevent_malloc: new ptr-libevent@0x562875141de8 size 128
| libevent_malloc: new ptr-libevent@0x56287514da88 size 16
| setup callback for interface lo 127.0.0.1:4500 fd 22
| add_fd_read_event_handler: new ethX-pe@0x56287514dac8
| libevent_malloc: new ptr-libevent@0x5628750e8638 size 128
| libevent_malloc: new ptr-libevent@0x56287514db38 size 16
| setup callback for interface lo 127.0.0.1:500 fd 21
| add_fd_read_event_handler: new ethX-pe@0x56287514db78
| libevent_malloc: new ptr-libevent@0x5628750e86e8 size 128
| libevent_malloc: new ptr-libevent@0x56287514dbe8 size 16
| setup callback for interface eth0 192.0.2.254:4500 fd 20
| add_fd_read_event_handler: new ethX-pe@0x56287514dc28
| libevent_malloc: new ptr-libevent@0x5628750e7658 size 128
| libevent_malloc: new ptr-libevent@0x56287514dc98 size 16
| setup callback for interface eth0 192.0.2.254:500 fd 19
| add_fd_read_event_handler: new ethX-pe@0x56287514dcd8
| libevent_malloc: new ptr-libevent@0x5628750ef968 size 128
| libevent_malloc: new ptr-libevent@0x56287514dd48 size 16
| setup callback for interface eth1 192.1.2.23:4500 fd 18
| add_fd_read_event_handler: new ethX-pe@0x56287514dd88
| libevent_malloc: new ptr-libevent@0x5628750f0488 size 128
| libevent_malloc: new ptr-libevent@0x56287514ddf8 size 16
| setup callback for interface eth1 192.1.2.23:500 fd 17
| certs and keys locked by 'free_preshared_secrets'
| certs and keys unlocked by 'free_preshared_secrets'
loading secrets from "/etc/ipsec.secrets"
| saving Modulus
| saving PublicExponent
| ignoring PrivateExponent
| ignoring Prime1
| ignoring Prime2
| ignoring Exponent1
| ignoring Exponent2
| ignoring Coefficient
| ignoring CKAIDNSS
| computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1
| computed rsa CKAID 8a 82 25 f1
loaded private key for keyid: PKK_RSA:AQO9bJbr3
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 1.08 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection clear with policy AUTH_NEVER+GROUP+PASS+NEVER_NEGOTIATE
| counting wild cards for (none) is 15
| counting wild cards for (none) is 15
| connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none
| new hp@0x56287514ec58
added connection description "clear"
| ike_life: 0s; ipsec_life: 0s; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0; replay_window: 0; policy: AUTH_NEVER+GROUP+PASS+NEVER_NEGOTIATE
| 192.1.2.23---192.1.2.254...%group
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0988 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection clear-or-private with policy RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| loading left certificate 'east' pubkey
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x562875151c88
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x562875151c38
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x5628751518f8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x5628751517f8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x562875151d38
| unreference key: 0x562875154af8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1--
| certs and keys locked by 'lsw_add_rsa_secret'
| certs and keys unlocked by 'lsw_add_rsa_secret'
| counting wild cards for (none) is 15
| counting wild cards for (none) is 15
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x56287514ec58: clear
added connection description "clear-or-private"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| 192.1.2.23---192.1.2.254...%opportunisticgroup
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.999 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection private-or-clear with policy RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| loading left certificate 'east' pubkey
| unreference key: 0x5628751574f8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1--
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x562875158a38
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x5628751589e8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x562875159368
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x5628751588d8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x562875158928
| unreference key: 0x5628751551b8 192.1.2.23 cnt 1--
| unreference key: 0x562875156588 east@testing.libreswan.org cnt 1--
| unreference key: 0x562875156b18 @east.testing.libreswan.org cnt 1--
| unreference key: 0x562875157038 user-east@testing.libreswan.org cnt 1--
| unreference key: 0x562875158ce8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1--
| secrets entry for east already exists
| counting wild cards for (none) is 15
| counting wild cards for (none) is 15
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x56287514ec58: clear-or-private
added connection description "private-or-clear"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| 192.1.2.23---192.1.2.254...%opportunisticgroup
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.619 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection private with policy RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failureDROP
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| loading left certificate 'east' pubkey
| unreference key: 0x562875157038 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1--
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515abb8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515ab68
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515b4e8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515aa58
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515aaa8
| unreference key: 0x562875154af8 192.1.2.23 cnt 1--
| unreference key: 0x5628751551b8 east@testing.libreswan.org cnt 1--
| unreference key: 0x562875156588 @east.testing.libreswan.org cnt 1--
| unreference key: 0x562875156b18 user-east@testing.libreswan.org cnt 1--
| unreference key: 0x5628751574f8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1--
| secrets entry for east already exists
| counting wild cards for (none) is 15
| counting wild cards for (none) is 15
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x56287514ec58: private-or-clear
added connection description "private"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failureDROP
| 192.1.2.23---192.1.2.254...%opportunisticgroup
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.579 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection block with policy AUTH_NEVER+GROUP+REJECT+NEVER_NEGOTIATE
| counting wild cards for (none) is 15
| counting wild cards for (none) is 15
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x56287514ec58: private
added connection description "block"
| ike_life: 0s; ipsec_life: 0s; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0; replay_window: 0; policy: AUTH_NEVER+GROUP+REJECT+NEVER_NEGOTIATE
| 192.1.2.23---192.1.2.254...%group
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0712 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection private-or-clear-all with policy RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| loading left certificate 'east' pubkey
| unreference key: 0x562875156b18 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1--
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515d0e8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515d098
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515da18
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515cf88
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515cfd8
| unreference key: 0x562875158ce8 192.1.2.23 cnt 1--
| unreference key: 0x562875154af8 east@testing.libreswan.org cnt 1--
| unreference key: 0x5628751551b8 @east.testing.libreswan.org cnt 1--
| unreference key: 0x562875156588 user-east@testing.libreswan.org cnt 1--
| unreference key: 0x562875157038 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1--
| secrets entry for east already exists
| counting wild cards for (none) is 15
| counting wild cards for (none) is 15
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x56287514ec58: block
added connection description "private-or-clear-all"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| 192.1.2.23---192.1.2.254...%opportunisticgroup
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.721 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "private-or-clear-all" (in delete_connection() at connections.c:189)
| Deleting states for connection - not including other IPsec SA's
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| flush revival: connection 'private-or-clear-all' wasn't on the list
| stop processing: connection "private-or-clear-all" (in discard_connection() at connections.c:249)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection private-or-clear-all with policy RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| loading left certificate 'east' pubkey
| unreference key: 0x562875156588 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1--
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515bed8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515b498
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515bdc8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515be18
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515c148
| unreference key: 0x5628751574f8 192.1.2.23 cnt 1--
| unreference key: 0x562875158ce8 east@testing.libreswan.org cnt 1--
| unreference key: 0x562875154af8 @east.testing.libreswan.org cnt 1--
| unreference key: 0x5628751551b8 user-east@testing.libreswan.org cnt 1--
| unreference key: 0x562875156b18 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1--
| secrets entry for east already exists
| counting wild cards for (none) is 15
| counting wild cards for (none) is 15
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x56287514ec58: block
added connection description "private-or-clear-all"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| 192.1.2.23---192.1.2.254...%opportunisticgroup
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.602 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
listening for IKE messages
| Inspecting interface lo
| found lo with address 127.0.0.1
| Inspecting interface eth0
| found eth0 with address 192.0.2.254
| Inspecting interface eth1
| found eth1 with address 192.1.2.23
| no interfaces to sort
| libevent_free: release ptr-libevent@0x562875141de8
| free_event_entry: release EVENT_NULL-pe@0x56287514da18
| add_fd_read_event_handler: new ethX-pe@0x56287514da18
| libevent_malloc: new ptr-libevent@0x562875151848 size 128
| setup callback for interface lo 127.0.0.1:4500 fd 22
| libevent_free: release ptr-libevent@0x5628750e8638
| free_event_entry: release EVENT_NULL-pe@0x56287514dac8
| add_fd_read_event_handler: new ethX-pe@0x56287514dac8
| libevent_malloc: new ptr-libevent@0x5628750e8638 size 128
| setup callback for interface lo 127.0.0.1:500 fd 21
| libevent_free: release ptr-libevent@0x5628750e86e8
| free_event_entry: release EVENT_NULL-pe@0x56287514db78
| add_fd_read_event_handler: new ethX-pe@0x56287514db78
| libevent_malloc: new ptr-libevent@0x5628750e86e8 size 128
| setup callback for interface eth0 192.0.2.254:4500 fd 20
| libevent_free: release ptr-libevent@0x5628750e7658
| free_event_entry: release EVENT_NULL-pe@0x56287514dc28
| add_fd_read_event_handler: new ethX-pe@0x56287514dc28
| libevent_malloc: new ptr-libevent@0x5628750e7658 size 128
| setup callback for interface eth0 192.0.2.254:500 fd 19
| libevent_free: release ptr-libevent@0x5628750ef968
| free_event_entry: release EVENT_NULL-pe@0x56287514dcd8
| add_fd_read_event_handler: new ethX-pe@0x56287514dcd8
| libevent_malloc: new ptr-libevent@0x5628750ef968 size 128
| setup callback for interface eth1 192.1.2.23:4500 fd 18
| libevent_free: release ptr-libevent@0x5628750f0488
| free_event_entry: release EVENT_NULL-pe@0x56287514dd88
| add_fd_read_event_handler: new ethX-pe@0x56287514dd88
| libevent_malloc: new ptr-libevent@0x5628750f0488 size 128
| setup callback for interface eth1 192.1.2.23:500 fd 17
| certs and keys locked by 'free_preshared_secrets'
forgetting secrets
| certs and keys unlocked by 'free_preshared_secrets'
loading secrets from "/etc/ipsec.secrets"
| saving Modulus
| saving PublicExponent
| ignoring PrivateExponent
| ignoring Prime1
| ignoring Prime2
| ignoring Exponent1
| ignoring Exponent2
| ignoring Coefficient
| ignoring CKAIDNSS
| computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1
| computed rsa CKAID 8a 82 25 f1
loaded private key for keyid: PKK_RSA:AQO9bJbr3
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| no group file "/etc/ipsec.d/policies/private-or-clear-all" (pwd:/tmp)
loading group "/etc/ipsec.d/policies/block"
loading group "/etc/ipsec.d/policies/private"
loading group "/etc/ipsec.d/policies/private-or-clear"
loading group "/etc/ipsec.d/policies/clear-or-private"
loading group "/etc/ipsec.d/policies/clear"
| 192.1.2.23/32->192.1.2.254/32 0 sport 0 dport 0 clear
| 192.1.2.23/32->192.1.3.254/32 0 sport 0 dport 0 clear
| 192.1.2.23/32->192.1.3.253/32 0 sport 0 dport 0 clear
| 192.1.2.23/32->192.1.2.253/32 0 sport 0 dport 0 clear
| 192.1.2.23/32->192.1.3.0/24 0 sport 0 dport 0 private-or-clear
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.436 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "clear" (in whack_route_connection() at rcv_whack.c:106)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "clear" (in route_group() at foodgroups.c:435)
| start processing: connection "clear#192.1.2.254/32" 0.0.0.0 (in route_group() at foodgroups.c:435)
| could_route called for clear#192.1.2.254/32 (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear-all mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn block mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn private mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear-all mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn block mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn private mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: clear#192.1.2.254/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'clear#192.1.2.254/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.2.254/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| priority calculation of connection "clear#192.1.2.254/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare
| command executing prepare-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE
| popen cmd is 1134 chars long
| cmd( 0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25:
| cmd( 80):4/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' :
| cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19:
| cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT:
| cmd( 320):OCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_:
| cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1:
| cmd( 480):.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_:
| cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test De:
| cmd( 640):partment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK=:
| cmd( 720):'netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVE:
| cmd( 800):R_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FA:
| cmd( 880):ILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' :
| cmd( 960):PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGUR:
| cmd(1040):ED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipse:
| cmd(1120):c _updown 2>&1:
| running updown command "ipsec _updown" for verb route
| command executing route-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER
| popen cmd is 1132 chars long
| cmd( 0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/:
| cmd( 80):32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PL:
| cmd( 160):UTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.:
| cmd( 240):1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC:
| cmd( 320):OL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PE:
| cmd( 400):ER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1.2:
| cmd( 480):.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PR:
| cmd( 560):OTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Depa:
| cmd( 640):rtment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='n:
| cmd( 720):etkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_:
| cmd( 800):NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAIL:
| cmd( 880):ED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PL:
| cmd( 960):UTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED:
| cmd(1040):='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec :
| cmd(1120):_updown 2>&1:
| suspend processing: connection "clear#192.1.2.254/32" 0.0.0.0 (in route_group() at foodgroups.c:439)
| start processing: connection "clear" (in route_group() at foodgroups.c:439)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "clear" (in route_group() at foodgroups.c:435)
| start processing: connection "clear#192.1.3.254/32" 0.0.0.0 (in route_group() at foodgroups.c:435)
| could_route called for clear#192.1.3.254/32 (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear-all mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn block mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn private mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear-all mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn block mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn private mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: clear#192.1.3.254/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'clear#192.1.3.254/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.3.254/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| priority calculation of connection "clear#192.1.3.254/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare
| command executing prepare-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE
| popen cmd is 1134 chars long
| cmd( 0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25:
| cmd( 80):4/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' :
| cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19:
| cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT:
| cmd( 320):OCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_:
| cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1:
| cmd( 480):.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_:
| cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test De:
| cmd( 640):partment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK=:
| cmd( 720):'netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVE:
| cmd( 800):R_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FA:
| cmd( 880):ILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' :
| cmd( 960):PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGUR:
| cmd(1040):ED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipse:
| cmd(1120):c _updown 2>&1:
| running updown command "ipsec _updown" for verb route
| command executing route-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER
| popen cmd is 1132 chars long
| cmd( 0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/:
| cmd( 80):32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PL:
| cmd( 160):UTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.:
| cmd( 240):1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC:
| cmd( 320):OL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PE:
| cmd( 400):ER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1.3:
| cmd( 480):.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PR:
| cmd( 560):OTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Depa:
| cmd( 640):rtment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='n:
| cmd( 720):etkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_:
| cmd( 800):NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAIL:
| cmd( 880):ED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PL:
| cmd( 960):UTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED:
| cmd(1040):='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec :
| cmd(1120):_updown 2>&1:
| suspend processing: connection "clear#192.1.3.254/32" 0.0.0.0 (in route_group() at foodgroups.c:439)
| start processing: connection "clear" (in route_group() at foodgroups.c:439)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "clear" (in route_group() at foodgroups.c:435)
| start processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in route_group() at foodgroups.c:435)
| could_route called for clear#192.1.3.253/32 (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear-all mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn block mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn private mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear-all mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn block mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn private mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: clear#192.1.3.253/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'clear#192.1.3.253/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare
| command executing prepare-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE
| popen cmd is 1134 chars long
| cmd( 0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25:
| cmd( 80):3/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' :
| cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19:
| cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT:
| cmd( 320):OCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_:
| cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1:
| cmd( 480):.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_:
| cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test De:
| cmd( 640):partment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK=:
| cmd( 720):'netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVE:
| cmd( 800):R_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FA:
| cmd( 880):ILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' :
| cmd( 960):PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGUR:
| cmd(1040):ED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipse:
| cmd(1120):c _updown 2>&1:
| running updown command "ipsec _updown" for verb route
| command executing route-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER
| popen cmd is 1132 chars long
| cmd( 0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/:
| cmd( 80):32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PL:
| cmd( 160):UTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.:
| cmd( 240):1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC:
| cmd( 320):OL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PE:
| cmd( 400):ER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3:
| cmd( 480):.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PR:
| cmd( 560):OTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Depa:
| cmd( 640):rtment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='n:
| cmd( 720):etkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_:
| cmd( 800):NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAIL:
| cmd( 880):ED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PL:
| cmd( 960):UTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED:
| cmd(1040):='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec :
| cmd(1120):_updown 2>&1:
| suspend processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in route_group() at foodgroups.c:439)
| start processing: connection "clear" (in route_group() at foodgroups.c:439)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "clear" (in route_group() at foodgroups.c:435)
| start processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in route_group() at foodgroups.c:435)
| could_route called for clear#192.1.2.253/32 (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear-all mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn block mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn private mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear-all mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn block mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn private mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: clear#192.1.2.253/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'clear#192.1.2.253/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare
| command executing prepare-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE
| popen cmd is 1134 chars long
| cmd( 0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25:
| cmd( 80):3/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' :
| cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19:
| cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT:
| cmd( 320):OCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_:
| cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1:
| cmd( 480):.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_:
| cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test De:
| cmd( 640):partment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK=:
| cmd( 720):'netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVE:
| cmd( 800):R_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FA:
| cmd( 880):ILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' :
| cmd( 960):PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGUR:
| cmd(1040):ED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipse:
| cmd(1120):c _updown 2>&1:
| running updown command "ipsec _updown" for verb route
| command executing route-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER
| popen cmd is 1132 chars long
| cmd( 0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/:
| cmd( 80):32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PL:
| cmd( 160):UTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.:
| cmd( 240):1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC:
| cmd( 320):OL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PE:
| cmd( 400):ER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2:
| cmd( 480):.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PR:
| cmd( 560):OTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Depa:
| cmd( 640):rtment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='n:
| cmd( 720):etkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_:
| cmd( 800):NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAIL:
| cmd( 880):ED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PL:
| cmd( 960):UTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED:
| cmd(1040):='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec :
| cmd(1120):_updown 2>&1:
| suspend processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in route_group() at foodgroups.c:439)
| start processing: connection "clear" (in route_group() at foodgroups.c:439)
| stop processing: connection "clear" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 4.59 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| old debugging base+cpu-usage + none
| base debugging = base+cpu-usage
| old impairing none + suppress-retransmits
| base impairing = suppress-retransmits
