FIPS Product: YES
FIPS Kernel: NO
FIPS Mode: NO
NSS DB directory: sql:/etc/ipsec.d
Initializing NSS
Opening NSS database "sql:/etc/ipsec.d" read-only
NSS initialized
NSS crypto library initialized
FIPS HMAC integrity support [enabled]
FIPS mode disabled for pluto daemon
FIPS HMAC integrity verification self-test FAILED
libcap-ng support [enabled]
Linux audit support [enabled]
Linux audit activated
Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:22808
core dump dir: /tmp
secrets file: /etc/ipsec.secrets
leak-detective enabled
NSS crypto [enabled]
XAUTH PAM support [enabled]
| libevent is using pluto's memory allocator
Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
| libevent_malloc: new ptr-libevent@0x5628750f5e08 size 40
| libevent_malloc: new ptr-libevent@0x5628750f5d88 size 40
| libevent_malloc: new ptr-libevent@0x5628750f5d08 size 40
| creating event base
| libevent_malloc: new ptr-libevent@0x5628750e7938 size 56
| libevent_malloc: new ptr-libevent@0x5628750714c8 size 664
| libevent_malloc: new ptr-libevent@0x562875130408 size 24
| libevent_malloc: new ptr-libevent@0x562875130458 size 384
| libevent_malloc: new ptr-libevent@0x5628751303c8 size 16
| libevent_malloc: new ptr-libevent@0x5628750f5c88 size 40
| libevent_malloc: new ptr-libevent@0x5628750f5c08 size 48
| libevent_realloc: new ptr-libevent@0x562875071d88 size 256
| libevent_malloc: new ptr-libevent@0x562875130608 size 16
| libevent_free: release ptr-libevent@0x5628750e7938
| libevent initialized
| libevent_realloc: new ptr-libevent@0x5628750e7938 size 64
| global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds
| init_nat_traversal() initialized with keep_alive=0s
NAT-Traversal support  [enabled]
| global one-shot timer EVENT_NAT_T_KEEPALIVE initialized
| global one-shot timer EVENT_FREE_ROOT_CERTS initialized
| global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds
| global one-shot timer EVENT_REVIVE_CONNS initialized
| global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds
| global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds
Encryption algorithms:
  AES_CCM_16              IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm, aes_ccm_c
  AES_CCM_12              IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm_b
  AES_CCM_8               IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm_a
  3DES_CBC                IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  [*192]  3des
  CAMELLIA_CTR            IKEv1:     ESP     IKEv2:     ESP           {256,192,*128}
  CAMELLIA_CBC            IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  camellia
  AES_GCM_16              IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes_gcm, aes_gcm_c
  AES_GCM_12              IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes_gcm_b
  AES_GCM_8               IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes_gcm_a
  AES_CTR                 IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aesctr
  AES_CBC                 IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes
  SERPENT_CBC             IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  serpent
  TWOFISH_CBC             IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  twofish
  TWOFISH_SSH             IKEv1: IKE         IKEv2: IKE ESP           {256,192,*128}  twofish_cbc_ssh
  NULL_AUTH_AES_GMAC      IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_gmac
  NULL                    IKEv1:     ESP     IKEv2:     ESP           []
  CHACHA20_POLY1305       IKEv1:             IKEv2: IKE ESP           [*256]  chacha20poly1305
Hash algorithms:
  MD5                     IKEv1: IKE         IKEv2:                 
  SHA1                    IKEv1: IKE         IKEv2:             FIPS  sha
  SHA2_256                IKEv1: IKE         IKEv2:             FIPS  sha2, sha256
  SHA2_384                IKEv1: IKE         IKEv2:             FIPS  sha384
  SHA2_512                IKEv1: IKE         IKEv2:             FIPS  sha512
PRF algorithms:
  HMAC_MD5                IKEv1: IKE         IKEv2: IKE               md5
  HMAC_SHA1               IKEv1: IKE         IKEv2: IKE         FIPS  sha, sha1
  HMAC_SHA2_256           IKEv1: IKE         IKEv2: IKE         FIPS  sha2, sha256, sha2_256
  HMAC_SHA2_384           IKEv1: IKE         IKEv2: IKE         FIPS  sha384, sha2_384
  HMAC_SHA2_512           IKEv1: IKE         IKEv2: IKE         FIPS  sha512, sha2_512
  AES_XCBC                IKEv1:             IKEv2: IKE               aes128_xcbc
Integrity algorithms:
  HMAC_MD5_96             IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        md5, hmac_md5
  HMAC_SHA1_96            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha, sha1, sha1_96, hmac_sha1
  HMAC_SHA2_512_256       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha512, sha2_512, sha2_512_256, hmac_sha2_512