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0322 milliseconds in whack
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00428 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00268 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00279 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00264 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00265 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00276 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00265 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00241 milliseconds in signal handler PLUTO_SIGCHLD
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "private-or-clear" (in whack_route_connection() at rcv_whack.c:106)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "private-or-clear" (in route_group() at foodgroups.c:435)
| start processing: connection "private-or-clear#192.1.3.0/24" (in route_group() at foodgroups.c:435)
| could_route called for private-or-clear#192.1.3.0/24 (kind=CK_TEMPLATE)
| FOR_EACH_CONNECTION_... in route_owner
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn private-or-clear mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn private-or-clear-all mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn block mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn private mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "private-or-clear#192.1.3.0/24" unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn private-or-clear mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn private-or-clear-all mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn block mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn private mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "private-or-clear#192.1.3.0/24" unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: private-or-clear#192.1.3.0/24 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'private-or-clear#192.1.3.0/24' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfe7
| IPsec Sa SPD priority set to 2088935
| priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfe7
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare
| command executing prepare-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#192.1.3.0/24' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.0/24' PLUTO_PEER_CLIENT_NET='192.1.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISC
| popen cmd is 1222 chars long
| cmd( 0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear:
| cmd( 80):#192.1.3.0/24' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192:
| cmd( 160):.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIEN:
| cmd( 240):T_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUT:
| cmd( 320):O_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.:
| cmd( 400):0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.0/24' PLUTO_PEER_CLIENT_NET:
| cmd( 480):='192.1.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PE:
| cmd( 560):ER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test:
| cmd( 640): Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STA:
| cmd( 720):CK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+AUTHNULL+ENCRYPT+TUNNEL+:
| cmd( 800):PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW:
| cmd( 880):+ESN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' :
| cmd( 960):XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_:
| cmd(1040):INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_:
| cmd(1120):CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=:
| cmd(1200):0x0 ipsec _updown 2>&1:
| running updown command "ipsec _updown" for verb route
| command executing route-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#192.1.3.0/24' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.0/24' PLUTO_PEER_CLIENT_NET='192.1.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0
| popen cmd is 1220 chars long
| cmd( 0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#1:
| cmd( 80):92.1.3.0/24' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1:
| cmd( 160):.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_:
| cmd( 240):NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_:
| cmd( 320):MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0':
| cmd( 400): PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.0/24' PLUTO_PEER_CLIENT_NET=':
| cmd( 480):192.1.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER:
| cmd( 560):_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test D:
| cmd( 640):epartment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK:
| cmd( 720):='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PF:
| cmd( 800):S+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+E:
| cmd( 880):SN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XA:
| cmd( 960):UTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_IN:
| cmd(1040):FO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CO:
| cmd(1120):NFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x:
| cmd(1200):0 ipsec _updown 2>&1:
| suspend processing: connection "private-or-clear#192.1.3.0/24" (in route_group() at foodgroups.c:439)
| start processing: connection "private-or-clear" (in route_group() at foodgroups.c:439)
| stop processing: connection "private-or-clear" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 1.15 milliseconds in whack
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00383 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.0021 milliseconds in signal handler PLUTO_SIGCHLD
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "private" (in whack_route_connection() at rcv_whack.c:106)
| stop processing: connection "private" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0266 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "block" (in whack_route_connection() at rcv_whack.c:106)
| stop processing: connection "block" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0174 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "private-or-clear-all" (in whack_route_connection() at rcv_whack.c:106)
| stop processing: connection "private-or-clear-all" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0165 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "private-or-clear-all" (in whack_route_connection() at rcv_whack.c:106)
| stop processing: connection "private-or-clear-all" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0154 milliseconds in whack
| processing signal PLUTO_SIGCHLD
| waitpid returned pid 22957 (exited with status 0)
| reaped addconn helper child (status 0)
| waitpid returned ECHILD (no child processes left)
| spent 0.0235 milliseconds in signal handler PLUTO_SIGCHLD
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_STATE_... in show_states_status (sort_states)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 1.15 milliseconds in whack
| spent 0.00265 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 851 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
| a2 30 4a 5b 65 74 84 ee 00 00 00 00 00 00 00 00
| 21 20 22 08 00 00 00 00 00 00 03 53 22 00 01 b4
| 02 00 00 64 01 01 00 0b 03 00 00 0c 01 00 00 14
| 80 0e 01 00 03 00 00 08 02 00 00 07 03 00 00 08
| 02 00 00 05 03 00 00 08 04 00 00 0e 03 00 00 08
| 04 00 00 0f 03 00 00 08 04 00 00 10 03 00 00 08
| 04 00 00 12 03 00 00 08 04 00 00 13 03 00 00 08
| 04 00 00 14 03 00 00 08 04 00 00 15 00 00 00 08
| 04 00 00 1f 02 00 00 64 02 01 00 0b 03 00 00 0c
| 01 00 00 14 80 0e 00 80 03 00 00 08 02 00 00 07
| 03 00 00 08 02 00 00 05 03 00 00 08 04 00 00 0e
| 03 00 00 08 04 00 00 0f 03 00 00 08 04 00 00 10
| 03 00 00 08 04 00 00 12 03 00 00 08 04 00 00 13
| 03 00 00 08 04 00 00 14 03 00 00 08 04 00 00 15
| 00 00 00 08 04 00 00 1f 02 00 00 74 03 01 00 0d
| 03 00 00 0c 01 00 00 0c 80 0e 01 00 03 00 00 08
| 02 00 00 07 03 00 00 08 02 00 00 05 03 00 00 08
| 03 00 00 0e 03 00 00 08 03 00 00 0c 03 00 00 08
| 04 00 00 0e 03 00 00 08 04 00 00 0f 03 00 00 08
| 04 00 00 10 03 00 00 08 04 00 00 12 03 00 00 08
| 04 00 00 13 03 00 00 08 04 00 00 14 03 00 00 08
| 04 00 00 15 00 00 00 08 04 00 00 1f 00 00 00 74
| 04 01 00 0d 03 00 00 0c 01 00 00 0c 80 0e 00 80
| 03 00 00 08 02 00 00 07 03 00 00 08 02 00 00 05
| 03 00 00 08 03 00 00 0e 03 00 00 08 03 00 00 0c
| 03 00 00 08 04 00 00 0e 03 00 00 08 04 00 00 0f
| 03 00 00 08 04 00 00 10 03 00 00 08 04 00 00 12
| 03 00 00 08 04 00 00 13 03 00 00 08 04 00 00 14
| 03 00 00 08 04 00 00 15 00 00 00 08 04 00 00 1f
| 28 00 01 08 00 0e 00 00 78 62 07 b9 43 93 c0 71
| 89 25 14 f6 40 f3 7c d9 c6 78 cc 64 f9 d9 cc c3
| 3d a6 c4 74 1f a0 a0 62 b5 56 92 7f 25 ee 76 81
| 05 70 21 34 ac 86 43 7d 76 fa c2 db 0d f7 d4 0f
| 6d 28 f6 d7 a0 06 9a 43 95 36 6a d1 5d 34 da 5a
| c5 74 de 44 bd 52 e8 32 c2 80 3e ab 72 f3 4d 29
| b3 99 3b a6 4c b3 aa 10 46 8c 53 99 09 63 dd d3
| 76 91 b0 0c e8 44 d8 54 d7 f4 13 50 a6 3c f6 6d
| 6b 67 45 dd 9f 25 d7 d1 27 ed e5 b3 19 e4 25 af
| d9 f1 56 53 80 2e f1 e7 41 b7 ba f6 de 47 c2 f6
| e4 5d e7 0e 0f f2 cd c6 f9 6c 6e 4e 22 22 2d dc
| 37 f7 6d e1 a1 7b b2 53 96 84 06 78 b2 bf 0e 00
| a6 57 5c 7b 5c bf eb 1a 11 35 bf b4 ed 14 e9 6a
| fd e2 57 c7 0b 5a d7 94 65 22 7e 0c 84 f3 e2 57
| a6 85 8f 38 0b 27 1b 2f 1b 61 07 27 5f 30 f6 a7
| 4e 01 64 d8 8d f2 87 35 10 6f 6b 0d fd 55 fa 49
| 24 2d b0 cc ab 48 ea 7b 29 00 00 24 55 fb 6b 4a
| dd e4 d3 ae 4e a1 67 4c 59 9e e1 08 fd 5d 47 2b
| 89 81 b2 a2 81 38 98 03 83 70 c1 c8 29 00 00 08
| 00 00 40 2e 29 00 00 1c 00 00 40 04 15 54 03 c2
| 38 b5 c2 c7 71 a3 42 60 e2 1d 8e b9 bc 61 91 92
| 2b 00 00 1c 00 00 40 05 03 82 c6 70 6c 42 81 cb
| 3a dc 6c 2a 14 80 f2 c9 4f 71 00 32 00 00 00 17
| 4f 70 70 6f 72 74 75 6e 69 73 74 69 63 20 49 50
| 73 65 63
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
| initiator cookie:
| a2 30 4a 5b 65 74 84 ee
| responder cookie:
| 00 00 00 00 00 00 00 00
| next payload type: ISAKMP_NEXT_v2SA (0x21)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_SA_INIT (0x22)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 0 (0x0)
| length: 851 (0x353)
| processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request
| State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi)
| Now let's proceed with payload (ISAKMP_NEXT_v2SA)
| ***parse IKEv2 Security Association Payload:
| next payload type: ISAKMP_NEXT_v2KE (0x22)
| flags: none (0x0)
| length: 436 (0x1b4)
| processing payload: ISAKMP_NEXT_v2SA (len=432)
| Now let's proceed with payload (ISAKMP_NEXT_v2KE)
| ***parse IKEv2 Key Exchange Payload:
| next payload type: ISAKMP_NEXT_v2Ni (0x28)
| flags: none (0x0)
| length: 264 (0x108)
| DH group: OAKLEY_GROUP_MODP2048 (0xe)
| processing payload: ISAKMP_NEXT_v2KE (len=256)
| Now let's proceed with payload (ISAKMP_NEXT_v2Ni)
| ***parse IKEv2 Nonce Payload:
| next payload type: ISAKMP_NEXT_v2N (0x29)
| flags: none (0x0)
| length: 36 (0x24)
| processing payload: ISAKMP_NEXT_v2Ni (len=32)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2N (0x29)
| flags: none (0x0)
| length: 8 (0x8)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e)
| processing payload: ISAKMP_NEXT_v2N (len=0)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2N (0x29)
| flags: none (0x0)
| length: 28 (0x1c)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004)
| processing payload: ISAKMP_NEXT_v2N (len=20)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2V (0x2b)
| flags: none (0x0)
| length: 28 (0x1c)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
| processing payload: ISAKMP_NEXT_v2N (len=20)
| Now let's proceed with payload (ISAKMP_NEXT_v2V)
| ***parse IKEv2 Vendor ID Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| length: 23 (0x17)
| processing payload: ISAKMP_NEXT_v2V (len=19)
| DDOS disabled and no cookie sent, continuing
| VID_OPPORTUNISTIC received
| Processing IKE request for Opportunistic IPsec
| find_host_connection local=192.1.2.23:500 remote=192.1.3.209:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| find_next_host_connection returns empty
| find_host_connection local=192.1.2.23:500 remote=<none:> policy=ECDSA+IKEV2_ALLOW but ignoring ports
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear-all)
| found policy = AUTH_NEVER+SHUNT0+SHUNT1+GROUP+GROUTED (block)
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private)
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear)
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear#192.1.3.0/24)
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private)
| found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear)
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32)
| find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32)
| find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32)
| find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.254/32)
| find_next_host_connection returns clear#192.1.2.254/32 0.0.0.0
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| find_next_host_connection returns empty
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32)
| find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32)
| find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.254/32)
| find_next_host_connection returns clear#192.1.2.254/32 0.0.0.0
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| find_next_host_connection returns empty
| initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW
| find_host_connection local=192.1.2.23:500 remote=192.1.3.209:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| find_next_host_connection returns empty
| find_host_connection local=192.1.2.23:500 remote=<none:> policy=RSASIG+IKEV2_ALLOW but ignoring ports
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear-all)
| find_next_host_connection returns private-or-clear-all
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+SHUNT1+GROUP+GROUTED (block)
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private)
| find_next_host_connection returns private
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear)
| find_next_host_connection returns private-or-clear
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear#192.1.3.0/24)
| find_next_host_connection returns private-or-clear#192.1.3.0/24
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private)
| find_next_host_connection returns clear-or-private
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear)
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32)
| find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32)
| find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32)
| find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.254/32)
| find_next_host_connection returns clear#192.1.2.254/32 0.0.0.0
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| find_next_host_connection returns empty
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+SHUNT1+GROUP+GROUTED (block)
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private)
| find_next_host_connection returns private
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear)
| find_next_host_connection returns private-or-clear
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear#192.1.3.0/24)
| find_next_host_connection returns private-or-clear#192.1.3.0/24
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private)
| find_next_host_connection returns clear-or-private
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear)
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32)
| find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32)
| find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32)
| find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.254/32)
| find_next_host_connection returns clear#192.1.2.254/32 0.0.0.0
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| find_next_host_connection returns empty
| oppo_instantiate
| match_id a=(none)
| b=(none)
| results matched
| connect_to_host_pair: 192.1.2.23:500 192.1.3.209:500 -> hp@(nil): none
| new hp@0x5628751613a8
| oppo instantiate d="private-or-clear#192.1.3.0/24" from c="private-or-clear#192.1.3.0/24" with c->routing prospective erouted, d->routing unrouted
| new oppo instance: 192.1.2.23---192.1.2.254...192.1.3.209===192.1.3.0/24
| oppo_instantiate() instantiated "[1] ...192.1.3.209"private-or-clear#192.1.3.0/24: 192.1.2.23---192.1.2.254...192.1.3.209
| found connection: private-or-clear#192.1.3.0/24[1] ...192.1.3.209 with policy RSASIG+IKEV2_ALLOW
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| creating state object #1 at 0x562875161828
| State DB: adding IKEv2 state #1 in UNDEFINED
| pstats #1 ikev2.ike started
| Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0
| parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA)
| Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1
| start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209 (in ikev2_process_packet() at ikev2.c:2016)
| State DB: IKEv2 state not found (find_v2_sa_by_responder_wip)
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209 (in ike_process_packet() at ikev2.c:2064)
| #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000
| Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1
| Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0
| #1 in state PARENT_R0: processing SA_INIT request
| selected state microcode Respond to IKE_SA_INIT
| Now let's proceed with state specific processing
| calling processor Respond to IKE_SA_INIT
| #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669)
| received Vendor ID payload [Opportunistic IPsec]
| constructing local IKE proposals for private-or-clear#192.1.3.0/24 (IKE SA responder matching remote proposals)
| converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ... ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
"private-or-clear#192.1.3.0/24"[1] ...192.1.3.209: constructed local IKE proposals for private-or-clear#192.1.3.0/24 (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| Comparing remote proposals against IKE responder 4 local proposals
| local proposal 1 type ENCR has 1 transforms
| local proposal 1 type PRF has 2 transforms
| local proposal 1 type INTEG has 1 transforms
| local proposal 1 type DH has 8 transforms
| local proposal 1 type ESN has 0 transforms
| local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG
| local proposal 2 type ENCR has 1 transforms
| local proposal 2 type PRF has 2 transforms
| local proposal 2 type INTEG has 1 transforms
| local proposal 2 type DH has 8 transforms
| local proposal 2 type ESN has 0 transforms
| local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG
| local proposal 3 type ENCR has 1 transforms
| local proposal 3 type PRF has 2 transforms
| local proposal 3 type INTEG has 2 transforms
| local proposal 3 type DH has 8 transforms
| local proposal 3 type ESN has 0 transforms
| local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none
| local proposal 4 type ENCR has 1 transforms
| local proposal 4 type PRF has 2 transforms
| local proposal 4 type INTEG has 2 transforms
| local proposal 4 type DH has 8 transforms
| local proposal 4 type ESN has 0 transforms
| local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none
| ****parse IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_NON_LAST (0x2)
| length: 100 (0x64)
| prop #: 1 (0x1)
| proto ID: IKEv2_SEC_PROTO_IKE (0x1)
| spi size: 0 (0x0)
| # transforms: 11 (0xb)
| Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 12 (0xc)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_GCM_C (0x14)
| ******parse IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 256 (0x100)
| remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0
| remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0
| remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0
| remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none
| comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH
| remote proposal 1 matches local proposal 1
| ****parse IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_NON_LAST (0x2)
| length: 100 (0x64)
| prop #: 2 (0x2)
| proto ID: IKEv2_SEC_PROTO_IKE (0x1)
| spi size: 0 (0x0)
| # transforms: 11 (0xb)
| Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 12 (0xc)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_GCM_C (0x14)
| ******parse IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 128 (0x80)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH
| remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH
| ****parse IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_NON_LAST (0x2)
| length: 116 (0x74)
| prop #: 3 (0x3)
| proto ID: IKEv2_SEC_PROTO_IKE (0x1)
| spi size: 0 (0x0)
| # transforms: 13 (0xd)
| Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 12 (0xc)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_CBC (0xc)
| ******parse IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 256 (0x100)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH
| remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH
| ****parse IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_LAST (0x0)
| length: 116 (0x74)
| prop #: 4 (0x4)
| proto ID: IKEv2_SEC_PROTO_IKE (0x1)
| spi size: 0 (0x0)
| # transforms: 13 (0xd)
| Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 12 (0xc)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_CBC (0xc)
| ******parse IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 128 (0x80)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH
| remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH
| proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519
| accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048
| converting proposal to internal trans attrs
| natd_hash: rcookie is zero
| natd_hash: hasher=0x5628736ab800(20)
| natd_hash: icookie= a2 30 4a 5b 65 74 84 ee
| natd_hash: rcookie= 00 00 00 00 00 00 00 00
| natd_hash: ip= c0 01 02 17
| natd_hash: port=500
| natd_hash: hash= 03 82 c6 70 6c 42 81 cb 3a dc 6c 2a 14 80 f2 c9
| natd_hash: hash= 4f 71 00 32
| natd_hash: rcookie is zero
| natd_hash: hasher=0x5628736ab800(20)
| natd_hash: icookie= a2 30 4a 5b 65 74 84 ee
| natd_hash: rcookie= 00 00 00 00 00 00 00 00
| natd_hash: ip= c0 01 03 d1
| natd_hash: port=500
| natd_hash: hash= 15 54 03 c2 38 b5 c2 c7 71 a3 42 60 e2 1d 8e b9
| natd_hash: hash= bc 61 91 92
| NAT_TRAVERSAL encaps using auto-detect
| NAT_TRAVERSAL this end is NOT behind NAT
| NAT_TRAVERSAL that end is NOT behind NAT
| NAT_TRAVERSAL nat-keepalive enabled 192.1.3.209
| adding ikev2_inI1outR1 KE work-order 1 for state #1
| event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5628751614d8
| inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1
| libevent_malloc: new ptr-libevent@0x562875141de8 size 128
| #1 spent 0.527 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet()
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in complete_v2_state_transition() at ikev2.c:3379)
| #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND
| suspending state #1 and saving MD
| #1 is busy; has a suspended MD
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in log_stf_suspend() at ikev2.c:3269)
| crypto helper 0 resuming
| crypto helper 0 starting work-order 1 for state #1
| "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451
| crypto helper 0 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1
| stop processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.985 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.993 milliseconds in comm_handle_cb() reading and processing packet
| crypto helper 0 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.000585 seconds
| (#1) spent 0.592 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr)
| crypto helper 0 sending results from work-order 1 for state #1 to event queue
| scheduling resume sending helper answer for #1
| libevent_malloc: new ptr-libevent@0x7fd560002888 size 128
| crypto helper 0 waiting (nothing to do)
| processing resume sending helper answer for #1
| start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797)
| crypto helper 0 replies to request ID 1
| calling continuation function 0x5628735d6b50
| ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1
| **emit ISAKMP Message:
| initiator cookie:
| a2 30 4a 5b 65 74 84 ee
| responder cookie:
| 2f a9 8f 22 d3 2d 1e 58
| next payload type: ISAKMP_NEXT_NONE (0x0)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_SA_INIT (0x22)
| flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
| Message ID: 0 (0x0)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| Emitting ikev2_proposal ...
| ***emit IKEv2 Security Association Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA)
| next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet'
| ****emit IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_LAST (0x0)
| prop #: 1 (0x1)
| proto ID: IKEv2_SEC_PROTO_IKE (0x1)
| spi size: 0 (0x0)
| # transforms: 3 (0x3)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| ******emit IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 36
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| emitting length of IKEv2 Security Association Payload: 40
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0
| ***emit IKEv2 Key Exchange Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| DH group: OAKLEY_GROUP_MODP2048 (0xe)
| next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE)
| next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet'
| emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
| ikev2 g^x f9 16 54 e1 6e c2 e4 65 37 60 d7 cd a5 a8 87 78
| ikev2 g^x 00 0c a0 12 fb 19 8c 6b a3 5f 5b 57 35 2d 99 1a
| ikev2 g^x e6 e6 a3 b0 aa a4 3e 23 d4 89 57 c6 50 50 31 9d
| ikev2 g^x 71 22 c7 40 2b 5f 1a 17 3d a8 14 9a 98 0b 7e 1b
| ikev2 g^x d7 09 b5 d9 28 15 cc 53 ab 1c 8b 30 7c 21 4f 42
| ikev2 g^x c8 e5 41 92 4f 48 be 10 e6 ee 77 e7 a7 d4 61 7d
| ikev2 g^x 10 5b dc 0a 18 ea 47 b9 72 5d 0d d0 89 64 86 74
| ikev2 g^x 17 e8 73 d4 23 bd 61 b5 76 7f e9 0d 1b ee 1b 81
| ikev2 g^x fa 20 91 e7 9c e5 de 2d 0b 43 26 da ce 88 69 a4
| ikev2 g^x b7 96 9c 5d 6e 8e 5c f0 f1 97 f4 41 f9 74 f9 82
| ikev2 g^x 31 7d ac 71 d1 aa f8 53 22 32 fb 16 cf 62 16 7a
| ikev2 g^x 98 59 1d 20 54 d3 f0 63 45 99 5e 11 85 b3 e7 43
| ikev2 g^x 8d 7e 28 18 9a 81 fd 18 d8 f4 92 07 c5 e0 1c c2
| ikev2 g^x 2d 23 6f 56 e1 25 a0 b0 d3 1b 0c d5 78 cd b9 46
| ikev2 g^x 84 1a 2d 51 f5 36 9e ed da fb 30 8a 56 13 d1 a5
| ikev2 g^x c7 1a 82 18 83 ef f9 81 b3 1e b0 48 b0 e5 95 53
| emitting length of IKEv2 Key Exchange Payload: 264
| ***emit IKEv2 Nonce Payload:
| next payload type: ISAKMP_NEXT_v2N (0x29)
| flags: none (0x0)
| next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N
| next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni)
| next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet'
| emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload
| IKEv2 nonce f9 f4 58 44 f0 ea 84 c6 d2 7f bb 9b a8 bd 4c eb
| IKEv2 nonce 50 de f7 0f 5f b5 fe b4 01 70 2d 66 69 0d 7d 21
| emitting length of IKEv2 Nonce Payload: 36
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e)
| next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting length of IKEv2 Notify Payload: 8
| NAT-Traversal support [enabled] add v2N payloads.
| natd_hash: hasher=0x5628736ab800(20)
| natd_hash: icookie= a2 30 4a 5b 65 74 84 ee
| natd_hash: rcookie= 2f a9 8f 22 d3 2d 1e 58
| natd_hash: ip= c0 01 02 17
| natd_hash: port=500
| natd_hash: hash= e2 bf 3c c5 fd f7 90 60 f0 be 5a 23 fb 53 e9 7b
| natd_hash: hash= 75 bf 43 c7
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting 20 raw bytes of Notify data into IKEv2 Notify Payload
| Notify data e2 bf 3c c5 fd f7 90 60 f0 be 5a 23 fb 53 e9 7b
| Notify data 75 bf 43 c7
| emitting length of IKEv2 Notify Payload: 28
| natd_hash: hasher=0x5628736ab800(20)
| natd_hash: icookie= a2 30 4a 5b 65 74 84 ee
| natd_hash: rcookie= 2f a9 8f 22 d3 2d 1e 58
| natd_hash: ip= c0 01 03 d1
| natd_hash: port=500
| natd_hash: hash= e7 b2 78 60 2a ce 49 b5 08 0a c4 24 92 ea aa 58
| natd_hash: hash= 03 1e e7 12
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting 20 raw bytes of Notify data into IKEv2 Notify Payload
| Notify data e7 b2 78 60 2a ce 49 b5 08 0a c4 24 92 ea aa 58
| Notify data 03 1e e7 12
| emitting length of IKEv2 Notify Payload: 28
| going to send a certreq
| connection->kind is not CK_PERMANENT (instance), so collect CAs
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| Not a roadwarrior instance, sending empty CA in CERTREQ
| ***emit IKEv2 Certificate Request Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| ikev2 cert encoding: CERT_X509_SIGNATURE (0x4)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Certificate Request Payload (38:ISAKMP_NEXT_v2CERTREQ)
| next payload chain: saving location 'IKEv2 Certificate Request Payload'.'next payload type' in 'reply packet'
| emitting length of IKEv2 Certificate Request Payload: 5
| ***emit IKEv2 Vendor ID Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| next payload chain: setting previous 'IKEv2 Certificate Request Payload'.'next payload type' to current IKEv2 Vendor ID Payload (43:ISAKMP_NEXT_v2V)
| next payload chain: saving location 'IKEv2 Vendor ID Payload'.'next payload type' in 'reply packet'
| emitting 19 raw bytes of Opportunistic IPsec into IKEv2 Vendor ID Payload
| Opportunistic IPsec 4f 70 70 6f 72 74 75 6e 69 73 74 69 63 20 49 50
| Opportunistic IPsec 73 65 63
| emitting length of IKEv2 Vendor ID Payload: 23
| emitting length of ISAKMP Message: 460
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in complete_v2_state_transition() at ikev2.c:3379)
| #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK
| IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1
| parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA)
| Message ID: updating counters for #1 to 0 after switching state
| Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1
| Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1
| STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
| sending V2 new request packet to 192.1.3.209:500 (from 192.1.2.23:500)
| sending 460 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1)
| a2 30 4a 5b 65 74 84 ee 2f a9 8f 22 d3 2d 1e 58
| 21 20 22 20 00 00 00 00 00 00 01 cc 22 00 00 28
| 00 00 00 24 01 01 00 03 03 00 00 0c 01 00 00 14
| 80 0e 01 00 03 00 00 08 02 00 00 07 00 00 00 08
| 04 00 00 0e 28 00 01 08 00 0e 00 00 f9 16 54 e1
| 6e c2 e4 65 37 60 d7 cd a5 a8 87 78 00 0c a0 12
| fb 19 8c 6b a3 5f 5b 57 35 2d 99 1a e6 e6 a3 b0
| aa a4 3e 23 d4 89 57 c6 50 50 31 9d 71 22 c7 40
| 2b 5f 1a 17 3d a8 14 9a 98 0b 7e 1b d7 09 b5 d9
| 28 15 cc 53 ab 1c 8b 30 7c 21 4f 42 c8 e5 41 92
| 4f 48 be 10 e6 ee 77 e7 a7 d4 61 7d 10 5b dc 0a
| 18 ea 47 b9 72 5d 0d d0 89 64 86 74 17 e8 73 d4
| 23 bd 61 b5 76 7f e9 0d 1b ee 1b 81 fa 20 91 e7
| 9c e5 de 2d 0b 43 26 da ce 88 69 a4 b7 96 9c 5d
| 6e 8e 5c f0 f1 97 f4 41 f9 74 f9 82 31 7d ac 71
| d1 aa f8 53 22 32 fb 16 cf 62 16 7a 98 59 1d 20
| 54 d3 f0 63 45 99 5e 11 85 b3 e7 43 8d 7e 28 18
| 9a 81 fd 18 d8 f4 92 07 c5 e0 1c c2 2d 23 6f 56
| e1 25 a0 b0 d3 1b 0c d5 78 cd b9 46 84 1a 2d 51
| f5 36 9e ed da fb 30 8a 56 13 d1 a5 c7 1a 82 18
| 83 ef f9 81 b3 1e b0 48 b0 e5 95 53 29 00 00 24
| f9 f4 58 44 f0 ea 84 c6 d2 7f bb 9b a8 bd 4c eb
| 50 de f7 0f 5f b5 fe b4 01 70 2d 66 69 0d 7d 21
| 29 00 00 08 00 00 40 2e 29 00 00 1c 00 00 40 04
| e2 bf 3c c5 fd f7 90 60 f0 be 5a 23 fb 53 e9 7b
| 75 bf 43 c7 26 00 00 1c 00 00 40 05 e7 b2 78 60
| 2a ce 49 b5 08 0a c4 24 92 ea aa 58 03 1e e7 12
| 2b 00 00 05 04 00 00 00 17 4f 70 70 6f 72 74 75
| 6e 69 73 74 69 63 20 49 50 73 65 63
| state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted
| libevent_free: release ptr-libevent@0x562875141de8
| free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5628751614d8
| event_schedule: new EVENT_SO_DISCARD-pe@0x5628751614d8
| inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1
| libevent_malloc: new ptr-libevent@0x5628751615f8 size 128
| resume sending helper answer for #1 suppresed complete_v2_state_transition()
| #1 spent 0.321 milliseconds in resume sending helper answer
| stop processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:833)
| libevent_free: release ptr-libevent@0x7fd560002888
| spent 0.00306 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 539 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
| a2 30 4a 5b 65 74 84 ee 2f a9 8f 22 d3 2d 1e 58
| 35 20 23 08 00 00 00 01 00 00 02 1b 23 00 01 ff
| 00 01 00 05 18 f1 c7 4b 12 8e ab a1 57 3e 80 a4
| ad 72 83 2f de f7 1c a7 34 62 0d 5d 76 54 8e 95
| ea e3 ce 9a d0 45 f6 8e 5f 66 bd 86 2f 4a 41 c5
| 1a e2 51 50 d7 37 f7 ed b9 4a ca 10 05 92 b6 bb
| c4 8e 66 2e e7 8f 8c 15 78 43 9f c9 37 17 01 97
| aa 6e 6c c6 82 49 f5 a3 e1 cc 21 93 f0 be b1 2a
| af b5 b5 0d 98 66 f4 72 41 8a 65 73 ef fa c4 88
| ca fc 31 98 3a a8 52 b8 eb 5c 55 80 c7 e3 a8 f5
| d7 4a 52 8e da b4 4d 95 25 64 23 7f 2c 61 d8 12
| 6c 56 2b d2 3f 49 7a d7 7f 79 7d 00 a1 8c 78 60
| 00 db 30 b8 be eb 2d f7 3f 58 b4 4a a5 fc 51 2c
| 8a 85 57 8f 26 bd ae 3c b4 dd 7b 93 30 68 80 36
| a5 ab dc e9 58 7e c2 ff c1 3b fa 39 db 56 3b 2b
| fb 2b 91 8d 0c 2a ad 68 ae 0a 2e 8f e7 9a 85 7d
| c0 71 40 5c 22 39 de 03 88 c3 bc 61 61 f5 1b d5
| 84 17 85 94 8d 7e 55 3e 9a dc a4 d2 d1 5c 23 98
| 81 91 3a 8f 81 98 1c 62 6c a7 7d 9e f0 03 42 9b
| 55 89 36 44 7e 67 e4 8a 85 d7 dd 31 70 38 cf 2a
| 0d a9 60 4c 5a db a3 6c c3 18 14 20 52 e5 5a 32
| 28 b7 72 4a 9f 1b 9a c4 c0 ab 0d 01 ca 0e a2 12
| 3a a7 5d 1f 77 92 83 f2 c7 96 af 48 b9 78 4f a6
| 4c 82 c1 0f f9 3b 7c e3 60 3f b2 e7 61 af 86 55
| ba df 1a 13 8a a7 30 09 16 fa 1e 58 c3 76 d8 da
| 41 e4 6c 86 60 5b fc fa 68 7d ea 4e 45 81 e2 ee
| 5e 93 66 8d 2f 39 0d cb 18 86 fd 3f 89 a3 53 0a
| 8c fc c7 4e 35 2f 45 7b a1 a0 73 d1 a6 b2 6d 82
| ee 5b 05 ca c6 70 02 a1 f3 f7 c3 a8 64 45 5b 25
| 46 6e 95 c5 28 76 26 85 fa 58 41 28 46 b0 92 c4
| 38 0b 98 cf 06 ac 3d 34 0c fd 0e a0 b3 e0 d0 cb
| 3a 69 f5 00 d2 d2 43 3b 49 73 25 32 09 b8 30 a8
| 03 1f d6 91 fd 44 c8 20 b9 68 88 1c af 32 b5 b0
| d8 2d ec de d1 fa 24 25 9a 7a 86
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
| initiator cookie:
| a2 30 4a 5b 65 74 84 ee
| responder cookie:
| 2f a9 8f 22 d3 2d 1e 58
| next payload type: ISAKMP_NEXT_v2SKF (0x35)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 1 (0x1)
| length: 539 (0x21b)
| processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa)
| start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2016)
| State DB: IKEv2 state not found (find_v2_sa_by_responder_wip)
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ike_process_packet() at ikev2.c:2064)
| #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001
| Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SKF)
| ***parse IKEv2 Encrypted Fragment:
| next payload type: ISAKMP_NEXT_v2IDi (0x23)
| flags: none (0x0)
| length: 511 (0x1ff)
| fragment number: 1 (0x1)
| total fragments: 5 (0x5)
| processing payload: ISAKMP_NEXT_v2SKF (len=503)
| Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1
| #1 in state PARENT_R1: received v2I1, sent v2R1
| received IKE encrypted fragment number '1', total number '5', next payload '35'
| updated IKE fragment state to respond using fragments without waiting for re-transmits
| stop processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.157 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.171 milliseconds in comm_handle_cb() reading and processing packet
| spent 0.00161 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 539 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
| a2 30 4a 5b 65 74 84 ee 2f a9 8f 22 d3 2d 1e 58
| 35 20 23 08 00 00 00 01 00 00 02 1b 00 00 01 ff
| 00 02 00 05 f3 29 d3 a0 59 77 23 49 57 b2 22 e3
| 45 a8 e9 ad 43 0f aa 3b f2 a5 15 5d db 24 a3 cc
| 5b 42 c4 ac d7 a0 c0 4e 7e 9d 54 fa 94 d7 0c 30
| 68 a0 24 8a bc 79 a0 3b ca 1c 59 00 5c 88 aa 65
| 1a 56 e2 84 f7 bb 0e 51 31 ff d8 de b4 84 63 9b
| f2 cb 14 55 59 6f e4 cd 64 f0 48 95 ae f3 d3 5d
| 04 05 08 ea e1 d6 f9 68 65 e7 fb ba fb 41 cf 78
| a1 34 0d d9 ee f0 7a de 00 5f 3a 85 15 ae c0 9c
| 14 46 bc 3f b8 94 d9 2e f2 49 8f 6a 71 e7 b1 75
| 6b f5 33 aa 76 8c 9a 1f 29 87 ae df d4 f5 36 c2
| 63 e5 f4 f6 e8 4c 67 05 a7 a0 39 e3 95 64 92 7e
| af 78 f7 37 e9 3d e7 65 39 94 01 96 71 68 12 e7
| 5a 70 54 65 2e 7b 62 95 f6 36 ef 81 5b db 69 3f
| 88 25 6b 5e 00 c2 67 ad 14 98 bd 4e 79 53 fa e4
| 92 7e 19 14 9b 2c ef bf 3a d2 c5 d5 69 21 51 f9
| e3 4f 09 c6 74 b0 48 e4 77 b6 da 82 a4 8e 61 9c
| e1 94 0e 2b 42 b1 8b 1b 64 d5 20 6e 78 f6 e7 ef
| a4 7f ca 4e 12 ad 51 98 d9 40 28 08 4e e3 c4 18
| 13 d4 4e 64 53 ae 98 72 b0 78 46 59 ed 11 8c b1
| 90 30 e1 5d fd 73 26 82 29 34 b5 8d 55 a4 c3 42
| a8 be 2d db b3 6a 6f 42 c4 37 70 2f c7 43 85 91
| 17 31 a2 91 5d ef d4 8e 8d 5f bb 7d 34 d5 28 9f
| 7d cd 04 a6 1f bd 5e c3 42 76 b1 eb 5a 6e a3 84
| a4 9d b7 a9 dd 00 6b 42 a0 41 2e 4b e4 45 09 2b
| 05 ad f9 5e c5 96 90 fc ba 5e b4 6b fc 4a b2 95
| 6d 66 d6 fd 76 bd ee 17 d9 a6 db 76 e9 f2 40 b7
| 7e 39 ff e1 07 4e 5c 55 11 0f 57 3f 16 ea 6d 5d
| 6f 04 83 32 71 4f e3 f1 f7 43 6e f9 7b 0f 76 67
| 89 95 f6 11 dc 80 2a d8 eb 76 f1 ec ff bb d7 e7
| 3a bf 1f a3 d7 5d ff e9 83 ab 1a 33 7e 05 6b ff
| 74 a1 b2 8d 2b f4 18 bb 96 99 0a 41 53 86 b1 6b
| f7 1f cf 32 ff c2 b7 5d 1a 6d 4a
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
| initiator cookie:
| a2 30 4a 5b 65 74 84 ee
| responder cookie:
| 2f a9 8f 22 d3 2d 1e 58
| next payload type: ISAKMP_NEXT_v2SKF (0x35)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 1 (0x1)
| length: 539 (0x21b)
| processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa)
| start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2016)
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ike_process_packet() at ikev2.c:2062)
| #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001
| #1 is idle
| #1 idle
| Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SKF)
| ***parse IKEv2 Encrypted Fragment:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| length: 511 (0x1ff)
| fragment number: 2 (0x2)
| total fragments: 5 (0x5)
| processing payload: ISAKMP_NEXT_v2SKF (len=503)
| #1 in state PARENT_R1: received v2I1, sent v2R1
| received IKE encrypted fragment number '2', total number '5', next payload '0'
| stop processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.118 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.126 milliseconds in comm_handle_cb() reading and processing packet
| spent 0.00113 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 539 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
| a2 30 4a 5b 65 74 84 ee 2f a9 8f 22 d3 2d 1e 58
| 35 20 23 08 00 00 00 01 00 00 02 1b 00 00 01 ff
| 00 03 00 05 dc 13 df 3a ad 21 77 e5 ad fe aa 40
| ed eb d6 94 29 bd 3f b0 02 82 2a cb f1 13 02 7e
| 91 38 b3 d5 06 bc 96 e1 18 38 d9 2b 6d 3d f5 36
| 5f b5 83 df 64 0e cc 1c ae 81 55 27 41 74 b3 59
| 79 81 31 59 14 46 de 96 16 e3 d8 b0 0e a9 4a 4a
| aa 22 6a da e9 44 61 ef 73 b1 36 27 c4 85 10 e6
| 8c 89 f5 de be 6c 79 2e 47 10 17 f1 c8 cb 81 ee
| 81 7e d3 d6 e4 e1 cb 4a e5 e9 41 49 67 04 13 66
| af e9 eb 6f 8b 05 de 74 c2 64 17 da 45 e5 ec 35
| 04 c4 2e 6e 69 a7 c1 fd 0c 23 6a de e1 62 b8 19
| 2c 53 29 b1 c0 6e 75 04 ba 91 59 31 b9 90 45 b1
| 05 9c 24 f6 59 04 5d 21 f0 e1 6d 05 c1 ec e4 62
| 42 dc 34 44 b9 b6 67 b4 c8 ae 19 b5 20 1f 40 0c
| fe 69 03 c6 a6 b0 15 45 62 b8 d2 92 14 a1 3e ce
| 5a fa 0d a3 63 dd 61 71 25 ff f8 5d 22 de 38 28
| d2 bf 40 11 0a d6 10 13 51 90 7a e7 69 80 9b 68
| 2e 22 d8 a9 33 ca 02 6c a3 5e 5e 25 05 ae de f8
| 53 df 78 f2 fd 53 5a 3a 08 38 27 5c 06 47 e4 6e
| 13 10 12 09 de 7d 44 2c d9 30 53 c2 17 f3 cf 6a
| 5a fc 12 75 95 99 53 6d 94 e0 bc 71 d1 13 fd e1
| 56 85 ac e9 60 18 ef 72 f2 9e 59 26 17 78 e0 61
| ea bf ee c3 db dd 1c ab 01 56 73 18 3f 27 6c ca
| 27 90 12 12 30 3e 99 91 df 6d 9d a5 7c b4 65 06
| 20 ae 78 04 e4 dd b4 56 c1 85 df 3b be 69 10 2f
| 09 b5 2c 76 91 2b a9 5a ee a7 18 49 d5 fa c3 9d
| f2 cd 25 4c 1b 2b 0a e9 62 3b 11 a5 23 0c 58 0b
| 76 75 c0 33 a8 47 c1 ee 56 69 8a 9b 18 e7 47 02
| 1e bd 78 51 a4 d1 a5 a4 22 2c f7 3b af 09 5e d9
| 9f d4 0a f4 40 a8 35 20 c0 ef c6 62 4c c4 f0 df
| cb ff 4c 42 1e 9b cb 17 15 af 86 c7 d0 ef db ef
| df 4e 5d d1 0b 76 32 64 73 af 5c eb ea 80 da e6
| 08 64 49 be 7f 43 03 d6 a3 3d c3
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
| initiator cookie:
| a2 30 4a 5b 65 74 84 ee
| responder cookie:
| 2f a9 8f 22 d3 2d 1e 58
| next payload type: ISAKMP_NEXT_v2SKF (0x35)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 1 (0x1)
| length: 539 (0x21b)
| processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa)
| start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2016)
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ike_process_packet() at ikev2.c:2062)
| #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001
| #1 is idle
| #1 idle
| Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SKF)
| ***parse IKEv2 Encrypted Fragment:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| length: 511 (0x1ff)
| fragment number: 3 (0x3)
| total fragments: 5 (0x5)
| processing payload: ISAKMP_NEXT_v2SKF (len=503)
| #1 in state PARENT_R1: received v2I1, sent v2R1
| received IKE encrypted fragment number '3', total number '5', next payload '0'
| stop processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.118 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.125 milliseconds in comm_handle_cb() reading and processing packet
| spent 0.00102 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 539 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
| a2 30 4a 5b 65 74 84 ee 2f a9 8f 22 d3 2d 1e 58
| 35 20 23 08 00 00 00 01 00 00 02 1b 00 00 01 ff
| 00 04 00 05 83 71 a1 63 26 08 8b d5 30 4f 8c f3
| f9 12 8b a3 3a f2 f3 0a 59 b9 84 84 d6 1f 15 7b
| 02 e2 e6 8d 12 0f 01 f1 81 e5 17 38 39 4e 3e c0
| 7d 55 0c 9c fc 23 44 95 45 ac 77 dd cb 2d b8 a2
| cd 37 f7 21 0f de a1 d3 b3 f9 13 22 b7 a2 1c 1f
| e2 db 85 fe 11 a5 b6 74 cf 13 a9 09 6e b1 d6 5b
| ec e7 6c 86 67 b2 97 48 9e 86 8d a3 6e ad 4e bc
| 0b 6d 2a b6 ec b3 62 44 5d 92 0a 47 2d 48 d0 9d
| db 30 68 a9 ac 89 27 05 52 5c b8 87 75 89 ab 6e
| 83 41 f2 ae 9a cd 56 a5 81 9a b2 e5 1b 0d c9 db
| 82 2d 5a eb ea af 56 13 a2 aa c0 77 e7 b1 45 7d
| be 6b 23 8a d3 fc e1 13 8f 7c f5 bc e5 53 34 78
| 74 93 de 03 3e bb a7 a7 3b d6 af ea 88 96 d0 f5
| 0a 4d 69 b2 cc de 24 17 0c 06 09 83 3f 66 a6 f3
| 45 b7 c2 ae eb 58 c8 03 4a f8 46 b6 3c f9 a1 cb
| 91 31 16 da c0 b9 bb 2a 03 89 a1 1a 00 f0 26 35
| 30 81 6d 87 fe 1d dc 0f 3f 51 65 21 82 3b 84 2c
| 14 d9 7f e5 a5 f2 29 74 c7 3b 38 a0 e4 b6 69 e5
| a9 89 47 d1 c9 2c 7c c7 38 89 fd 64 e7 b3 9d 7b
| c4 3d 95 c5 aa 57 3f 0e 87 59 f2 95 34 cf f4 8e
| 6e 04 98 5c f7 ec a1 1b 7a 95 91 b3 4c 66 53 27
| 0f a6 80 af 5a 2a 47 37 60 1b 4e 3a 45 eb 1f fa
| d7 25 04 0e 2a a2 be e4 7a b6 70 77 c3 85 58 db
| 1d f5 3f 8c fc a4 97 fe 30 64 eb 0f 62 87 5b e2
| 80 85 1d dc 0a 5b bc 5c 86 7d 8d 40 12 e1 2c 31
| 9e 46 05 45 0f 19 d4 49 06 85 ec 7c 09 20 5b 96
| 06 e8 1d da c4 24 27 e9 a3 3d 49 27 0a 97 c4 f5
| 80 5d fa 5c f1 f3 3b d3 25 19 56 8c 61 59 21 a7
| 15 f9 d2 1c 22 ef b0 0e e3 f0 2f 31 7e 85 04 c0
| 42 10 3b 2a 67 d8 2e 92 77 bc d3 3d 21 c8 ee 9c
| 86 19 9e 5c fb dd 55 c1 cc be f4 89 a9 2f 62 50
| 5d 8c bc 67 6a 87 d3 70 e2 b7 26
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
| initiator cookie:
| a2 30 4a 5b 65 74 84 ee
| responder cookie:
| 2f a9 8f 22 d3 2d 1e 58
| next payload type: ISAKMP_NEXT_v2SKF (0x35)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 1 (0x1)
| length: 539 (0x21b)
| processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa)
| start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2016)
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ike_process_packet() at ikev2.c:2062)
| #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001
| #1 is idle
| #1 idle
| Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SKF)
| ***parse IKEv2 Encrypted Fragment:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| length: 511 (0x1ff)
| fragment number: 4 (0x4)
| total fragments: 5 (0x5)
| processing payload: ISAKMP_NEXT_v2SKF (len=503)
| #1 in state PARENT_R1: received v2I1, sent v2R1
| received IKE encrypted fragment number '4', total number '5', next payload '0'
| stop processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.113 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.124 milliseconds in comm_handle_cb() reading and processing packet
| spent 0.00126 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 66 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
| a2 30 4a 5b 65 74 84 ee 2f a9 8f 22 d3 2d 1e 58
| 35 20 23 08 00 00 00 01 00 00 00 42 00 00 00 26
| 00 05 00 05 77 81 c0 f9 d3 89 b7 f4 a9 c9 f0 fc
| 83 82 d8 f4 0a 17 30 05 89 b2 db c7 48 31 45 84
| 3f fb
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
| initiator cookie:
| a2 30 4a 5b 65 74 84 ee
| responder cookie:
| 2f a9 8f 22 d3 2d 1e 58
| next payload type: ISAKMP_NEXT_v2SKF (0x35)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 1 (0x1)
| length: 66 (0x42)
| processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa)
| start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2016)
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ike_process_packet() at ikev2.c:2062)
| #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001
| #1 is idle
| #1 idle
| Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SKF)
| ***parse IKEv2 Encrypted Fragment:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| length: 38 (0x26)
| fragment number: 5 (0x5)
| total fragments: 5 (0x5)
| processing payload: ISAKMP_NEXT_v2SKF (len=30)
| #1 in state PARENT_R1: received v2I1, sent v2R1
| received IKE encrypted fragment number '5', total number '5', next payload '0'
| selected state microcode Responder: process IKE_AUTH request (no SKEYSEED)
| Now let's proceed with state specific processing
| calling processor Responder: process IKE_AUTH request (no SKEYSEED)
| ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2
| offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16
| adding ikev2_inI2outR2 KE work-order 2 for state #1
| state #1 requesting EVENT_SO_DISCARD to be deleted
| libevent_free: release ptr-libevent@0x5628751615f8
| free_event_entry: release EVENT_SO_DISCARD-pe@0x5628751614d8
| event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5628751614d8
| inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1
| libevent_malloc: new ptr-libevent@0x7fd560002888 size 128
| #1 spent 0.0273 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet()
| crypto helper 1 resuming
| crypto helper 1 starting work-order 2 for state #1
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in complete_v2_state_transition() at ikev2.c:3379)
| #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND
| crypto helper 1 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2
| suspending state #1 and saving MD
| #1 is busy; has a suspended MD
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in log_stf_suspend() at ikev2.c:3269)
| "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451
| stop processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.155 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.165 milliseconds in comm_handle_cb() reading and processing packet
| calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4
| crypto helper 1 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.000879 seconds
| (#1) spent 0.873 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr)
| crypto helper 1 sending results from work-order 2 for state #1 to event queue
| scheduling resume sending helper answer for #1
| libevent_malloc: new ptr-libevent@0x7fd558000f48 size 128
| crypto helper 1 waiting (nothing to do)
| processing resume sending helper answer for #1
| start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797)
| crypto helper 1 replies to request ID 2
| calling continuation function 0x5628735d6b50
| ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2
| #1 in state PARENT_R1: received v2I1, sent v2R1
| already have all fragments, skipping fragment collection
| already have all fragments, skipping fragment collection
| #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success
| Now let's proceed with payload (ISAKMP_NEXT_v2IDi)
| **parse IKEv2 Identification - Initiator - Payload:
| next payload type: ISAKMP_NEXT_v2CERT (0x25)
| flags: none (0x0)
| length: 12 (0xc)
| ID type: ID_IPV4_ADDR (0x1)
| processing payload: ISAKMP_NEXT_v2IDi (len=4)
| Now let's proceed with payload (ISAKMP_NEXT_v2CERT)
| **parse IKEv2 Certificate Payload:
| next payload type: ISAKMP_NEXT_v2AUTH (0x27)
| flags: none (0x0)
| length: 1229 (0x4cd)
| ikev2 cert encoding: CERT_X509_SIGNATURE (0x4)
| processing payload: ISAKMP_NEXT_v2CERT (len=1224)
| Now let's proceed with payload (ISAKMP_NEXT_v2AUTH)
| **parse IKEv2 Authentication Payload:
| next payload type: ISAKMP_NEXT_v2SA (0x21)
| flags: none (0x0)
| length: 392 (0x188)
| auth method: IKEv2_AUTH_RSA (0x1)
| processing payload: ISAKMP_NEXT_v2AUTH (len=384)
| Now let's proceed with payload (ISAKMP_NEXT_v2SA)
| **parse IKEv2 Security Association Payload:
| next payload type: ISAKMP_NEXT_v2TSi (0x2c)
| flags: none (0x0)
| length: 164 (0xa4)
| processing payload: ISAKMP_NEXT_v2SA (len=160)
| Now let's proceed with payload (ISAKMP_NEXT_v2TSi)
| **parse IKEv2 Traffic Selector - Initiator - Payload:
| next payload type: ISAKMP_NEXT_v2TSr (0x2d)
| flags: none (0x0)
| length: 24 (0x18)
| number of TS: 1 (0x1)
| processing payload: ISAKMP_NEXT_v2TSi (len=16)
| Now let's proceed with payload (ISAKMP_NEXT_v2TSr)
| **parse IKEv2 Traffic Selector - Responder - Payload:
| next payload type: ISAKMP_NEXT_v2N (0x29)
| flags: none (0x0)
| length: 24 (0x18)
| number of TS: 1 (0x1)
| processing payload: ISAKMP_NEXT_v2TSr (len=16)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| **parse IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| length: 72 (0x48)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_NULL_AUTH (0xa000)
| processing payload: ISAKMP_NEXT_v2N (len=64)
| selected state microcode Responder: process IKE_AUTH request
| Now let's proceed with state specific processing
| calling processor Responder: process IKE_AUTH request
"private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: processing decrypted IKE_AUTH request: SK{IDi,CERT,AUTH,SA,TSi,TSr,N}
| #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669)
| global one-shot timer EVENT_FREE_ROOT_CERTS scheduled in 300 seconds
loading root certificate cache
| spent 2.63 milliseconds in get_root_certs() calling PK11_ListCertsInSlot()
| spent 0.0154 milliseconds in get_root_certs() filtering CAs
| #1 spent 2.67 milliseconds in find_and_verify_certs() calling get_root_certs()
| checking for known CERT payloads
| saving certificate of type 'X509_SIGNATURE'
| decoded cert: E=user-road@testing.libreswan.org,CN=road.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
| #1 spent 0.18 milliseconds in find_and_verify_certs() calling decode_cert_payloads()
| cert_issuer_has_current_crl: looking for a CRL issued by E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
| #1 spent 0.0295 milliseconds in find_and_verify_certs() calling crl_update_check()
| missing or expired CRL
| crl_strict: 0, ocsp: 0, ocsp_strict: 0, ocsp_post: 0
| verify_end_cert trying profile IPsec
"private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: Certificate E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA failed IPsec verification
"private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: ERROR: The certificate was signed using a signature algorithm that is disabled because it is not secure.