  HMAC_SHA2_384_192       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha384, sha2_384, sha2_384_192, hmac_sha2_384
  HMAC_SHA2_256_128       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
  HMAC_SHA2_256_TRUNCBUG  IKEv1:     ESP AH  IKEv2:         AH      
  AES_XCBC_96             IKEv1:     ESP AH  IKEv2: IKE ESP AH        aes_xcbc, aes128_xcbc, aes128_xcbc_96
  AES_CMAC_96             IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS  aes_cmac
  NONE                    IKEv1:     ESP     IKEv2: IKE ESP     FIPS  null
DH algorithms:
  NONE                    IKEv1:             IKEv2: IKE ESP AH  FIPS  null, dh0
  MODP1536                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        dh5
  MODP2048                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh14
  MODP3072                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh15
  MODP4096                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh16
  MODP6144                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh17
  MODP8192                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh18
  DH19                    IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  ecp_256, ecp256
  DH20                    IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  ecp_384, ecp384
  DH21                    IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  ecp_521, ecp521
  DH31                    IKEv1: IKE         IKEv2: IKE ESP AH        curve25519
testing CAMELLIA_CBC:
  Camellia: 16 bytes with 128-bit key
  Camellia: 16 bytes with 128-bit key
  Camellia: 16 bytes with 256-bit key
  Camellia: 16 bytes with 256-bit key
testing AES_GCM_16:
  empty string
  one block
  two blocks
  two blocks with associated data
testing AES_CTR:
  Encrypting 16 octets using AES-CTR with 128-bit key
  Encrypting 32 octets using AES-CTR with 128-bit key
  Encrypting 36 octets using AES-CTR with 128-bit key
  Encrypting 16 octets using AES-CTR with 192-bit key
  Encrypting 32 octets using AES-CTR with 192-bit key
  Encrypting 36 octets using AES-CTR with 192-bit key
  Encrypting 16 octets using AES-CTR with 256-bit key
  Encrypting 32 octets using AES-CTR with 256-bit key
  Encrypting 36 octets using AES-CTR with 256-bit key
testing AES_CBC:
  Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
  Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
  Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
  Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
testing AES_XCBC:
  RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input
  RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input
  RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input
  RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input
  RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input
  RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input
  RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input
  RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
  RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
  RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
testing HMAC_MD5:
  RFC 2104: MD5_HMAC test 1
  RFC 2104: MD5_HMAC test 2
  RFC 2104: MD5_HMAC test 3
8 CPU cores online
starting up 7 crypto helpers
started thread for crypto helper 0
| starting up helper thread 0
| status value returned by setting the priority of this thread (crypto helper 0) 22
| crypto helper 0 waiting (nothing to do)
started thread for crypto helper 1
| starting up helper thread 1
| status value returned by setting the priority of this thread (crypto helper 1) 22
| crypto helper 1 waiting (nothing to do)
started thread for crypto helper 2
| starting up helper thread 2
| status value returned by setting the priority of this thread (crypto helper 2) 22
| crypto helper 2 waiting (nothing to do)
started thread for crypto helper 3
| starting up helper thread 3
| status value returned by setting the priority of this thread (crypto helper 3) 22
| crypto helper 3 waiting (nothing to do)
started thread for crypto helper 4
| starting up helper thread 4
| status value returned by setting the priority of this thread (crypto helper 4) 22
| crypto helper 4 waiting (nothing to do)
started thread for crypto helper 5
| starting up helper thread 5
| status value returned by setting the priority of this thread (crypto helper 5) 22
| crypto helper 5 waiting (nothing to do)
started thread for crypto helper 6
| starting up helper thread 6
| status value returned by setting the priority of this thread (crypto helper 6) 22
| crypto helper 6 waiting (nothing to do)
| checking IKEv1 state table
|   MAIN_R0: category: half-open IKE SA flags: 0:
|     -> MAIN_R1 EVENT_SO_DISCARD