| #1 spent 0.312 milliseconds in find_and_verify_certs() calling verify_end_cert()
"private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: X509: Certificate rejected for this connection
"private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: X509: CERT payload bogus or revoked
| parsing 4 raw bytes of IKEv2 Identification - Initiator - Payload into peer ID
| peer ID c0 01 03 d1
| refine_host_connection for IKEv2: starting with "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209
| match_id a=192.1.3.209
| b=192.1.3.209
| results matched
| refine_host_connection: checking "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 against "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0))
| Warning: not switching back to template of current instance
| No IDr payload received from peer
| refine_host_connection: checked private-or-clear#192.1.3.0/24[1] ...192.1.3.209 against private-or-clear#192.1.3.0/24[1] ...192.1.3.209, now for see if best
| started looking for secret for 192.1.2.23->192.1.3.209 of kind PKK_RSA
| searching for certificate PKK_RSA:AQO9bJbr3 vs PKK_RSA:AwEAAbEef
| private key for cert east not found in local cache; loading from NSS DB
| certs and keys locked by 'lsw_add_rsa_secret'
| certs and keys unlocked by 'lsw_add_rsa_secret'
| searching for certificate PKK_RSA:AwEAAbEef vs PKK_RSA:AwEAAbEef
| returning because exact peer id match
| offered CA: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| IKEv2 mode peer ID is ID_IPV4_ADDR: '192.1.3.209'
| received v2N_NULL_AUTH
| parsing 64 raw bytes of IKEv2 Notify Payload into NULL_AUTH extract
| NULL_AUTH extract be 93 fe 5a f9 7e 2f a3 ec 4e ed 84 12 8c f9 b8
| NULL_AUTH extract 38 fc c2 5c 2f ad 30 da 51 89 07 00 6d 88 16 ec
| NULL_AUTH extract a4 1d 22 5d 8e 55 12 18 3f c9 cc ef 9a db b1 a6
| NULL_AUTH extract 75 09 f7 6d cf fd d2 fe 4d 8a 0a fc 30 ec 2e 56
| verifying AUTH payload
| required RSA CA is '%any'
| checking RSA keyid 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' for match with '192.1.3.209'
| checking RSA keyid 'user-east@testing.libreswan.org' for match with '192.1.3.209'
| checking RSA keyid '@east.testing.libreswan.org' for match with '192.1.3.209'
| checking RSA keyid 'east@testing.libreswan.org' for match with '192.1.3.209'
| checking RSA keyid '192.1.2.23' for match with '192.1.3.209'
"private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: no RSA public key known for '192.1.3.209'
| #1 spent 0.028 milliseconds in ikev2_verify_rsa_hash()
"private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: RSA authentication of I2 Auth Payload failed
"private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: responding to IKE_AUTH message (ID 1) from 192.1.3.209:500 with encrypted notification AUTHENTICATION_FAILED
| Opening output PBS encrypted notification
| **emit ISAKMP Message:
| initiator cookie:
| a2 30 4a 5b 65 74 84 ee
| responder cookie:
| 2f a9 8f 22 d3 2d 1e 58
| next payload type: ISAKMP_NEXT_NONE (0x0)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
| Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encryption Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK)
| next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'encrypted notification'
| emitting 8 zero bytes of IV into IKEv2 Encryption Payload
| Adding a v2N Payload
| ****emit IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_AUTHENTICATION_FAILED (0x18)
| next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'encrypted notification'
| emitting length of IKEv2 Notify Payload: 8
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload
| emitting length of IKEv2 Encryption Payload: 37
| emitting length of ISAKMP Message: 65
| sending 65 bytes for v2 notify through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1)
| a2 30 4a 5b 65 74 84 ee 2f a9 8f 22 d3 2d 1e 58
| 2e 20 23 20 00 00 00 01 00 00 00 41 29 00 00 25
| 90 7c fc 3b 7f 6e dc 3d 35 aa 25 8f bc 69 83 77
| b2 e3 83 14 a8 be b4 28 90 00 fa ff 35 9f 33 35
| ae
| pstats #1 ikev2.ike failed auth-failed
| ikev2_parent_inI2outR2_continue_tail returned STF_FATAL
| #1 spent 3.65 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet()
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in complete_v2_state_transition() at ikev2.c:3379)
| #1 complete_v2_state_transition() PARENT_R1->V2_IPSEC_R with status STF_FATAL
| release_pending_whacks: state #1 has no whack fd
| pstats #1 ikev2.ike deleted auth-failed
| #1 spent 3.43 milliseconds in total
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in delete_state() at state.c:879)
"private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: deleting state (STATE_PARENT_R1) aged 0.017s and NOT sending notification
| parent state #1: PARENT_R1(half-open IKE SA) => delete
| state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted
| libevent_free: release ptr-libevent@0x7fd560002888
| free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5628751614d8
| State DB: IKEv2 state not found (flush_incomplete_children)
| in connection_discard for connection private-or-clear#192.1.3.0/24
| connection is instance
| not in pending use
| State DB: state not found (connection_discard)
| no states use this connection instance, deleting
| start processing: connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 (BACKGROUND) (in delete_connection() at connections.c:189)
| Deleting states for connection - not including other IPsec SA's
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| state #1
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| state #1
| free hp@0x5628751613a8
| flush revival: connection 'private-or-clear#192.1.3.0/24' wasn't on the list
| stop processing: connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 (BACKGROUND) (in discard_connection() at connections.c:249)
| State DB: deleting IKEv2 state #1 in PARENT_R1
| parent state #1: PARENT_R1(half-open IKE SA) => UNDEFINED(ignore)
| stop processing: state #1 from 192.1.3.209:500 (in delete_state() at state.c:1143)
| resume sending helper answer for #1 suppresed complete_v2_state_transition()
| in statetime_stop() and could not find #1
| processing: STOP state #0 (in resume_handler() at server.c:833)
| libevent_free: release ptr-libevent@0x7fd558000f48
| processing global timer EVENT_SHUNT_SCAN
| expiring aged bare shunts from shunt table
| spent 0.00347 milliseconds in global timer EVENT_SHUNT_SCAN
| kernel_process_msg_cb process netlink message
| netlink_get: XFRM_MSG_ACQUIRE message
| xfrm netlink msg len 376
| xfrm acquire rtattribute type 5
| xfrm acquire rtattribute type 16
| add bare shunt 0x56287514f628 192.1.2.23/32:0 --1--> 192.1.3.209/32:0 => %hold 0 %acquire-netlink
initiate on demand from 192.1.2.23:0 to 192.1.3.209:0 proto=1 because: acquire
| find_connection: looking for policy for connection: 192.1.2.23:1/0 -> 192.1.3.209:1/0
| FOR_EACH_CONNECTION_... in find_connection_for_clients
| find_connection: conn "private-or-clear#192.1.3.0/24" has compatible peers: 192.1.2.23/32 -> 192.1.3.0/24 [pri: 33554444]
| find_connection: first OK "private-or-clear#192.1.3.0/24" [pri:33554444]{0x56287515ecb8} (child none)
| find_connection: concluding with "private-or-clear#192.1.3.0/24" [pri:33554444]{0x56287515ecb8} kind=CK_TEMPLATE
| creating new instance from "private-or-clear#192.1.3.0/24"
| shunt widened for protoports since conn does not limit protocols
| going to initiate opportunistic, first installing pass negotiationshunt
| priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfe7
| oe-negotiating eroute 192.1.2.23/32:0 --0-> 192.1.3.209/32:0 => %pass (raw_eroute)
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 2088935
| raw_eroute result=success
| added bare (possibly wided) passthrough negotiationshunt succeeded (violating API)
| add bare shunt 0x562875172648 192.1.2.23/32:0 --0--> 192.1.3.209/32:0 => %hold 0 oe-negotiating
| fiddle_bare_shunt called
| fiddle_bare_shunt with transport_proto 1
| removing specific host-to-host bare shunt
| delete bare kernel shunt - was replaced with negotiationshunt eroute 192.1.2.23/32:0 --1-> 192.1.3.209/32:0 => %hold (raw_eroute)
| netlink_raw_eroute: SPI_PASS
| raw_eroute result=success
| raw_eroute with op='delete' for transport_proto='1' kernel shunt succeeded, bare shunt lookup succeeded
| delete bare shunt 0x56287514f628 192.1.2.23/32:0 --1--> 192.1.3.209/32:0 => %hold 0 %acquire-netlink
| success taking down narrow bare shunt
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| checking private-or-clear-all
| checking block
| checking private
| checking private-or-clear
| checking private-or-clear#192.1.3.0/24
| checking clear-or-private
| checking clear
| checking clear#192.1.2.253/32
| checking clear#192.1.3.253/32
| checking clear#192.1.3.254/32
| checking clear#192.1.2.254/32
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| checking private-or-clear-all
| checking block
| checking private
| checking private-or-clear
| checking private-or-clear#192.1.3.0/24
| checking clear-or-private
| checking clear
| checking clear#192.1.2.253/32
| checking clear#192.1.3.253/32
| checking clear#192.1.3.254/32
| checking clear#192.1.2.254/32
| connect_to_host_pair: 192.1.2.23:500 192.1.3.209:500 -> hp@(nil): none
| new hp@0x5628751613a8
| oppo instantiate d="private-or-clear#192.1.3.0/24" from c="private-or-clear#192.1.3.0/24" with c->routing prospective erouted, d->routing unrouted
| new oppo instance: 192.1.2.23---192.1.2.254...192.1.3.209===192.1.3.0/24
| oppo_instantiate() instantiated "[2] ...192.1.3.209"private-or-clear#192.1.3.0/24: 192.1.2.23---192.1.2.254...192.1.3.209
| assigning negotiation_shunt to connection
| assign hold, routing was unrouted, needs to be unrouted HOLD
| assign_holdpass() removing bare shunt
| delete bare shunt 0x562875172648 192.1.2.23/32:0 --0--> 192.1.3.209/32:0 => %hold 0 oe-negotiating
| assign_holdpass() done - returning success
| assign_holdpass succeeded
| initiate on demand from 192.1.2.23:0 to 192.1.3.209:0 proto=1 because: acquire
| FOR_EACH_STATE_... in find_phase1_state
| creating state object #2 at 0x562875174638
| State DB: adding IKEv2 state #2 in UNDEFINED
| pstats #2 ikev2.ike started
| Message ID: init #2: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0
| parent state #2: UNDEFINED(ignore) => PARENT_I0(ignore)
| Message ID: init_ike #2; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1
| start processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ikev2_parent_outI1() at ikev2_parent.c:535)
| dup_any(fd@-1) -> fd@-1 (in ikev2_parent_outI1() at ikev2_parent.c:551)
| Queuing pending IPsec SA negotiating with 192.1.3.209 "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 IKE SA #2 "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209
| constructing local IKE proposals for private-or-clear#192.1.3.0/24 (IKE SA initiator selecting KE)
| converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ... ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
"private-or-clear#192.1.3.0/24"[2] ...192.1.3.209: constructed local IKE proposals for private-or-clear#192.1.3.0/24 (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| adding ikev2_outI1 KE work-order 3 for state #2
| event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7fd558001f18
| inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2
| libevent_malloc: new ptr-libevent@0x56287517bb58 size 128
| #2 spent 0.339 milliseconds in ikev2_parent_outI1()
| crypto helper 2 resuming
| crypto helper 2 starting work-order 3 for state #2
| crypto helper 2 doing build KE and nonce (ikev2_outI1 KE); request ID 3
| crypto helper 2 finished build KE and nonce (ikev2_outI1 KE); request ID 3 time elapsed 0.001001 seconds
| (#2) spent 0.996 milliseconds in crypto helper computing work-order 3: ikev2_outI1 KE (pcr)
| crypto helper 2 sending results from work-order 3 for state #2 to event queue
| scheduling resume sending helper answer for #2
| libevent_malloc: new ptr-libevent@0x7fd55c002888 size 128
| crypto helper 2 waiting (nothing to do)
| RESET processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ikev2_parent_outI1() at ikev2_parent.c:610)
| initiate on demand using AUTH_NULL from 192.1.2.23 to 192.1.3.209
| spent 0.388 milliseconds in kernel message
| processing resume sending helper answer for #2
| start processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in resume_handler() at server.c:797)
| crypto helper 2 replies to request ID 3
| calling continuation function 0x5628735d6b50
| ikev2_parent_outI1_continue for #2
| **emit ISAKMP Message:
| initiator cookie:
| 7b 6a 2a dd 5c 7a c7 69
| responder cookie:
| 00 00 00 00 00 00 00 00
| next payload type: ISAKMP_NEXT_NONE (0x0)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_SA_INIT (0x22)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 0 (0x0)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| using existing local IKE proposals for connection private-or-clear#192.1.3.0/24 (IKE SA initiator emitting local proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| Emitting ikev2_proposals ...
| ***emit IKEv2 Security Association Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA)
| next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet'
| discarding INTEG=NONE
| ****emit IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_NON_LAST (0x2)
| prop #: 1 (0x1)
| proto ID: IKEv2_SEC_PROTO_IKE (0x1)
| spi size: 0 (0x0)
| # transforms: 11 (0xb)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| ******emit IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| discarding INTEG=NONE
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 100
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| discarding INTEG=NONE
| ****emit IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_NON_LAST (0x2)
| prop #: 2 (0x2)
| proto ID: IKEv2_SEC_PROTO_IKE (0x1)
| spi size: 0 (0x0)
| # transforms: 11 (0xb)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| ******emit IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 128 (0x80)
| emitting length of IKEv2 Transform Substructure Payload: 12
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| discarding INTEG=NONE
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 100
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| ****emit IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_NON_LAST (0x2)
| prop #: 3 (0x3)
| proto ID: IKEv2_SEC_PROTO_IKE (0x1)
| spi size: 0 (0x0)
| # transforms: 13 (0xd)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_CBC (0xc)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| ******emit IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 116
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| ****emit IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_LAST (0x0)
| prop #: 4 (0x4)
| proto ID: IKEv2_SEC_PROTO_IKE (0x1)
| spi size: 0 (0x0)
| # transforms: 13 (0xd)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_CBC (0xc)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| ******emit IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 128 (0x80)
| emitting length of IKEv2 Transform Substructure Payload: 12
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 116
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| emitting length of IKEv2 Security Association Payload: 436
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0
| ***emit IKEv2 Key Exchange Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| DH group: OAKLEY_GROUP_MODP2048 (0xe)
| next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE)
| next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet'
| emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
| ikev2 g^x eb 1e 10 d3 ea 20 4d c3 02 15 82 50 12 8c 49 7c
| ikev2 g^x 69 f5 73 cf e3 30 9b 18 36 ca 56 70 91 94 62 02
| ikev2 g^x e3 b9 14 16 23 0a 87 ed c7 fb b6 66 bb ec 74 bc
| ikev2 g^x 8b ec ea 58 27 64 cd ac 7d 2d 6f 9f 13 2d 24 97
| ikev2 g^x a0 86 00 0d a5 98 78 4c 7f 3b 02 46 bb 19 3b 4f
| ikev2 g^x 25 46 9f 7a 2b ad 7e 91 58 b9 44 a4 85 a2 6f 42
| ikev2 g^x cd f8 56 f2 7d 26 1a 8f cd c2 bd 83 8c 96 59 26
| ikev2 g^x 15 23 84 cb b7 71 87 0a 31 60 53 48 64 90 bf 00
| ikev2 g^x c7 bf a8 7b b5 cb 68 65 9a e6 9d 09 10 d8 4d 7f
| ikev2 g^x 70 14 1d 5c f5 38 19 34 55 18 7a 5f 76 a9 a8 0a
| ikev2 g^x 16 3b 86 2b 90 53 19 8a fa b5 aa ed f6 e1 47 6f
| ikev2 g^x 04 b0 08 b9 a9 17 59 6b 28 3d 93 32 a0 5a 99 fd
| ikev2 g^x 2f bd d0 d5 4c d6 2d e8 77 e8 61 02 61 7e a2 6b
| ikev2 g^x 52 33 0e 4d 19 c9 4b 8a 0e 0a 7a 29 88 41 e3 59
| ikev2 g^x 95 8b f6 2f 21 0a 8b 4e 24 a0 9f 0e 1b 68 c5 3b
| ikev2 g^x 79 c7 cb 4b e9 34 72 fa d0 53 13 f5 27 8f fe a8
| emitting length of IKEv2 Key Exchange Payload: 264
| ***emit IKEv2 Nonce Payload:
| next payload type: ISAKMP_NEXT_v2N (0x29)
| flags: none (0x0)
| next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N
| next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni)
| next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet'
| emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload
| IKEv2 nonce 0e ee 5e fb 18 2e 44 cc a5 f8 16 85 08 88 83 57
| IKEv2 nonce c3 ca c4 37 37 31 51 47 ce e6 66 ae 5c 5e c7 7a
| emitting length of IKEv2 Nonce Payload: 36
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e)
| next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting length of IKEv2 Notify Payload: 8
| NAT-Traversal support [enabled] add v2N payloads.
| natd_hash: rcookie is zero
| natd_hash: hasher=0x5628736ab800(20)
| natd_hash: icookie= 7b 6a 2a dd 5c 7a c7 69
| natd_hash: rcookie= 00 00 00 00 00 00 00 00
| natd_hash: ip= c0 01 02 17
| natd_hash: port=500
| natd_hash: hash= ac ee 88 87 3e c6 65 1c e6 a7 e1 02 a7 b1 95 f2
| natd_hash: hash= 39 e4 45 a2
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting 20 raw bytes of Notify data into IKEv2 Notify Payload
| Notify data ac ee 88 87 3e c6 65 1c e6 a7 e1 02 a7 b1 95 f2
| Notify data 39 e4 45 a2
| emitting length of IKEv2 Notify Payload: 28
| natd_hash: rcookie is zero
| natd_hash: hasher=0x5628736ab800(20)
| natd_hash: icookie= 7b 6a 2a dd 5c 7a c7 69
| natd_hash: rcookie= 00 00 00 00 00 00 00 00
| natd_hash: ip= c0 01 03 d1
| natd_hash: port=500
| natd_hash: hash= 5f a7 95 a7 73 e6 21 8f 2e 56 f5 e1 db f0 5a 81
| natd_hash: hash= 46 71 d4 8a
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting 20 raw bytes of Notify data into IKEv2 Notify Payload
| Notify data 5f a7 95 a7 73 e6 21 8f 2e 56 f5 e1 db f0 5a 81
| Notify data 46 71 d4 8a
| emitting length of IKEv2 Notify Payload: 28
| ***emit IKEv2 Vendor ID Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Vendor ID Payload (43:ISAKMP_NEXT_v2V)
| next payload chain: saving location 'IKEv2 Vendor ID Payload'.'next payload type' in 'reply packet'
| emitting 19 raw bytes of Opportunistic IPsec into IKEv2 Vendor ID Payload
| Opportunistic IPsec 4f 70 70 6f 72 74 75 6e 69 73 74 69 63 20 49 50
| Opportunistic IPsec 73 65 63
| emitting length of IKEv2 Vendor ID Payload: 23
| emitting length of ISAKMP Message: 851
| stop processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ikev2_parent_outI1_common() at ikev2_parent.c:817)
| start processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in complete_v2_state_transition() at ikev2.c:3379)
| #2 complete_v2_state_transition() PARENT_I0->PARENT_I1 with status STF_OK
| IKEv2: transition from state STATE_PARENT_I0 to state STATE_PARENT_I1
| parent state #2: PARENT_I0(ignore) => PARENT_I1(half-open IKE SA)
| Message ID: updating counters for #2 to 4294967295 after switching state
| Message ID: IKE #2 skipping update_recv as MD is fake
| Message ID: sent #2 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1->0 wip.responder=-1
| STATE_PARENT_I1: sent v2I1, expected v2R1
| sending V2 reply packet to 192.1.3.209:500 (from 192.1.2.23:500)
| sending 851 bytes for STATE_PARENT_I0 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #2)
| 7b 6a 2a dd 5c 7a c7 69 00 00 00 00 00 00 00 00
| 21 20 22 08 00 00 00 00 00 00 03 53 22 00 01 b4
| 02 00 00 64 01 01 00 0b 03 00 00 0c 01 00 00 14
| 80 0e 01 00 03 00 00 08 02 00 00 07 03 00 00 08
| 02 00 00 05 03 00 00 08 04 00 00 0e 03 00 00 08
| 04 00 00 0f 03 00 00 08 04 00 00 10 03 00 00 08
| 04 00 00 12 03 00 00 08 04 00 00 13 03 00 00 08
| 04 00 00 14 03 00 00 08 04 00 00 15 00 00 00 08
| 04 00 00 1f 02 00 00 64 02 01 00 0b 03 00 00 0c
| 01 00 00 14 80 0e 00 80 03 00 00 08 02 00 00 07
| 03 00 00 08 02 00 00 05 03 00 00 08 04 00 00 0e
| 03 00 00 08 04 00 00 0f 03 00 00 08 04 00 00 10
| 03 00 00 08 04 00 00 12 03 00 00 08 04 00 00 13
| 03 00 00 08 04 00 00 14 03 00 00 08 04 00 00 15
| 00 00 00 08 04 00 00 1f 02 00 00 74 03 01 00 0d
| 03 00 00 0c 01 00 00 0c 80 0e 01 00 03 00 00 08
| 02 00 00 07 03 00 00 08 02 00 00 05 03 00 00 08
| 03 00 00 0e 03 00 00 08 03 00 00 0c 03 00 00 08
| 04 00 00 0e 03 00 00 08 04 00 00 0f 03 00 00 08
| 04 00 00 10 03 00 00 08 04 00 00 12 03 00 00 08
| 04 00 00 13 03 00 00 08 04 00 00 14 03 00 00 08
| 04 00 00 15 00 00 00 08 04 00 00 1f 00 00 00 74
| 04 01 00 0d 03 00 00 0c 01 00 00 0c 80 0e 00 80
| 03 00 00 08 02 00 00 07 03 00 00 08 02 00 00 05
| 03 00 00 08 03 00 00 0e 03 00 00 08 03 00 00 0c
| 03 00 00 08 04 00 00 0e 03 00 00 08 04 00 00 0f
| 03 00 00 08 04 00 00 10 03 00 00 08 04 00 00 12
| 03 00 00 08 04 00 00 13 03 00 00 08 04 00 00 14
| 03 00 00 08 04 00 00 15 00 00 00 08 04 00 00 1f
| 28 00 01 08 00 0e 00 00 eb 1e 10 d3 ea 20 4d c3
| 02 15 82 50 12 8c 49 7c 69 f5 73 cf e3 30 9b 18
| 36 ca 56 70 91 94 62 02 e3 b9 14 16 23 0a 87 ed
| c7 fb b6 66 bb ec 74 bc 8b ec ea 58 27 64 cd ac
| 7d 2d 6f 9f 13 2d 24 97 a0 86 00 0d a5 98 78 4c
| 7f 3b 02 46 bb 19 3b 4f 25 46 9f 7a 2b ad 7e 91
| 58 b9 44 a4 85 a2 6f 42 cd f8 56 f2 7d 26 1a 8f
| cd c2 bd 83 8c 96 59 26 15 23 84 cb b7 71 87 0a
| 31 60 53 48 64 90 bf 00 c7 bf a8 7b b5 cb 68 65
| 9a e6 9d 09 10 d8 4d 7f 70 14 1d 5c f5 38 19 34
| 55 18 7a 5f 76 a9 a8 0a 16 3b 86 2b 90 53 19 8a
| fa b5 aa ed f6 e1 47 6f 04 b0 08 b9 a9 17 59 6b
| 28 3d 93 32 a0 5a 99 fd 2f bd d0 d5 4c d6 2d e8
| 77 e8 61 02 61 7e a2 6b 52 33 0e 4d 19 c9 4b 8a
| 0e 0a 7a 29 88 41 e3 59 95 8b f6 2f 21 0a 8b 4e
| 24 a0 9f 0e 1b 68 c5 3b 79 c7 cb 4b e9 34 72 fa
| d0 53 13 f5 27 8f fe a8 29 00 00 24 0e ee 5e fb
| 18 2e 44 cc a5 f8 16 85 08 88 83 57 c3 ca c4 37
| 37 31 51 47 ce e6 66 ae 5c 5e c7 7a 29 00 00 08
| 00 00 40 2e 29 00 00 1c 00 00 40 04 ac ee 88 87
| 3e c6 65 1c e6 a7 e1 02 a7 b1 95 f2 39 e4 45 a2
| 2b 00 00 1c 00 00 40 05 5f a7 95 a7 73 e6 21 8f
| 2e 56 f5 e1 db f0 5a 81 46 71 d4 8a 00 00 00 17
| 4f 70 70 6f 72 74 75 6e 69 73 74 69 63 20 49 50
| 73 65 63
| state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted
| libevent_free: release ptr-libevent@0x56287517bb58
| free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7fd558001f18
| success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=15000ms
"private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #2: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds
| event_schedule: new EVENT_RETRANSMIT-pe@0x7fd558001f18
| inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #2
| libevent_malloc: new ptr-libevent@0x562875172718 size 128
| #2 STATE_PARENT_I1: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29642.146101
| resume sending helper answer for #2 suppresed complete_v2_state_transition() and stole MD
| #2 spent 1.25 milliseconds in resume sending helper answer
| stop processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in resume_handler() at server.c:833)
| libevent_free: release ptr-libevent@0x7fd55c002888
| spent 0.00196 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 460 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
| 7b 6a 2a dd 5c 7a c7 69 09 8a aa 72 c2 0f 6a aa
| 21 20 22 20 00 00 00 00 00 00 01 cc 22 00 00 28
| 00 00 00 24 01 01 00 03 03 00 00 0c 01 00 00 14
| 80 0e 01 00 03 00 00 08 02 00 00 07 00 00 00 08
| 04 00 00 0e 28 00 01 08 00 0e 00 00 90 2b e0 aa
| 81 e4 e1 bb bd e7 37 a1 3f bd 53 08 58 6f 40 c5
| 95 ee cd 47 97 8d 98 1c 8f 98 20 cf 89 50 06 e3
| a6 f5 08 2f 08 cf 51 78 4e 74 33 f4 25 12 35 9e
| 10 c4 9b d4 a3 d8 25 f8 a7 d9 a4 8a 8f dc b0 ee
| 7b 01 ec 3d 5d 53 d9 64 f3 9c eb 80 3f 53 cd ec
| 66 7c 7a b6 d3 01 6e 98 a9 28 fb a1 b6 b0 c9 5a
| 77 47 7d c4 31 54 d8 2e bd 41 d9 6d 69 b2 e2 be
| a1 4b 1a e5 e9 59 87 29 08 17 6f 5a 0c 53 be 51
| 65 75 0d 4d e8 cd 29 ba 64 ae b4 ee c1 49 16 64
| 11 db fd fd 33 fc 76 0d 23 80 b3 26 c8 86 31 46
| 62 56 09 71 80 71 c1 bf b9 d0 25 b0 4f a1 c5 0e
| e9 68 76 4e 42 04 b1 54 64 e4 7a 94 67 ee d4 5d
| 72 e0 ce f6 85 43 5e fa 0c 62 ed 03 15 e0 57 e6
| 7f 6c a3 1b a4 41 f9 8a 73 9f 4b c8 bf 07 31 1c
| 10 d4 2f f5 f1 cf c5 c0 13 85 74 35 ad 93 2a ba
| 1b 90 e1 eb 4a 47 e3 9a 10 56 44 82 29 00 00 24
| e3 9f a3 0c bd 28 70 94 b3 21 4e 6b 5b 6f be 5c
| 15 55 1e 31 b8 42 74 ec 7f cb 90 3d 1e dd 70 dd
| 29 00 00 08 00 00 40 2e 29 00 00 1c 00 00 40 04
| 2c c8 62 a9 0e e7 b8 59 45 3c 1d 09 56 90 2c 19
| eb a7 82 48 26 00 00 1c 00 00 40 05 a4 02 ab 2f
| 84 be 38 bc aa b4 de 69 5c 05 d5 e3 6f 7b 7d 25
| 2b 00 00 05 04 00 00 00 17 4f 70 70 6f 72 74 75
| 6e 69 73 74 69 63 20 49 50 73 65 63
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
| initiator cookie:
| 7b 6a 2a dd 5c 7a c7 69
| responder cookie:
| 09 8a aa 72 c2 0f 6a aa
| next payload type: ISAKMP_NEXT_v2SA (0x21)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_SA_INIT (0x22)
| flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
| Message ID: 0 (0x0)
| length: 460 (0x1cc)
| processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34)
| I am the IKE SA Original Initiator receiving an IKEv2 IKE_SA_INIT response
| State DB: found IKEv2 state #2 in PARENT_I1 (find_v2_ike_sa_by_initiator_spi)
| start processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ikev2_process_packet() at ikev2.c:2016)
| [RE]START processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ike_process_packet() at ikev2.c:2062)
| #2 is idle
| #2 idle
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SA)
| ***parse IKEv2 Security Association Payload:
| next payload type: ISAKMP_NEXT_v2KE (0x22)
| flags: none (0x0)
| length: 40 (0x28)
| processing payload: ISAKMP_NEXT_v2SA (len=36)
| Now let's proceed with payload (ISAKMP_NEXT_v2KE)
| ***parse IKEv2 Key Exchange Payload:
| next payload type: ISAKMP_NEXT_v2Ni (0x28)
| flags: none (0x0)
| length: 264 (0x108)
| DH group: OAKLEY_GROUP_MODP2048 (0xe)
| processing payload: ISAKMP_NEXT_v2KE (len=256)
| Now let's proceed with payload (ISAKMP_NEXT_v2Ni)
| ***parse IKEv2 Nonce Payload:
| next payload type: ISAKMP_NEXT_v2N (0x29)
| flags: none (0x0)
| length: 36 (0x24)
| processing payload: ISAKMP_NEXT_v2Ni (len=32)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2N (0x29)
| flags: none (0x0)
| length: 8 (0x8)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e)
| processing payload: ISAKMP_NEXT_v2N (len=0)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2N (0x29)
| flags: none (0x0)
| length: 28 (0x1c)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004)
| processing payload: ISAKMP_NEXT_v2N (len=20)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2CERTREQ (0x26)
| flags: none (0x0)
| length: 28 (0x1c)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
| processing payload: ISAKMP_NEXT_v2N (len=20)
| Now let's proceed with payload (ISAKMP_NEXT_v2CERTREQ)
| ***parse IKEv2 Certificate Request Payload:
| next payload type: ISAKMP_NEXT_v2V (0x2b)
| flags: none (0x0)
| length: 5 (0x5)
| ikev2 cert encoding: CERT_X509_SIGNATURE (0x4)
| processing payload: ISAKMP_NEXT_v2CERTREQ (len=0)
| Now let's proceed with payload (ISAKMP_NEXT_v2V)
| ***parse IKEv2 Vendor ID Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| length: 23 (0x17)
| processing payload: ISAKMP_NEXT_v2V (len=19)
| State DB: re-hashing IKEv2 state #2 IKE SPIi and SPI[ir]
| #2 in state PARENT_I1: sent v2I1, expected v2R1
| selected state microcode Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH
| Now let's proceed with state specific processing
| calling processor Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH
| ikev2 parent inR1: calculating g^{xy} in order to send I2
| using existing local IKE proposals for connection private-or-clear#192.1.3.0/24 (IKE SA initiator accepting remote proposal): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| Comparing remote proposals against IKE initiator (accepting) 4 local proposals
| local proposal 1 type ENCR has 1 transforms
| local proposal 1 type PRF has 2 transforms
| local proposal 1 type INTEG has 1 transforms
| local proposal 1 type DH has 8 transforms
| local proposal 1 type ESN has 0 transforms
| local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG
| local proposal 2 type ENCR has 1 transforms
| local proposal 2 type PRF has 2 transforms
| local proposal 2 type INTEG has 1 transforms
| local proposal 2 type DH has 8 transforms
| local proposal 2 type ESN has 0 transforms
| local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG
| local proposal 3 type ENCR has 1 transforms
| local proposal 3 type PRF has 2 transforms
| local proposal 3 type INTEG has 2 transforms
| local proposal 3 type DH has 8 transforms
| local proposal 3 type ESN has 0 transforms
| local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none
| local proposal 4 type ENCR has 1 transforms
| local proposal 4 type PRF has 2 transforms
| local proposal 4 type INTEG has 2 transforms
| local proposal 4 type DH has 8 transforms
| local proposal 4 type ESN has 0 transforms
| local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none
| ****parse IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_LAST (0x0)
| length: 36 (0x24)
| prop #: 1 (0x1)
| proto ID: IKEv2_SEC_PROTO_IKE (0x1)
| spi size: 0 (0x0)
| # transforms: 3 (0x3)
| Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 12 (0xc)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_GCM_C (0x14)
| ******parse IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 256 (0x100)
| remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| remote proposal 1 transform 2 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0
| remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none
| comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH
| remote proposal 1 matches local proposal 1
| remote accepted the proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048[first-match]
| converting proposal to internal trans attrs
| natd_hash: hasher=0x5628736ab800(20)
| natd_hash: icookie= 7b 6a 2a dd 5c 7a c7 69
| natd_hash: rcookie= 09 8a aa 72 c2 0f 6a aa
| natd_hash: ip= c0 01 02 17
| natd_hash: port=500
| natd_hash: hash= a4 02 ab 2f 84 be 38 bc aa b4 de 69 5c 05 d5 e3
| natd_hash: hash= 6f 7b 7d 25
| natd_hash: hasher=0x5628736ab800(20)
| natd_hash: icookie= 7b 6a 2a dd 5c 7a c7 69
| natd_hash: rcookie= 09 8a aa 72 c2 0f 6a aa
| natd_hash: ip= c0 01 03 d1
| natd_hash: port=500
| natd_hash: hash= 2c c8 62 a9 0e e7 b8 59 45 3c 1d 09 56 90 2c 19
| natd_hash: hash= eb a7 82 48
| NAT_TRAVERSAL encaps using auto-detect
| NAT_TRAVERSAL this end is NOT behind NAT
| NAT_TRAVERSAL that end is NOT behind NAT
| NAT_TRAVERSAL nat-keepalive enabled 192.1.3.209
| offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16
| adding ikev2_inR1outI2 KE work-order 4 for state #2
| state #2 requesting EVENT_RETRANSMIT to be deleted
| #2 STATE_PARENT_I1: retransmits: cleared
| libevent_free: release ptr-libevent@0x562875172718
| free_event_entry: release EVENT_RETRANSMIT-pe@0x7fd558001f18
| event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7fd558001f18
| inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2
| libevent_malloc: new ptr-libevent@0x7fd55c002888 size 128
| #2 spent 0.205 milliseconds in processing: Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH in ikev2_process_state_packet()
| [RE]START processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in complete_v2_state_transition() at ikev2.c:3379)
| #2 complete_v2_state_transition() PARENT_I1->PARENT_I2 with status STF_SUSPEND
| suspending state #2 and saving MD
| crypto helper 3 resuming
| #2 is busy; has a suspended MD
| crypto helper 3 starting work-order 4 for state #2
| [RE]START processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in log_stf_suspend() at ikev2.c:3269)
| "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #2 complete v2 state STATE_PARENT_I1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451
| crypto helper 3 doing compute dh (V2) (ikev2_inR1outI2 KE); request ID 4
| stop processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ikev2_process_packet() at ikev2.c:2018)
| #2 spent 0.468 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.479 milliseconds in comm_handle_cb() reading and processing packet
| calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4
| crypto helper 3 finished compute dh (V2) (ikev2_inR1outI2 KE); request ID 4 time elapsed 0.001337 seconds
| (#2) spent 1.33 milliseconds in crypto helper computing work-order 4: ikev2_inR1outI2 KE (pcr)
| crypto helper 3 sending results from work-order 4 for state #2 to event queue
| scheduling resume sending helper answer for #2
| libevent_malloc: new ptr-libevent@0x7fd550000f48 size 128
| crypto helper 3 waiting (nothing to do)
| processing resume sending helper answer for #2
| start processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in resume_handler() at server.c:797)
| crypto helper 3 replies to request ID 4
| calling continuation function 0x5628735d6b50
| ikev2_parent_inR1outI2_continue for #2: calculating g^{xy}, sending I2
| creating state object #3 at 0x562875176218
| State DB: adding IKEv2 state #3 in UNDEFINED
| pstats #3 ikev2.child started
| duplicating state object #2 "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 as #3 for IPSEC SA
| #3 setting local endpoint to 192.1.2.23:500 from #2.st_localport (in duplicate_state() at state.c:1484)
| Message ID: init_child #2.#3; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1; child: wip.initiator=0->-1 wip.responder=0->-1
| Message ID: switch-from #2 response 0; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=0->-1 wip.responder=-1
| Message ID: switch-to #2.#3 response 0; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1; child: wip.initiator=-1->0 wip.responder=-1
| state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted
| libevent_free: release ptr-libevent@0x7fd55c002888
| free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7fd558001f18
| event_schedule: new EVENT_SA_REPLACE-pe@0x7fd558001f18
| inserting event EVENT_SA_REPLACE, timeout in 60 seconds for #2
| libevent_malloc: new ptr-libevent@0x7fd55c002888 size 128
| parent state #2: PARENT_I1(half-open IKE SA) => PARENT_I2(open IKE SA)
| **emit ISAKMP Message:
| initiator cookie:
| 7b 6a 2a dd 5c 7a c7 69
| responder cookie:
| 09 8a aa 72 c2 0f 6a aa
| next payload type: ISAKMP_NEXT_NONE (0x0)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encryption Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK)
| next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet'
| emitting 8 zero bytes of IV into IKEv2 Encryption Payload
| IKEv2 CERT: send a certificate?
| IKEv2 CERT: OK to send a certificate (always)
| IDr payload will NOT be sent
| ****emit IKEv2 Identification - Initiator - Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| ID type: ID_IPV4_ADDR (0x1)
| next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Initiator - Payload (35:ISAKMP_NEXT_v2IDi)
| next payload chain: saving location 'IKEv2 Identification - Initiator - Payload'.'next payload type' in 'reply packet'
| emitting 4 raw bytes of my identity into IKEv2 Identification - Initiator - Payload
| my identity c0 01 02 17
| emitting length of IKEv2 Identification - Initiator - Payload: 12
| Sending [CERT] of certificate: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
| ****emit IKEv2 Certificate Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| ikev2 cert encoding: CERT_X509_SIGNATURE (0x4)
| next payload chain: setting previous 'IKEv2 Identification - Initiator - Payload'.'next payload type' to current IKEv2 Certificate Payload (37:ISAKMP_NEXT_v2CERT)
| next payload chain: saving location 'IKEv2 Certificate Payload'.'next payload type' in 'reply packet'
| emitting 1260 raw bytes of CERT into IKEv2 Certificate Payload
| CERT 30 82 04 e8 30 82 04 51 a0 03 02 01 02 02 01 03
| CERT 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30
| CERT 81 ac 31 0b 30 09 06 03 55 04 06 13 02 43 41 31
| CERT 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 69
| CERT 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 6f
| CERT 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c 69
| CERT 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 0b
| CERT 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 6e
| CERT 74 31 25 30 23 06 03 55 04 03 0c 1c 4c 69 62 72
| CERT 65 73 77 61 6e 20 74 65 73 74 20 43 41 20 66 6f
| CERT 72 20 6d 61 69 6e 63 61 31 24 30 22 06 09 2a 86
| CERT 48 86 f7 0d 01 09 01 16 15 74 65 73 74 69 6e 67
| CERT 40 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 30 22
| CERT 18 0f 32 30 31 39 30 38 32 34 30 39 30 37 35 33
| CERT 5a 18 0f 32 30 32 32 30 38 32 33 30 39 30 37 35
| CERT 33 5a 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02
| CERT 43 41 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74
| CERT 61 72 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54
| CERT 6f 72 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c
| CERT 09 4c 69 62 72 65 73 77 61 6e 31 18 30 16 06 03
| CERT 55 04 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74
| CERT 6d 65 6e 74 31 23 30 21 06 03 55 04 03 0c 1a 65
| CERT 61 73 74 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72
| CERT 65 73 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a
| CERT 86 48 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 65
| CERT 61 73 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72
| CERT 65 73 77 61 6e 2e 6f 72 67 30 82 01 a2 30 0d 06
| CERT 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 8f
| CERT 00 30 82 01 8a 02 82 01 81 00 b1 1e 7c b3 bf 11
| CERT 96 94 23 ca 97 5e c7 66 36 55 71 49 95 8d 0c 2a
| CERT 5c 30 4d 58 29 a3 7b 4d 3b 3f 03 06 46 a6 04 63
| CERT 71 0d e1 59 4f 9c ec 3a 17 24 8d 91 6a a8 e2 da
| CERT 57 41 de f4 ff 65 bf f6 11 34 d3 7d 5a 7f 6e 3a
| CERT 3b 74 3c 51 2b e4 bf ce 6b b2 14 47 26 52 f5 57
| CERT 28 bc c5 fb f9 bc 2d 4e b9 f8 46 54 c7 95 41 a7
| CERT a4 b4 d3 b3 fe 55 4b df f5 c3 78 39 8b 4e 04 57
| CERT c0 1d 5b 17 3c 28 eb 40 9d 1d 7c b3 bb 0f f0 63
| CERT c7 c0 84 b0 4e e4 a9 7c c5 4b 08 43 a6 2d 00 22
| CERT fd 98 d4 03 d0 ad 97 85 d1 48 15 d3 e4 e5 2d 46
| CERT 7c ab 41 97 05 27 61 77 3d b6 b1 58 a0 5f e0 8d
| CERT 26 84 9b 03 20 ce 5e 27 7f 7d 14 03 b6 9d 6b 9f
| CERT fd 0c d4 c7 2d eb be ea 62 87 fa 99 e0 a6 1c 85
| CERT 4f 34 da 93 2e 5f db 03 10 58 a8 c4 99 17 2d b1
| CERT bc e5 7b bd af 0e 28 aa a5 74 ea 69 74 5e fa 2c
| CERT c3 00 3c 2f 58 d0 20 cf e3 46 8d de aa f9 f7 30
| CERT 5c 16 05 04 89 4c 92 9b 8a 33 11 70 83 17 58 24
| CERT 2a 4b ab be b6 ec 84 9c 78 9c 11 04 2a 02 ce 27
| CERT 83 a1 1f 2b 38 3f 27 7d 46 94 63 ff 64 59 4e 6c
| CERT 87 ca 3e e6 31 df 1e 7d 48 88 02 c7 9d fa 4a d7
| CERT f2 5b a5 fd 7f 1b c6 dc 1a bb a6 c4 f8 32 cd bf
| CERT a7 0b 71 8b 2b 31 41 17 25 a4 18 52 7d 32 fc 0f
| CERT 5f b8 bb ca e1 94 1a 42 4d 1f 37 16 67 84 ae b4
| CERT 32 42 9c 5a 91 71 62 b4 4b 07 02 03 01 00 01 a3
| CERT 82 01 06 30 82 01 02 30 09 06 03 55 1d 13 04 02
| CERT 30 00 30 47 06 03 55 1d 11 04 40 30 3e 82 1a 65
| CERT 61 73 74 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72
| CERT 65 73 77 61 6e 2e 6f 72 67 81 1a 65 61 73 74 40
| CERT 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 77 61
| CERT 6e 2e 6f 72 67 87 04 c0 01 02 17 30 0b 06 03 55
| CERT 1d 0f 04 04 03 02 07 80 30 1d 06 03 55 1d 25 04
| CERT 16 30 14 06 08 2b 06 01 05 05 07 03 01 06 08 2b
| CERT 06 01 05 05 07 03 02 30 41 06 08 2b 06 01 05 05
| CERT 07 01 01 04 35 30 33 30 31 06 08 2b 06 01 05 05
| CERT 07 30 01 86 25 68 74 74 70 3a 2f 2f 6e 69 63 2e
| CERT 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 77 61
| CERT 6e 2e 6f 72 67 3a 32 35 36 30 30 3d 06 03 55 1d
| CERT 1f 04 36 30 34 30 32 a0 30 a0 2e 86 2c 68 74 74
| CERT 70 3a 2f 2f 6e 69 63 2e 74 65 73 74 69 6e 67 2e
| CERT 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 2f 72 65
| CERT 76 6f 6b 65 64 2e 63 72 6c 30 0d 06 09 2a 86 48
| CERT 86 f7 0d 01 01 0b 05 00 03 81 81 00 3a 56 a3 7d
| CERT b1 4e 62 2f 82 0d e3 fe 74 40 ef cb eb 93 ea ad
| CERT e4 74 8b 80 6f ae 8b 65 87 12 a6 24 0d 21 9c 5f
| CERT 70 5c 6f d9 66 8d 98 8b ea 59 f8 96 52 6a 6c 86
| CERT d6 7d ba 37 a9 8c 33 8c 77 18 23 0b 1b 2a 66 47
| CERT e7 95 94 e6 75 84 30 d4 db b8 23 eb 89 82 a9 fd
| CERT ed 46 8b ce 46 7f f9 19 8f 49 da 29 2e 1e 97 cd
| CERT 12 42 86 c7 57 fc 4f 0a 19 26 8a a1 0d 26 81 4d
| CERT 53 f4 5c 92 a1 03 03 8d 6c 51 33 cc
| emitting length of IKEv2 Certificate Payload: 1265
| IKEv2 CERTREQ: send a cert request?
| IKEv2 CERTREQ: no CA DN known to send
| not sending INITIAL_CONTACT
| ****emit IKEv2 Authentication Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| auth method: IKEv2_AUTH_RSA (0x1)
| next payload chain: setting previous 'IKEv2 Certificate Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH)
| next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet'
| started looking for secret for 192.1.2.23->192.1.3.209 of kind PKK_RSA
| searching for certificate PKK_RSA:AwEAAbEef vs PKK_RSA:AwEAAbEef
| #2 spent 9.77 milliseconds in ikev2_calculate_rsa_hash() calling sign_hash_RSA()
| emitting 384 raw bytes of rsa signature into IKEv2 Authentication Payload
| rsa signature 44 0b 80 72 6d 24 55 e5 08 6e d0 98 dc d6 1d 62
| rsa signature 5b cd e7 b2 9e 12 ad b0 b4 a9 94 31 38 84 90 99
| rsa signature 3f 86 44 a8 07 81 80 d2 e6 7f 7b 82 80 ac ec d8
| rsa signature d7 02 1b bd 51 80 7a 8a 2e 83 81 fe 53 d9 43 46
| rsa signature 88 88 ba 81 9e 31 34 7c 54 12 40 01 0e b7 a9 17
| rsa signature 42 e1 9b 05 28 f5 e4 7e a3 78 b5 0d 28 cd ee 1f
| rsa signature 28 4a 87 92 13 c1 da 71 35 ec 08 82 56 1b 72 c8
| rsa signature 42 0c 76 e9 1b b3 44 dc 37 89 0d 38 3f fa 6c 6a
| rsa signature 8b 12 eb 51 3b 32 af b8 89 d2 34 71 f9 97 04 ed
| rsa signature 8d 52 17 cf fc e9 a0 80 2f 87 dc c9 86 4c 0a 14
| rsa signature 59 d6 42 48 47 82 30 6e 2f 60 c3 15 69 d2 cf 69
| rsa signature 69 5a ee 54 e0 9d 2b 20 6d 6b 61 b5 bd ea 49 d4
| rsa signature ea 00 8a 9f 83 e6 e2 72 0f 57 94 96 33 f9 5f 37
| rsa signature c7 3d a9 e6 de db 45 b0 04 bf 42 3c a1 fa 06 38
| rsa signature 26 47 ff f9 cd 86 c5 15 89 8b fb da 07 ce 09 27
| rsa signature 75 7e 91 46 86 a8 04 08 1c ec 07 51 13 d4 6f 58
| rsa signature c9 05 72 d8 7f 7a 64 68 46 da 55 61 dc c0 99 62
| rsa signature bf 14 01 ba 5c 50 7f 50 85 66 e1 58 80 65 c7 9f
| rsa signature 0f 91 36 bf 8f 38 f2 11 a7 aa 18 5f 31 f9 3c 72
| rsa signature 2f fa 31 30 06 91 10 46 df bf c2 a1 21 b9 08 07
| rsa signature ee ef b3 12 5f 12 cb 9c ae d8 6b ff 4a 7d 09 da
| rsa signature 51 0d 12 56 5d 45 ad 38 e9 92 b1 8a af 78 87 71
| rsa signature 75 3e 42 c7 87 51 03 cd 7c b4 98 d2 44 fb a8 e5
| rsa signature 45 c8 02 0d 2a fe 80 be aa 1f d8 c8 36 7d d6 05
| #2 spent 9.94 milliseconds in ikev2_calculate_rsa_hash()
| ikev2_calculate_psk_sighash() called from STATE_PARENT_I2 to create PSK with authby=null
| emitting length of IKEv2 Authentication Payload: 392
| getting first pending from state #2
| netlink_get_spi: allocated 0x3dd28668 for esp.0@192.1.2.23
| constructing ESP/AH proposals with all DH removed for private-or-clear#192.1.3.0/24 (IKE SA initiator emitting ESP/AH proposals)
| converting proposal AES_GCM_16_256-NONE to ikev2 ...
| ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED
| converting proposal AES_GCM_16_128-NONE to ikev2 ...
| ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED
| converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ...
| ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
| converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ...
| ... ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
"private-or-clear#192.1.3.0/24"[2] ...192.1.3.209: constructed local ESP/AH proposals for private-or-clear#192.1.3.0/24 (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
| Emitting ikev2_proposals ...
| ****emit IKEv2 Security Association Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA)
| next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet'
| discarding INTEG=NONE
| discarding DH=NONE
| *****emit IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_NON_LAST (0x2)
| prop #: 1 (0x1)
| proto ID: IKEv2_SEC_PROTO_ESP (0x3)
| spi size: 4 (0x4)
| # transforms: 2 (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload
| our spi 3d d2 86 68
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| *******emit IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| discarding INTEG=NONE
| discarding DH=NONE
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| IKEv2 transform type: TRANS_TYPE_ESN (0x5)
| IKEv2 transform ID: ESN_DISABLED (0x0)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 32
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| discarding INTEG=NONE
| discarding DH=NONE
| *****emit IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_NON_LAST (0x2)
| prop #: 2 (0x2)
| proto ID: IKEv2_SEC_PROTO_ESP (0x3)
| spi size: 4 (0x4)
| # transforms: 2 (0x2)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload
| our spi 3d d2 86 68
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| *******emit IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 128 (0x80)
| emitting length of IKEv2 Transform Substructure Payload: 12
| discarding INTEG=NONE
| discarding DH=NONE
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| IKEv2 transform type: TRANS_TYPE_ESN (0x5)
| IKEv2 transform ID: ESN_DISABLED (0x0)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 32
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| discarding DH=NONE
| *****emit IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_NON_LAST (0x2)
| prop #: 3 (0x3)
| proto ID: IKEv2_SEC_PROTO_ESP (0x3)
| spi size: 4 (0x4)
| # transforms: 4 (0x4)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload
| our spi 3d d2 86 68
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_CBC (0xc)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| *******emit IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| discarding DH=NONE
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| IKEv2 transform type: TRANS_TYPE_ESN (0x5)
| IKEv2 transform ID: ESN_DISABLED (0x0)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 48
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| discarding DH=NONE
| *****emit IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_LAST (0x0)
| prop #: 4 (0x4)
| proto ID: IKEv2_SEC_PROTO_ESP (0x3)
| spi size: 4 (0x4)
| # transforms: 4 (0x4)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload
| our spi 3d d2 86 68
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_CBC (0xc)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| *******emit IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 128 (0x80)
| emitting length of IKEv2 Transform Substructure Payload: 12
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| discarding DH=NONE
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| IKEv2 transform type: TRANS_TYPE_ESN (0x5)
| IKEv2 transform ID: ESN_DISABLED (0x0)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 48
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| emitting length of IKEv2 Security Association Payload: 164
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0
| ****emit IKEv2 Traffic Selector - Initiator - Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| number of TS: 1 (0x1)
| next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi)
| next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet'
| *****emit IKEv2 Traffic Selector:
| TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
| IP Protocol ID: 0 (0x0)
| start port: 0 (0x0)
| end port: 65535 (0xffff)
| emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector
| ipv4 start c0 01 02 17
| emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector
| ipv4 end c0 01 02 17
| emitting length of IKEv2 Traffic Selector: 16
| emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24
| ****emit IKEv2 Traffic Selector - Responder - Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| number of TS: 1 (0x1)
| next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr)
| next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet'
| *****emit IKEv2 Traffic Selector:
| TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
| IP Protocol ID: 0 (0x0)
| start port: 0 (0x0)
| end port: 65535 (0xffff)
| emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector
| ipv4 start c0 01 03 d1
| emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector
| ipv4 end c0 01 03 d1
| emitting length of IKEv2 Traffic Selector: 16
| emitting length of IKEv2 Traffic Selector - Responder - Payload: 24
| Initiator child policy is tunnel mode, NOT sending v2N_USE_TRANSPORT_MODE
| Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED
| Adding a v2N Payload
| ****emit IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_NULL_AUTH (0xa000)
| next payload chain: setting previous 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting 64 raw bytes of Notify data into IKEv2 Notify Payload
| Notify data 25 f9 35 a4 3e 3f 85 55 e2 83 e7 29 b6 7a 43 50
| Notify data 6e 4a c5 b3 8c 40 59 3a 5f 35 74 67 70 36 32 50
| Notify data ae 29 f0 53 d3 62 c3 30 5d e2 cc c6 9e d5 a6 b6
| Notify data 6f 9e 48 d9 61 1e 34 0a 24 a0 1b 07 34 92 a8 ca
| emitting length of IKEv2 Notify Payload: 72
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload
| emitting length of IKEv2 Encryption Payload: 1982
| emitting length of ISAKMP Message: 2010
| **parse ISAKMP Message:
| initiator cookie:
| 7b 6a 2a dd 5c 7a c7 69
| responder cookie:
| 09 8a aa 72 c2 0f 6a aa
| next payload type: ISAKMP_NEXT_v2SK (0x2e)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 1 (0x1)
| length: 2010 (0x7da)
| **parse IKEv2 Encryption Payload:
| next payload type: ISAKMP_NEXT_v2IDi (0x23)
| flags: none (0x0)
| length: 1982 (0x7be)
| **emit ISAKMP Message:
| initiator cookie:
| 7b 6a 2a dd 5c 7a c7 69
| responder cookie:
| 09 8a aa 72 c2 0f 6a aa
| next payload type: ISAKMP_NEXT_NONE (0x0)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encrypted Fragment:
| next payload type: ISAKMP_NEXT_v2IDi (0x23)
| flags: none (0x0)
| fragment number: 1 (0x1)
| total fragments: 5 (0x5)
| next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 35:ISAKMP_NEXT_v2IDi
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF)
| next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet'
| emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment
| emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| cleartext fragment 25 00 00 0c 01 00 00 00 c0 01 02 17 27 00 04 f1
| cleartext fragment 04 30 82 04 e8 30 82 04 51 a0 03 02 01 02 02 01
| cleartext fragment 03 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00
| cleartext fragment 30 81 ac 31 0b 30 09 06 03 55 04 06 13 02 43 41
| cleartext fragment 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72
| cleartext fragment 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72
| cleartext fragment 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c
| cleartext fragment 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04
| cleartext fragment 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65
| cleartext fragment 6e 74 31 25 30 23 06 03 55 04 03 0c 1c 4c 69 62
| cleartext fragment 72 65 73 77 61 6e 20 74 65 73 74 20 43 41 20 66
| cleartext fragment 6f 72 20 6d 61 69 6e 63 61 31 24 30 22 06 09 2a
| cleartext fragment 86 48 86 f7 0d 01 09 01 16 15 74 65 73 74 69 6e
| cleartext fragment 67 40 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 30
| cleartext fragment 22 18 0f 32 30 31 39 30 38 32 34 30 39 30 37 35
| cleartext fragment 33 5a 18 0f 32 30 32 32 30 38 32 33 30 39 30 37
| cleartext fragment 35 33 5a 30 81 b4 31 0b 30 09 06 03 55 04 06 13
| cleartext fragment 02 43 41 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e
| cleartext fragment 74 61 72 69 6f 31 10 30 0e 06 03 55 04 07 0c 07
| cleartext fragment 54 6f 72 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a
| cleartext fragment 0c 09 4c 69 62 72 65 73 77 61 6e 31 18 30 16 06
| cleartext fragment 03 55 04 0b 0c 0f 54 65 73 74 20 44 65 70 61 72
| cleartext fragment 74 6d 65 6e 74 31 23 30 21 06 03 55 04 03 0c 1a
| cleartext fragment 65 61 73 74 2e 74 65 73 74 69 6e 67 2e 6c 69 62
| cleartext fragment 72 65 73 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09
| cleartext fragment 2a 86 48 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d
| cleartext fragment 65 61 73 74 40 74 65 73 74 69 6e 67 2e 6c 69 62
| cleartext fragment 72 65 73 77 61 6e 2e 6f 72 67 30 82 01 a2 30 0d
| cleartext fragment 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01
| cleartext fragment 8f 00 30 82 01 8a 02 82 01 81 00 b1 1e 7c
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment
| emitting length of IKEv2 Encrypted Fragment: 511
| emitting length of ISAKMP Message: 539
| **emit ISAKMP Message:
| initiator cookie:
| 7b 6a 2a dd 5c 7a c7 69
| responder cookie:
| 09 8a aa 72 c2 0f 6a aa
| next payload type: ISAKMP_NEXT_NONE (0x0)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encrypted Fragment:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| fragment number: 2 (0x2)
| total fragments: 5 (0x5)
| next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF)
| next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet'
| emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment
| emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| cleartext fragment b3 bf 11 96 94 23 ca 97 5e c7 66 36 55 71 49 95
| cleartext fragment 8d 0c 2a 5c 30 4d 58 29 a3 7b 4d 3b 3f 03 06 46
| cleartext fragment a6 04 63 71 0d e1 59 4f 9c ec 3a 17 24 8d 91 6a
| cleartext fragment a8 e2 da 57 41 de f4 ff 65 bf f6 11 34 d3 7d 5a
| cleartext fragment 7f 6e 3a 3b 74 3c 51 2b e4 bf ce 6b b2 14 47 26
| cleartext fragment 52 f5 57 28 bc c5 fb f9 bc 2d 4e b9 f8 46 54 c7
| cleartext fragment 95 41 a7 a4 b4 d3 b3 fe 55 4b df f5 c3 78 39 8b
| cleartext fragment 4e 04 57 c0 1d 5b 17 3c 28 eb 40 9d 1d 7c b3 bb
| cleartext fragment 0f f0 63 c7 c0 84 b0 4e e4 a9 7c c5 4b 08 43 a6
| cleartext fragment 2d 00 22 fd 98 d4 03 d0 ad 97 85 d1 48 15 d3 e4
| cleartext fragment e5 2d 46 7c ab 41 97 05 27 61 77 3d b6 b1 58 a0
| cleartext fragment 5f e0 8d 26 84 9b 03 20 ce 5e 27 7f 7d 14 03 b6
| cleartext fragment 9d 6b 9f fd 0c d4 c7 2d eb be ea 62 87 fa 99 e0
| cleartext fragment a6 1c 85 4f 34 da 93 2e 5f db 03 10 58 a8 c4 99
| cleartext fragment 17 2d b1 bc e5 7b bd af 0e 28 aa a5 74 ea 69 74
| cleartext fragment 5e fa 2c c3 00 3c 2f 58 d0 20 cf e3 46 8d de aa
| cleartext fragment f9 f7 30 5c 16 05 04 89 4c 92 9b 8a 33 11 70 83
| cleartext fragment 17 58 24 2a 4b ab be b6 ec 84 9c 78 9c 11 04 2a
| cleartext fragment 02 ce 27 83 a1 1f 2b 38 3f 27 7d 46 94 63 ff 64
| cleartext fragment 59 4e 6c 87 ca 3e e6 31 df 1e 7d 48 88 02 c7 9d
| cleartext fragment fa 4a d7 f2 5b a5 fd 7f 1b c6 dc 1a bb a6 c4 f8
| cleartext fragment 32 cd bf a7 0b 71 8b 2b 31 41 17 25 a4 18 52 7d
| cleartext fragment 32 fc 0f 5f b8 bb ca e1 94 1a 42 4d 1f 37 16 67
| cleartext fragment 84 ae b4 32 42 9c 5a 91 71 62 b4 4b 07 02 03 01
| cleartext fragment 00 01 a3 82 01 06 30 82 01 02 30 09 06 03 55 1d
| cleartext fragment 13 04 02 30 00 30 47 06 03 55 1d 11 04 40 30 3e
| cleartext fragment 82 1a 65 61 73 74 2e 74 65 73 74 69 6e 67 2e 6c
| cleartext fragment 69 62 72 65 73 77 61 6e 2e 6f 72 67 81 1a 65 61
| cleartext fragment 73 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65
| cleartext fragment 73 77 61 6e 2e 6f 72 67 87 04 c0 01 02 17
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment
| emitting length of IKEv2 Encrypted Fragment: 511
| emitting length of ISAKMP Message: 539
| **emit ISAKMP Message:
| initiator cookie:
| 7b 6a 2a dd 5c 7a c7 69
| responder cookie:
| 09 8a aa 72 c2 0f 6a aa
| next payload type: ISAKMP_NEXT_NONE (0x0)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encrypted Fragment:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| fragment number: 3 (0x3)
| total fragments: 5 (0x5)
| next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF)
| next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet'
| emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment
| emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| cleartext fragment 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 30 1d 06
| cleartext fragment 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07
| cleartext fragment 03 01 06 08 2b 06 01 05 05 07 03 02 30 41 06 08
| cleartext fragment 2b 06 01 05 05 07 01 01 04 35 30 33 30 31 06 08
| cleartext fragment 2b 06 01 05 05 07 30 01 86 25 68 74 74 70 3a 2f
| cleartext fragment 2f 6e 69 63 2e 74 65 73 74 69 6e 67 2e 6c 69 62
| cleartext fragment 72 65 73 77 61 6e 2e 6f 72 67 3a 32 35 36 30 30
| cleartext fragment 3d 06 03 55 1d 1f 04 36 30 34 30 32 a0 30 a0 2e
| cleartext fragment 86 2c 68 74 74 70 3a 2f 2f 6e 69 63 2e 74 65 73
| cleartext fragment 74 69 6e 67 2e 6c 69 62 72 65 73 77 61 6e 2e 6f
| cleartext fragment 72 67 2f 72 65 76 6f 6b 65 64 2e 63 72 6c 30 0d
| cleartext fragment 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81
| cleartext fragment 00 3a 56 a3 7d b1 4e 62 2f 82 0d e3 fe 74 40 ef
| cleartext fragment cb eb 93 ea ad e4 74 8b 80 6f ae 8b 65 87 12 a6
| cleartext fragment 24 0d 21 9c 5f 70 5c 6f d9 66 8d 98 8b ea 59 f8
| cleartext fragment 96 52 6a 6c 86 d6 7d ba 37 a9 8c 33 8c 77 18 23
| cleartext fragment 0b 1b 2a 66 47 e7 95 94 e6 75 84 30 d4 db b8 23
| cleartext fragment eb 89 82 a9 fd ed 46 8b ce 46 7f f9 19 8f 49 da
| cleartext fragment 29 2e 1e 97 cd 12 42 86 c7 57 fc 4f 0a 19 26 8a
| cleartext fragment a1 0d 26 81 4d 53 f4 5c 92 a1 03 03 8d 6c 51 33
| cleartext fragment cc 21 00 01 88 01 00 00 00 44 0b 80 72 6d 24 55
| cleartext fragment e5 08 6e d0 98 dc d6 1d 62 5b cd e7 b2 9e 12 ad
| cleartext fragment b0 b4 a9 94 31 38 84 90 99 3f 86 44 a8 07 81 80
| cleartext fragment d2 e6 7f 7b 82 80 ac ec d8 d7 02 1b bd 51 80 7a
| cleartext fragment 8a 2e 83 81 fe 53 d9 43 46 88 88 ba 81 9e 31 34
| cleartext fragment 7c 54 12 40 01 0e b7 a9 17 42 e1 9b 05 28 f5 e4
| cleartext fragment 7e a3 78 b5 0d 28 cd ee 1f 28 4a 87 92 13 c1 da
| cleartext fragment 71 35 ec 08 82 56 1b 72 c8 42 0c 76 e9 1b b3 44
| cleartext fragment dc 37 89 0d 38 3f fa 6c 6a 8b 12 eb 51 3b 32 af
| cleartext fragment b8 89 d2 34 71 f9 97 04 ed 8d 52 17 cf fc
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment
| emitting length of IKEv2 Encrypted Fragment: 511
| emitting length of ISAKMP Message: 539
| **emit ISAKMP Message:
| initiator cookie:
| 7b 6a 2a dd 5c 7a c7 69
| responder cookie:
| 09 8a aa 72 c2 0f 6a aa
| next payload type: ISAKMP_NEXT_NONE (0x0)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encrypted Fragment:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| fragment number: 4 (0x4)
| total fragments: 5 (0x5)
| next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF)
| next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet'
| emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment
| emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| cleartext fragment e9 a0 80 2f 87 dc c9 86 4c 0a 14 59 d6 42 48 47
| cleartext fragment 82 30 6e 2f 60 c3 15 69 d2 cf 69 69 5a ee 54 e0
| cleartext fragment 9d 2b 20 6d 6b 61 b5 bd ea 49 d4 ea 00 8a 9f 83
| cleartext fragment e6 e2 72 0f 57 94 96 33 f9 5f 37 c7 3d a9 e6 de
| cleartext fragment db 45 b0 04 bf 42 3c a1 fa 06 38 26 47 ff f9 cd
| cleartext fragment 86 c5 15 89 8b fb da 07 ce 09 27 75 7e 91 46 86
| cleartext fragment a8 04 08 1c ec 07 51 13 d4 6f 58 c9 05 72 d8 7f
| cleartext fragment 7a 64 68 46 da 55 61 dc c0 99 62 bf 14 01 ba 5c
| cleartext fragment 50 7f 50 85 66 e1 58 80 65 c7 9f 0f 91 36 bf 8f
| cleartext fragment 38 f2 11 a7 aa 18 5f 31 f9 3c 72 2f fa 31 30 06
| cleartext fragment 91 10 46 df bf c2 a1 21 b9 08 07 ee ef b3 12 5f
| cleartext fragment 12 cb 9c ae d8 6b ff 4a 7d 09 da 51 0d 12 56 5d
| cleartext fragment 45 ad 38 e9 92 b1 8a af 78 87 71 75 3e 42 c7 87
| cleartext fragment 51 03 cd 7c b4 98 d2 44 fb a8 e5 45 c8 02 0d 2a
| cleartext fragment fe 80 be aa 1f d8 c8 36 7d d6 05 2c 00 00 a4 02
| cleartext fragment 00 00 20 01 03 04 02 3d d2 86 68 03 00 00 0c 01
| cleartext fragment 00 00 14 80 0e 01 00 00 00 00 08 05 00 00 00 02
| cleartext fragment 00 00 20 02 03 04 02 3d d2 86 68 03 00 00 0c 01
| cleartext fragment 00 00 14 80 0e 00 80 00 00 00 08 05 00 00 00 02
| cleartext fragment 00 00 30 03 03 04 04 3d d2 86 68 03 00 00 0c 01
| cleartext fragment 00 00 0c 80 0e 01 00 03 00 00 08 03 00 00 0e 03
| cleartext fragment 00 00 08 03 00 00 0c 00 00 00 08 05 00 00 00 00
| cleartext fragment 00 00 30 04 03 04 04 3d d2 86 68 03 00 00 0c 01
| cleartext fragment 00 00 0c 80 0e 00 80 03 00 00 08 03 00 00 0e 03
| cleartext fragment 00 00 08 03 00 00 0c 00 00 00 08 05 00 00 00 2d
| cleartext fragment 00 00 18 01 00 00 00 07 00 00 10 00 00 ff ff c0
| cleartext fragment 01 02 17 c0 01 02 17 29 00 00 18 01 00 00 00 07
| cleartext fragment 00 00 10 00 00 ff ff c0 01 03 d1 c0 01 03 d1 00
| cleartext fragment 00 00 48 00 00 a0 00 25 f9 35 a4 3e 3f 85 55 e2
| cleartext fragment 83 e7 29 b6 7a 43 50 6e 4a c5 b3 8c 40 59
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment
| emitting length of IKEv2 Encrypted Fragment: 511
| emitting length of ISAKMP Message: 539
| **emit ISAKMP Message:
| initiator cookie:
| 7b 6a 2a dd 5c 7a c7 69
| responder cookie:
| 09 8a aa 72 c2 0f 6a aa
| next payload type: ISAKMP_NEXT_NONE (0x0)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encrypted Fragment:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| fragment number: 5 (0x5)
| total fragments: 5 (0x5)
| next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF)
| next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet'
| emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment
| emitting 41 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| cleartext fragment 3a 5f 35 74 67 70 36 32 50 ae 29 f0 53 d3 62 c3
| cleartext fragment 30 5d e2 cc c6 9e d5 a6 b6 6f 9e 48 d9 61 1e 34
| cleartext fragment 0a 24 a0 1b 07 34 92 a8 ca
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment
| emitting length of IKEv2 Encrypted Fragment: 74
| emitting length of ISAKMP Message: 102
| suspend processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in complete_v2_state_transition() at ikev2.c:3379)
| start processing: state #3 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in complete_v2_state_transition() at ikev2.c:3379)
| #3 complete_v2_state_transition() md.from_state=PARENT_I1 md.svm.state[from]=PARENT_I1 UNDEFINED->PARENT_I2 with status STF_OK
| IKEv2: transition from state STATE_PARENT_I1 to state STATE_PARENT_I2
| child state #3: UNDEFINED(ignore) => PARENT_I2(open IKE SA)
| Message ID: updating counters for #3 to 0 after switching state
| Message ID: recv #2.#3 response 0; ike: initiator.sent=0 initiator.recv=-1->0 responder.sent=-1 responder.recv=-1; child: wip.initiator=0->-1 wip.responder=-1
| Message ID: sent #2.#3 request 1; ike: initiator.sent=0->1 initiator.recv=0 responder.sent=-1 responder.recv=-1; child: wip.initiator=-1->1 wip.responder=-1
| STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
| sending V2 reply packet to 192.1.3.209:500 (from 192.1.2.23:500)
| sending fragments ...
| sending 539 bytes for STATE_PARENT_I1 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #2)
| 7b 6a 2a dd 5c 7a c7 69 09 8a aa 72 c2 0f 6a aa
| 35 20 23 08 00 00 00 01 00 00 02 1b 23 00 01 ff
| 00 01 00 05 db 73 a6 bf d9 8b 0b a1 26 bb bc 87
| 1e 67 f7 fd 55 9e ad 00 40 f2 89 93 ad d3 94 87
| e6 8c 00 82 78 27 80 31 16 cf a4 e6 10 9f 23 ab
| 4e 7a c1 2c 8f 14 db cc 29 85 b5 ce 41 86 59 24
| 69 79 6d 70 1c 5f 91 65 b1 bd d6 bd 7d a9 da 5c
| 4d 34 73 2c 7a f4 b7 ca fd 6a 9e 23 59 fa de 59
| c1 52 78 47 52 ba 4d e1 17 d0 74 0a 64 de 20 7c
| 80 9f 70 62 2e de 6d 05 39 44 31 42 d8 34 3c 77
| b0 ce 7a 5d df a9 83 48 c4 ce 8d 8a d4 43 13 01
| 13 7b 27 a3 93 fb 0b 4c b9 de 06 6c 9c 03 43 57
| 49 93 fd 46 6d 4b 1a 96 83 5a 2f 93 08 45 c4 ec
| b6 63 a4 d8 14 84 32 03 d7 52 53 92 2e 1b 3a bd
| 2f 38 a4 7d 15 0f 48 7e 39 eb a4 54 65 75 83 bc
| 01 e2 1e fd 28 01 d8 8d 5a 13 d2 e1 ee 1d ad 50
| 53 f8 77 32 87 de e5 44 dc 59 58 f1 f0 1f 40 63
| 2e c9 cb e5 8d 34 e4 e1 1f 08 8d 1a d4 39 19 81
| 5d 14 c9 2c 34 af 1d 2f 76 e7 c9 1b 54 3c 1b 26
| 30 23 41 16 02 22 dc d9 fd a9 60 67 e4 67 ed 77
| a3 ee 5b 40 9d 26 93 b9 66 ce b4 c3 41 a1 36 c3
| 6f 41 fe 6d 5d 2f 77 ff dc 8f 11 b3 0a 45 72 61
| 7a 4a fb 1c 09 32 a6 fa ac 9e 29 2f 32 4a 44 71
| 7a 39 79 97 b1 ea 44 e9 eb f2 46 89 5a 92 6c dc
| 9b ec 7a 7e 92 7b d9 6c f4 98 37 0b 2c 43 cd 95
| e3 46 b7 de 10 05 65 99 f6 ba 66 78 15 cf 61 8b
| fa 1e ab 5e 40 d2 36 19 b4 87 4d e4 82 0f b0 95
| 86 0f ba 73 66 53 12 6e 69 c9 99 a5 98 fc cf db
| 9a e5 7b ab f1 e9 ce 3a 86 86 5a 7d 57 e0 1a 19
| 0e df 58 25 27 6f 1d cc 04 b3 29 27 7e 2d 38 4b
| d0 5f ed c3 75 2b 58 e6 c6 7b 38 1e 7e 89 d4 29
| fd c6 78 ce a4 70 67 f1 9f 6e cb 1e 53 13 0b 53
| 82 f7 5e f4 70 a1 0f 53 12 0f 6a 4d 13 3b a1 b0
| 56 db 87 0e dc 8d 78 de 2d a3 72
| sending 539 bytes for STATE_PARENT_I1 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #2)
| 7b 6a 2a dd 5c 7a c7 69 09 8a aa 72 c2 0f 6a aa
| 35 20 23 08 00 00 00 01 00 00 02 1b 00 00 01 ff
| 00 02 00 05 17 25 c9 47 5e 43 42 f4 a3 65 d4 57
| 8f ea f1 e7 69 60 84 e9 d3 ef 33 56 f6 04 de 1b
| e5 78 ca f3 29 ab 94 b1 87 6a 8b 81 72 58 2b 2c
| 5c a5 82 52 34 46 54 c8 21 7f d4 15 56 a9 59 06
| 3d d0 3b 7f e7 66 8b 4e 43 46 1c 24 27 2d 99 79
| 75 c0 e1 5b 2c 60 fc 0c 00 bd eb 41 96 a3 69 8e
| 0b 00 8f bf d4 7c 70 04 b9 7c fa 13 8e 97 a1 e2
| 81 d1 18 5e 90 bc b2 68 03 f2 b5 2d 40 df 67 0b
| 1c 24 96 d9 09 9f 46 16 69 ad f5 3e 99 50 6d 9b
| bc 32 a0 b1 d2 58 14 a9 f0 25 8b 4c d2 5b 0e 4e
| b5 8a e1 de 35 7e 10 d3 09 b0 7b 49 7b 90 34 cb
| 72 b7 50 7f 7b 2e 73 93 e6 37 4f 05 a6 75 ac 98
| 7a e2 1d 30 37 d0 08 05 c4 99 95 69 35 e1 23 86
| 95 0b 77 e5 62 b2 25 45 12 68 54 40 7e a1 b7 89
| 9f 66 08 a5 da c9 b1 e4 77 a3 1b 62 ff 5c d2 0d
| f6 ea 3d 2b bc 61 c7 2e cb d7 3e f5 66 4c e5 60
| 80 cc 67 09 cc fe e3 9b 7f 43 0a aa 13 74 65 f5
| da 32 75 fb 4e 7c 87 0b 5b b6 5a 1e 1c 56 20 ae
| af 92 ed ae 87 64 e5 db 77 fe 7f 86 4d 4d 03 14
| 2f 21 57 75 6b b9 c9 9a 80 61 8f d3 25 f7 0b bd
| 91 c0 a1 ef d6 3f 3d 1f 21 99 83 17 6b a7 f0 2a
| ce 63 c6 62 65 15 8b e4 5b b3 36 71 59 54 cb ba
| 51 a8 71 f7 a2 53 ae 39 0a 8d 7e 16 27 45 30 72
| 47 83 b3 82 6c 19 40 a7 4b b5 ad ee 88 c9 3b ba
| 98 a3 f3 bf 09 8f b6 ae e8 c7 1f ef 06 24 7e f7
| 17 54 46 55 8f a8 5b 07 1a a1 05 b4 40 61 ae e6
| 5f f6 de 6d 42 00 29 43 06 67 bf c0 d8 29 1b 68
| 5f 37 fd ed 0b 1c e3 57 fc ff 78 43 db 3b fe c1
| d4 e2 fb 02 06 5f 10 56 64 b1 76 b3 b5 02 8c 56
| 50 f0 90 98 d9 32 3d 35 da a4 46 05 42 ba ec 08
| 2e cb 19 36 61 8f 62 ca fe 0d 4e fe 51 2c b5 ef
| 6e 5b fb f9 99 fe b8 f9 43 f9 af
| sending 539 bytes for STATE_PARENT_I1 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #2)
| 7b 6a 2a dd 5c 7a c7 69 09 8a aa 72 c2 0f 6a aa
| 35 20 23 08 00 00 00 01 00 00 02 1b 00 00 01 ff
| 00 03 00 05 5a db c8 d4 04 50 a5 18 6f 94 53 3c
| ca 0f 21 90 bd 30 c0 4d a4 cd 08 82 82 33 1f 98
| 34 53 44 49 3d 42 a3 d0 48 e5 36 a4 70 17 e9 cf
| 6c 12 be 50 3f ce 9f b9 63 cf c9 46 ac 99 f5 00
| 48 eb e3 6e 2f 85 90 d8 4d 0b c6 91 1b 40 8b b0
| 7b 55 84 7c 6c 6b 4c de 04 7f 69 df ea 1d 46 dd
| 16 2b 91 c9 83 33 47 3f 1a 15 36 f5 3f 25 60 e0
| 84 cb 72 58 91 44 5d 2e 89 66 b7 5d ef 13 7a da
| 90 ba ed 2b 21 68 c0 40 5d 1f 74 f4 df 61 7b f4
| 6e c2 73 83 db 32 bf 38 f3 db b3 6f bb ed 45 5b
| 8d b2 57 40 36 76 99 68 31 38 61 0c 85 cf 4e 4b
| 0e a8 d8 8a 51 37 35 b5 14 e3 c9 3a aa 2d f8 56
| 7a c1 bf e7 30 4f 81 69 01 3a 62 9f 89 35 98 43
| c4 34 20 09 d4 b2 da bc b7 92 10 c6 ef cb 04 6a
| 30 56 51 05 11 5f 59 fd a4 67 86 d1 e2 9e d0 f6
| f3 1b bc 60 65 49 ba 27 1a e9 8a 2e 68 c3 81 cd
| 20 64 e2 a1 30 b0 14 f3 23 60 6c 34 72 5d 92 27
| 79 e6 35 db 9e 35 a3 d7 01 73 99 77 46 ab 40 de
| d4 07 8b 6a 39 aa c5 2c 8b 14 e5 e8 e1 76 ec 52
| 5c 09 40 e8 f9 79 b4 15 81 69 6b 62 ca fa 5e 07
| c1 46 4f 3c 9c 13 57 22 7a 37 ff 4d 38 2c 03 56
| a2 4b 36 73 a3 12 0d eb 64 59 e2 f3 34 78 fb b6
| dc 0b 83 2e e4 d9 ee 25 c8 0c 63 cd 82 11 50 ac
| ef 62 24 d2 27 29 9b 17 9e b6 24 9c 0d 3e 89 58
| 2c 70 16 43 d4 32 58 62 1e 22 a2 40 4f 46 a4 9a
| 27 36 ab 72 4f c1 40 a8 dc 52 e4 f2 3f 22 dd cf
| e3 c1 25 50 71 ef 37 82 c8 df a5 65 d4 22 73 b0
| 03 52 cc 42 f6 a6 95 01 03 96 c2 f6 21 e1 74 97
| 1c ff ed 6e 22 5f 65 98 5a 45 0c 5a 90 58 f8 ce
| 2f b5 0d 41 c8 15 48 c8 a2 9d aa d6 0f f6 81 a7
| 42 ad 13 29 28 30 15 d6 fb b8 1a 26 d3 bd 07 7d
| a8 09 f3 81 4b 43 9b 6f ae f2 c4
| sending 539 bytes for STATE_PARENT_I1 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #2)
| 7b 6a 2a dd 5c 7a c7 69 09 8a aa 72 c2 0f 6a aa
| 35 20 23 08 00 00 00 01 00 00 02 1b 00 00 01 ff
| 00 04 00 05 e4 fb 1d 27 fd 82 e5 10 ad 1c 6c a0
| 03 60 18 ea 61 7c 43 42 3b 88 ea 37 08 49 44 a4
| bc 5c 59 e9 13 e4 39 22 03 2d 7a c3 dd 39 97 5a
| 8c 9f f6 ab 55 d7 cd 46 91 cd 7b 59 b3 0a 49 dc
| 0d 8a b4 b5 a2 6d c0 60 a3 45 63 c4 1c 91 aa 07
| 4a 32 33 06 a9 7d 51 a4 ea 59 51 1c e5 5a d5 71
| b9 bc dd 2f 22 22 10 88 35 1d f6 0a 44 2b 2b 71
| 4a 65 b8 07 38 c4 f3 b8 3c a4 9d e5 df e9 53 21
| a8 98 da ee ef bc 9e 85 d1 50 f4 fb 87 b5 63 e7
| b3 42 db 1c ae 4c 9a a7 91 c2 ed c2 29 3c 06 1f
| 22 91 c4 cb 73 f0 51 f8 bd 12 a5 f0 ae 66 1b ec
| 1b ba 1b 55 91 da 53 4d 82 eb 9c 74 23 9d f6 2a
| 32 5d d0 c9 2d 06 e6 75 7e e8 da 3d c9 50 92 ba
| 27 75 0a dc 81 15 60 5d 52 b1 9a e4 c8 da 30 13
| fb 87 71 31 e9 f1 96 9f 5a 0c a8 7b fe a2 10 52
| d5 b9 7e 9e 93 57 0e 9d 5c 36 22 f7 f0 7d 3c c6
| b0 cd 13 82 39 38 b1 2c 43 33 89 8d cf 92 97 7e
| 8f f4 ee 79 5c 81 1b e2 1a 57 91 8b 56 df a7 8d
| b0 ab 68 ca 0d 9e 18 e8 5f 36 1e 83 2a 5e f5 27
| 04 dd fd d1 ca b0 4b 93 87 b8 52 b9 e2 cc c1 52
| 77 14 60 51 09 97 af fd ae 20 67 9c c5 01 d0 80
| 01 90 79 8e 8e 38 62 b7 46 44 93 07 10 10 fb 00
| f8 5f b7 dd 12 9e b2 39 da 35 53 e3 cd 33 e6 a2
| c6 7e 07 67 fb 23 c5 c4 ff 2d ed 50 5d e0 68 bb
| 31 74 31 51 43 6b 97 53 b7 f7 1b 67 ce 59 21 30
| 27 2f c2 c4 24 e7 f5 ae 14 ca f4 6b fe 93 61 f0
| e7 6f 40 62 f5 5c a0 b0 48 ba b5 64 72 dc 9b b8
| 30 82 10 7c f1 25 b3 d3 a4 ca 8e dd 95 5b 46 54
| 95 ae 20 c7 4c 92 70 bf 3e c1 2d 9f 56 87 ae 9d
| 39 1f cf 36 f2 34 cd 36 9a e6 97 23 77 6e 3b 23
| a6 e4 72 e1 a9 19 e9 3d 17 c6 14 7e a6 d6 b6 64
| 38 c6 54 5d 4b d6 6a af 97 67 1a
| sending 102 bytes for STATE_PARENT_I1 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #2)
| 7b 6a 2a dd 5c 7a c7 69 09 8a aa 72 c2 0f 6a aa
| 35 20 23 08 00 00 00 01 00 00 00 66 00 00 00 4a
| 00 05 00 05 a3 33 37 56 a9 ab ef 31 79 26 42 fc
| 1f 23 3a 4f 0b ea 05 aa e8 b2 0a ef 18 c8 66 c6
| 9c d0 88 a7 8c 21 a5 30 82 12 bf 95 85 d3 11 58
| 5f 42 b3 c1 7e dc 63 6b b1 34 db cc bf 8d d4 2a
| 20 23 c0 03 0e 63
| sent 5 fragments
| success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=15000ms
"private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #3: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds
| event_schedule: new EVENT_RETRANSMIT-pe@0x7fd55c002b78
| inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #3
| libevent_malloc: new ptr-libevent@0x562875178b08 size 128
| #3 STATE_PARENT_I2: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29642.168353
| resume sending helper answer for #2 suppresed complete_v2_state_transition()
| #2 spent 1.59 milliseconds
| #2 spent 11.9 milliseconds in resume sending helper answer
| stop processing: state #3 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in resume_handler() at server.c:833)
| libevent_free: release ptr-libevent@0x7fd550000f48
| spent 0.00289 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 65 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
| 7b 6a 2a dd 5c 7a c7 69 09 8a aa 72 c2 0f 6a aa
| 2e 20 23 20 00 00 00 01 00 00 00 41 29 00 00 25
| fd 7a 57 34 60 56 83 cb 35 06 6c b1 c4 33 b6 7b
| 70 c3 1d 7f 05 09 49 f9 32 09 95 12 ee 6b d8 79
| a2
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
| initiator cookie:
| 7b 6a 2a dd 5c 7a c7 69
| responder cookie:
| 09 8a aa 72 c2 0f 6a aa
| next payload type: ISAKMP_NEXT_v2SK (0x2e)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
| Message ID: 1 (0x1)
| length: 65 (0x41)
| processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Initiator receiving an IKEv2 IKE_AUTH response
| State DB: found IKEv2 state #2 in PARENT_I2 (find_v2_ike_sa)
| start processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ikev2_process_packet() at ikev2.c:2016)
| State DB: found IKEv2 state #3 in PARENT_I2 (find_v2_sa_by_initiator_wip)
| suspend processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ike_process_packet() at ikev2.c:2062)
| start processing: state #3 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ike_process_packet() at ikev2.c:2062)
| #3 is idle
| #3 idle
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SK)
| ***parse IKEv2 Encryption Payload:
| next payload type: ISAKMP_NEXT_v2N (0x29)
| flags: none (0x0)
| length: 37 (0x25)
| processing payload: ISAKMP_NEXT_v2SK (len=33)
| #3 in state PARENT_I2: sent v2I2, expected v2R2
| #3 ikev2 ISAKMP_v2_IKE_AUTH decrypt success
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| **parse IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| length: 8 (0x8)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_AUTHENTICATION_FAILED (0x18)
| processing payload: ISAKMP_NEXT_v2N (len=0)
| selected state microcode Initiator: process AUTHENTICATION_FAILED AUTH notification
| Now let's proceed with state specific processing
| calling processor Initiator: process AUTHENTICATION_FAILED AUTH notification
"private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #3: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
| pstats #2 ikev2.ike failed auth-failed
"private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #3: scheduling retry attempt 1 of an unlimited number
| release_pending_whacks: state #3 has no whack fd
| release_pending_whacks: IKE SA #2 fd@-1 has pending CHILD SA with socket fd@-1
| libevent_free: release ptr-libevent@0x562875178b08
| free_event_entry: release EVENT_RETRANSMIT-pe@0x7fd55c002b78
| event_schedule: new EVENT_RETRANSMIT-pe@0x7fd55c002b78
| inserting event EVENT_RETRANSMIT, timeout in 59.991397 seconds for #3
| libevent_malloc: new ptr-libevent@0x7fd550000f48 size 128
"private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #3: STATE_PARENT_I2: suppressing retransmits; will wait 59.991397 seconds for retry
| #3 spent 0.0372 milliseconds in processing: Initiator: process AUTHENTICATION_FAILED AUTH notification in ikev2_process_state_packet()
| [RE]START processing: state #3 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in complete_v2_state_transition() at ikev2.c:3379)
| #3 complete_v2_state_transition() PARENT_I2->PARENT_I2 with status STF_IGNORE
| stop processing: state #3 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ikev2_process_packet() at ikev2.c:2018)
| #2 spent 0.193 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.203 milliseconds in comm_handle_cb() reading and processing packet
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_STATE_... in show_states_status (sort_states)
| FOR_EACH_STATE_... in sort_states
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.71 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
shutting down
| processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825)
destroying root certificate cache
| certs and keys locked by 'free_preshared_secrets'
forgetting secrets
| certs and keys unlocked by 'free_preshared_secrets'
| unreference key: 0x5628751551b8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1--
| unreference key: 0x562875154af8 user-east@testing.libreswan.org cnt 1--
| unreference key: 0x562875158ce8 @east.testing.libreswan.org cnt 1--
| unreference key: 0x5628751574f8 east@testing.libreswan.org cnt 1--
| unreference key: 0x562875157038 192.1.2.23 cnt 1--
| start processing: connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 (in delete_connection() at connections.c:189)
| removing pending policy for no connection {0x56287512a558}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| state #3
| suspend processing: connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 (in foreach_state_by_connection_func_delete() at state.c:1310)
| start processing: state #3 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in foreach_state_by_connection_func_delete() at state.c:1310)
| pstats #3 ikev2.child deleted other
| #3 spent 0.0372 milliseconds in total
| [RE]START processing: state #3 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in delete_state() at state.c:879)
"private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #3: deleting state (STATE_PARENT_I2) aged 12.587s and NOT sending notification
| child state #3: PARENT_I2(open IKE SA) => delete
| child state #3: PARENT_I2(open IKE SA) => CHILDSA_DEL(informational)
| state #3 requesting EVENT_RETRANSMIT to be deleted
| #3 STATE_CHILDSA_DEL: retransmits: cleared
| libevent_free: release ptr-libevent@0x7fd550000f48
| free_event_entry: release EVENT_RETRANSMIT-pe@0x7fd55c002b78
| priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfdf
| delete inbound eroute 192.1.3.209/32:0 --0-> 192.1.2.23/32:0 => unk255.10000@192.1.2.23 (raw_eroute)
| raw_eroute result=success
| stop processing: connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 (BACKGROUND) (in update_state_connection() at connections.c:4076)
| start processing: connection NULL (in update_state_connection() at connections.c:4077)
| in connection_discard for connection private-or-clear#192.1.3.0/24
| State DB: deleting IKEv2 state #3 in CHILDSA_DEL
| child state #3: CHILDSA_DEL(informational) => UNDEFINED(ignore)
| stop processing: state #3 from 192.1.3.209 (in delete_state() at state.c:1143)
| processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312)
| state #2
| start processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in foreach_state_by_connection_func_delete() at state.c:1310)
| pstats #2 ikev2.ike deleted auth-failed
| #2 spent 16.4 milliseconds in total
| [RE]START processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in delete_state() at state.c:879)
"private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #2: deleting state (STATE_PARENT_I2) aged 12.596s and NOT sending notification
| parent state #2: PARENT_I2(open IKE SA) => delete
| state #2 requesting EVENT_SA_REPLACE to be deleted
| libevent_free: release ptr-libevent@0x7fd55c002888
| free_event_entry: release EVENT_SA_REPLACE-pe@0x7fd558001f18
| State DB: IKEv2 state not found (flush_incomplete_children)
| in connection_discard for connection private-or-clear#192.1.3.0/24
| State DB: deleting IKEv2 state #2 in PARENT_I2
| parent state #2: PARENT_I2(open IKE SA) => UNDEFINED(ignore)
| stop processing: state #2 from 192.1.3.209 (in delete_state() at state.c:1143)
| processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312)
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'private-or-clear#192.1.3.0/24' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfdf
| netlink_raw_eroute: SPI_PASS
| priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfdf
| netlink_raw_eroute: SPI_PASS
| free hp@0x5628751613a8
| flush revival: connection 'private-or-clear#192.1.3.0/24' wasn't on the list
| processing: STOP connection NULL (in discard_connection() at connections.c:249)
| start processing: connection "private-or-clear-all" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| flush revival: connection 'private-or-clear-all' wasn't on the list
| stop processing: connection "private-or-clear-all" (in discard_connection() at connections.c:249)
| start processing: connection "block" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| flush revival: connection 'block' wasn't on the list
| stop processing: connection "block" (in discard_connection() at connections.c:249)
| start processing: connection "private" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| flush revival: connection 'private' wasn't on the list
| stop processing: connection "private" (in discard_connection() at connections.c:249)
| start processing: connection "private-or-clear#192.1.3.0/24" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'private-or-clear#192.1.3.0/24' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfe7
| netlink_raw_eroute: SPI_PASS
| priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfe7
| netlink_raw_eroute: SPI_PASS
| FOR_EACH_CONNECTION_... in route_owner
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn private-or-clear mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "private-or-clear#192.1.3.0/24" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute
| command executing unroute-host
| executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#192.1.3.0/24' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.0/24' PLUTO_PEER_CLIENT_NET='192.1.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0'
| popen cmd is 1104 chars long
| cmd( 0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear:
| cmd( 80):#192.1.3.0/24' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192:
| cmd( 160):.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIEN:
| cmd( 240):T_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUT:
| cmd( 320):O_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.:
| cmd( 400):0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.0/24' PLUTO_PEER_CLIENT_NET:
| cmd( 480):='192.1.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PE:
| cmd( 560):ER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CO:
| cmd( 640):NN_POLICY='RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTA:
| cmd( 720):NCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS' PLUTO_CONN_KIND=':
| cmd( 800):CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0':
| cmd( 880): PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG:
| cmd( 960):_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTIN:
| cmd(1040):G='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1:
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
| flush revival: connection 'private-or-clear#192.1.3.0/24' wasn't on the list
| stop processing: connection "private-or-clear#192.1.3.0/24" (in discard_connection() at connections.c:249)
| start processing: connection "private-or-clear" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| flush revival: connection 'private-or-clear' wasn't on the list
| stop processing: connection "private-or-clear" (in discard_connection() at connections.c:249)
| start processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in delete_connection() at connections.c:189)
"clear#192.1.2.253/32" 0.0.0.0: deleting connection "clear#192.1.2.253/32" 0.0.0.0 instance with peer 0.0.0.0 {isakmp=#0/ipsec=#0}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'clear#192.1.2.253/32' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf
| priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.253/32" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute
| command executing unroute-host
| executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_O
| popen cmd is 1018 chars long
| cmd( 0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25:
| cmd( 80):3/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' :
| cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19:
| cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT:
| cmd( 320):OCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_:
| cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1:
| cmd( 480):.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_:
| cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_:
| cmd( 640):POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING:
| cmd( 720):_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO:
| cmd( 800):_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVE:
| cmd( 880):R='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no':
| cmd( 960): VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1:
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
| flush revival: connection 'clear#192.1.2.253/32' wasn't on the list
| stop processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in discard_connection() at connections.c:249)
| start processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in delete_connection() at connections.c:189)
"clear#192.1.3.253/32" 0.0.0.0: deleting connection "clear#192.1.3.253/32" 0.0.0.0 instance with peer 0.0.0.0 {isakmp=#0/ipsec=#0}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'clear#192.1.3.253/32' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf
| priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.253/32" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute
| command executing unroute-host
| executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_O
| popen cmd is 1018 chars long
| cmd( 0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25:
| cmd( 80):3/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' :
| cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19:
| cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT:
| cmd( 320):OCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_:
| cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1:
| cmd( 480):.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_:
| cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_:
| cmd( 640):POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING:
| cmd( 720):_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO:
| cmd( 800):_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVE:
| cmd( 880):R='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no':
| cmd( 960): VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1:
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
| flush revival: connection 'clear#192.1.3.253/32' wasn't on the list
| stop processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in discard_connection() at connections.c:249)
| start processing: connection "clear#192.1.3.254/32" 0.0.0.0 (in delete_connection() at connections.c:189)
"clear#192.1.3.254/32" 0.0.0.0: deleting connection "clear#192.1.3.254/32" 0.0.0.0 instance with peer 0.0.0.0 {isakmp=#0/ipsec=#0}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'clear#192.1.3.254/32' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.3.254/32" is 0x17dfdf
| priority calculation of connection "clear#192.1.3.254/32" is 0x17dfdf
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.254/32" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute
| command executing unroute-host
| executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_O
| popen cmd is 1018 chars long
| cmd( 0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25:
| cmd( 80):4/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' :
| cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19:
| cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT:
| cmd( 320):OCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_:
| cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1:
| cmd( 480):.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_:
| cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_:
| cmd( 640):POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING:
| cmd( 720):_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO:
| cmd( 800):_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVE:
| cmd( 880):R='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no':
| cmd( 960): VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1:
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
| flush revival: connection 'clear#192.1.3.254/32' wasn't on the list
| stop processing: connection "clear#192.1.3.254/32" 0.0.0.0 (in discard_connection() at connections.c:249)
| start processing: connection "clear#192.1.2.254/32" 0.0.0.0 (in delete_connection() at connections.c:189)
"clear#192.1.2.254/32" 0.0.0.0: deleting connection "clear#192.1.2.254/32" 0.0.0.0 instance with peer 0.0.0.0 {isakmp=#0/ipsec=#0}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'clear#192.1.2.254/32' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.2.254/32" is 0x17dfdf
| priority calculation of connection "clear#192.1.2.254/32" is 0x17dfdf
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.254/32" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute
| command executing unroute-host
| executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_O
| popen cmd is 1018 chars long
| cmd( 0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25:
| cmd( 80):4/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' :
| cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19:
| cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT:
| cmd( 320):OCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_:
| cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1:
| cmd( 480):.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_:
| cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_:
| cmd( 640):POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING:
| cmd( 720):_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO:
| cmd( 800):_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVE:
| cmd( 880):R='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no':
| cmd( 960): VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1:
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
| flush revival: connection 'clear#192.1.2.254/32' wasn't on the list
| stop processing: connection "clear#192.1.2.254/32" 0.0.0.0 (in discard_connection() at connections.c:249)
| start processing: connection "clear" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| flush revival: connection 'clear' wasn't on the list
| stop processing: connection "clear" (in discard_connection() at connections.c:249)
| start processing: connection "clear-or-private" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| free hp@0x56287514ec58
| flush revival: connection 'clear-or-private' wasn't on the list
| stop processing: connection "clear-or-private" (in discard_connection() at connections.c:249)
| crl fetch request list locked by 'free_crl_fetch'
| crl fetch request list unlocked by 'free_crl_fetch'
shutting down interface lo/lo 127.0.0.1:4500
shutting down interface lo/lo 127.0.0.1:500
shutting down interface eth0/eth0 192.0.2.254:4500
shutting down interface eth0/eth0 192.0.2.254:500
shutting down interface eth1/eth1 192.1.2.23:4500
shutting down interface eth1/eth1 192.1.2.23:500
| FOR_EACH_STATE_... in delete_states_dead_interfaces
| libevent_free: release ptr-libevent@0x562875151848
| free_event_entry: release EVENT_NULL-pe@0x56287514da18
| libevent_free: release ptr-libevent@0x5628750e8638
| free_event_entry: release EVENT_NULL-pe@0x56287514dac8
| libevent_free: release ptr-libevent@0x5628750e86e8
| free_event_entry: release EVENT_NULL-pe@0x56287514db78
| libevent_free: release ptr-libevent@0x5628750e7658
| free_event_entry: release EVENT_NULL-pe@0x56287514dc28
| libevent_free: release ptr-libevent@0x5628750ef968
| free_event_entry: release EVENT_NULL-pe@0x56287514dcd8
| libevent_free: release ptr-libevent@0x5628750f0488
| free_event_entry: release EVENT_NULL-pe@0x56287514dd88
| FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
| libevent_free: release ptr-libevent@0x562875141e98
| free_event_entry: release EVENT_NULL-pe@0x562875136038
| libevent_free: release ptr-libevent@0x56287512eb38
| free_event_entry: release EVENT_NULL-pe@0x562875135b98
| libevent_free: release ptr-libevent@0x56287512ea88
| free_event_entry: release EVENT_NULL-pe@0x5628750efb28
| global timer EVENT_REINIT_SECRET uninitialized
| global timer EVENT_SHUNT_SCAN uninitialized
| global timer EVENT_PENDING_DDNS uninitialized
| global timer EVENT_PENDING_PHASE2 uninitialized
| global timer EVENT_CHECK_CRLS uninitialized
| global timer EVENT_REVIVE_CONNS uninitialized
| global timer EVENT_FREE_ROOT_CERTS uninitialized
| global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized
| global timer EVENT_NAT_T_KEEPALIVE uninitialized
| libevent_free: release ptr-libevent@0x5628750f40f8
| signal event handler PLUTO_SIGCHLD uninstalled
| libevent_free: release ptr-libevent@0x562875060ec8
| signal event handler PLUTO_SIGTERM uninstalled
| libevent_free: release ptr-libevent@0x562875076858
| signal event handler PLUTO_SIGHUP uninstalled
| libevent_free: release ptr-libevent@0x56287514d4f8
| signal event handler PLUTO_SIGSYS uninstalled
| releasing event base
| libevent_free: release ptr-libevent@0x56287514d3c8
| libevent_free: release ptr-libevent@0x562875130458
| libevent_free: release ptr-libevent@0x562875130408
| libevent_free: release ptr-libevent@0x5628750e7938
| libevent_free: release ptr-libevent@0x5628751303c8
| libevent_free: release ptr-libevent@0x56287514d188
| libevent_free: release ptr-libevent@0x56287514d2c8
| libevent_free: release ptr-libevent@0x562875130608
| libevent_free: release ptr-libevent@0x562875135c08
| libevent_free: release ptr-libevent@0x562875135868
| libevent_free: release ptr-libevent@0x56287514ddf8
| libevent_free: release ptr-libevent@0x56287514dd48
| libevent_free: release ptr-libevent@0x56287514dc98
| libevent_free: release ptr-libevent@0x56287514dbe8
| libevent_free: release ptr-libevent@0x56287514db38
| libevent_free: release ptr-libevent@0x56287514da88
| libevent_free: release ptr-libevent@0x562875071d88
| libevent_free: release ptr-libevent@0x56287514d348
| libevent_free: release ptr-libevent@0x56287514d308
| libevent_free: release ptr-libevent@0x56287514d1c8
| libevent_free: release ptr-libevent@0x56287514d388
| libevent_free: release ptr-libevent@0x56287507d768
| libevent_free: release ptr-libevent@0x5628750f5c88
| libevent_free: release ptr-libevent@0x5628750f5c08
| libevent_free: release ptr-libevent@0x5628750714c8
| releasing global libevent data
| libevent_free: release ptr-libevent@0x5628750f5e08
| libevent_free: release ptr-libevent@0x5628750f5d88
| libevent_free: release ptr-libevent@0x5628750f5d08
leak: group instance name, item size: 30
leak: cloned from groupname, item size: 17
leak: group instance name, item size: 21
leak: cloned from groupname, item size: 6
leak: group instance name, item size: 21
leak: cloned from groupname, item size: 6
leak: group instance name, item size: 21
leak: cloned from groupname, item size: 6
leak: group instance name, item size: 21
leak: cloned from groupname, item size: 6
leak: policy group path, item size: 54
leak detective found 11 leaks, total size 209