|   MAIN_I1: category: half-open IKE SA flags: 0:
|     -> MAIN_I2 EVENT_RETRANSMIT
|   MAIN_R1: category: open IKE SA flags: 200:
|     -> MAIN_R2 EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|   MAIN_I2: category: open IKE SA flags: 0:
|     -> MAIN_I3 EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|   MAIN_R2: category: open IKE SA flags: 0:
|     -> MAIN_R3 EVENT_SA_REPLACE
|     -> MAIN_R3 EVENT_SA_REPLACE
|     -> UNDEFINED EVENT_SA_REPLACE
|   MAIN_I3: category: open IKE SA flags: 0:
|     -> MAIN_I4 EVENT_SA_REPLACE
|     -> MAIN_I4 EVENT_SA_REPLACE
|     -> UNDEFINED EVENT_SA_REPLACE
|   MAIN_R3: category: established IKE SA flags: 200:
|     -> UNDEFINED EVENT_NULL
|   MAIN_I4: category: established IKE SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   AGGR_R0: category: half-open IKE SA flags: 0:
|     -> AGGR_R1 EVENT_SO_DISCARD
|   AGGR_I1: category: half-open IKE SA flags: 0:
|     -> AGGR_I2 EVENT_SA_REPLACE
|     -> AGGR_I2 EVENT_SA_REPLACE
|   AGGR_R1: category: open IKE SA flags: 200:
|     -> AGGR_R2 EVENT_SA_REPLACE
|     -> AGGR_R2 EVENT_SA_REPLACE
|   AGGR_I2: category: established IKE SA flags: 200:
|     -> UNDEFINED EVENT_NULL
|   AGGR_R2: category: established IKE SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   QUICK_R0: category: established CHILD SA flags: 0:
|     -> QUICK_R1 EVENT_RETRANSMIT
|   QUICK_I1: category: established CHILD SA flags: 0:
|     -> QUICK_I2 EVENT_SA_REPLACE
|   QUICK_R1: category: established CHILD SA flags: 0:
|     -> QUICK_R2 EVENT_SA_REPLACE
|   QUICK_I2: category: established CHILD SA flags: 200:
|     -> UNDEFINED EVENT_NULL
|   QUICK_R2: category: established CHILD SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   INFO: category: informational flags: 0:
|     -> UNDEFINED EVENT_NULL
|   INFO_PROTECTED: category: informational flags: 0:
|     -> UNDEFINED EVENT_NULL
|   XAUTH_R0: category: established IKE SA flags: 0:
|     -> XAUTH_R1 EVENT_NULL
|   XAUTH_R1: category: established IKE SA flags: 0:
|     -> MAIN_R3 EVENT_SA_REPLACE
|   MODE_CFG_R0: category: informational flags: 0:
|     -> MODE_CFG_R1 EVENT_SA_REPLACE
|   MODE_CFG_R1: category: established IKE SA flags: 0:
|     -> MODE_CFG_R2 EVENT_SA_REPLACE
|   MODE_CFG_R2: category: established IKE SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   MODE_CFG_I1: category: established IKE SA flags: 0:
|     -> MAIN_I4 EVENT_SA_REPLACE
|   XAUTH_I0: category: established IKE SA flags: 0:
|     -> XAUTH_I1 EVENT_RETRANSMIT
|   XAUTH_I1: category: established IKE SA flags: 0:
|     -> MAIN_I4 EVENT_RETRANSMIT
| checking IKEv2 state table
|   PARENT_I0: category: ignore flags: 0:
|     -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT)
|   PARENT_I1: category: half-open IKE SA flags: 0:
|     -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification)
|     -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH)
|   PARENT_I2: category: open IKE SA flags: 0:
|     -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification)
|     -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification)
|     -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification)
|     -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response)
|     -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification)
|   PARENT_I3: category: established IKE SA flags: 0:
|     -> PARENT_I3 EVENT_RETAIN (I3: Informational Request)
|     -> PARENT_I3 EVENT_RETAIN (I3: Informational Response)
|     -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request)
|     -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response)
|   PARENT_R0: category: half-open IKE SA flags: 0:
|     -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT)
|   PARENT_R1: category: half-open IKE SA flags: 0:
|     -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED))
|     -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request)
|   PARENT_R2: category: established IKE SA flags: 0:
|     -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request)
|     -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response)
|     -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request)
|     -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response)
|   V2_CREATE_I0: category: established IKE SA flags: 0:
|     -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA)
|   V2_CREATE_I: category: established IKE SA flags: 0:
|     -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response)
|   V2_REKEY_IKE_I0: category: established IKE SA flags: 0:
|     -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey)
|   V2_REKEY_IKE_I: category: established IKE SA flags: 0:
|     -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response)
|   V2_REKEY_CHILD_I0: category: established IKE SA flags: 0:
|     -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA)
|   V2_REKEY_CHILD_I: category: established IKE SA flags: 0: <none>
|   V2_CREATE_R: category: established IKE SA flags: 0:
|     -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request)
|   V2_REKEY_IKE_R: category: established IKE SA flags: 0:
|     -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey)
|   V2_REKEY_CHILD_R: category: established IKE SA flags: 0: <none>
|   V2_IPSEC_I: category: established CHILD SA flags: 0: <none>
|   V2_IPSEC_R: category: established CHILD SA flags: 0: <none>
|   IKESA_DEL: category: established IKE SA flags: 0:
|     -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
|   CHILDSA_DEL: category: informational flags: 0: <none>
Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64
| Hard-wiring algorithms
| adding AES_CCM_16 to kernel algorithm db
| adding AES_CCM_12 to kernel algorithm db
| adding AES_CCM_8 to kernel algorithm db
| adding 3DES_CBC to kernel algorithm db
| adding CAMELLIA_CBC to kernel algorithm db
| adding AES_GCM_16 to kernel algorithm db
| adding AES_GCM_12 to kernel algorithm db
| adding AES_GCM_8 to kernel algorithm db
| adding AES_CTR to kernel algorithm db
| adding AES_CBC to kernel algorithm db
| adding SERPENT_CBC to kernel algorithm db
| adding TWOFISH_CBC to kernel algorithm db
| adding NULL_AUTH_AES_GMAC to kernel algorithm db
| adding NULL to kernel algorithm db
| adding CHACHA20_POLY1305 to kernel algorithm db
| adding HMAC_MD5_96 to kernel algorithm db
| adding HMAC_SHA1_96 to kernel algorithm db
| adding HMAC_SHA2_512_256 to kernel algorithm db
| adding HMAC_SHA2_384_192 to kernel algorithm db
| adding HMAC_SHA2_256_128 to kernel algorithm db
| adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db
| adding AES_XCBC_96 to kernel algorithm db
| adding AES_CMAC_96 to kernel algorithm db
| adding NONE to kernel algorithm db
| net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes
| global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds
| setup kernel fd callback
| add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x5628750efb28
| libevent_malloc: new ptr-libevent@0x56287512ea88 size 128
| libevent_malloc: new ptr-libevent@0x562875135c08 size 16
| add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x562875135b98
| libevent_malloc: new ptr-libevent@0x56287512eb38 size 128
| libevent_malloc: new ptr-libevent@0x562875135868 size 16
| global one-shot timer EVENT_CHECK_CRLS initialized
selinux support is enabled.
| unbound context created - setting debug level to 5
| /etc/hosts lookups activated
| /etc/resolv.conf usage activated
| outgoing-port-avoid set 0-65535
| outgoing-port-permit set 32768-60999
| Loading dnssec root key from:/var/lib/unbound/root.key
| No additional dnssec trust anchors defined via dnssec-trusted= option
| Setting up events, loop start
| add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x562875136038
| libevent_malloc: new ptr-libevent@0x562875141e98 size 128
| libevent_malloc: new ptr-libevent@0x56287514d188 size 16
| libevent_realloc: new ptr-libevent@0x56287507d768 size 256
| libevent_malloc: new ptr-libevent@0x56287514d1c8 size 8
| libevent_realloc: new ptr-libevent@0x56287514d208 size 144
| libevent_malloc: new ptr-libevent@0x5628750f40f8 size 152
| libevent_malloc: new ptr-libevent@0x56287514d2c8 size 16
| signal event handler PLUTO_SIGCHLD installed
| libevent_malloc: new ptr-libevent@0x56287514d308 size 8
| libevent_malloc: new ptr-libevent@0x562875060ec8 size 152
| signal event handler PLUTO_SIGTERM installed
| libevent_malloc: new ptr-libevent@0x56287514d348 size 8
| libevent_malloc: new ptr-libevent@0x562875076858 size 152
| signal event handler PLUTO_SIGHUP installed
| libevent_malloc: new ptr-libevent@0x56287514d388 size 8
| libevent_realloc: release ptr-libevent@0x56287514d208
| libevent_realloc: new ptr-libevent@0x56287514d3c8 size 256
| libevent_malloc: new ptr-libevent@0x56287514d4f8 size 152
| signal event handler PLUTO_SIGSYS installed
| created addconn helper (pid:22957) using fork+execve
| forked child 22957
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
listening for IKE messages
| Inspecting interface lo 
| found lo with address 127.0.0.1
| Inspecting interface eth0 
| found eth0 with address 192.0.2.254
| Inspecting interface eth1 
| found eth1 with address 192.1.2.23
Kernel supports NIC esp-hw-offload
adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface eth1/eth1 192.1.2.23:4500
adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface eth0/eth0 192.0.2.254:4500
adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface lo/lo 127.0.0.1:4500
| no interfaces to sort
| FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
| add_fd_read_event_handler: new ethX-pe@0x56287514da18
| libevent_malloc: new ptr-libevent@0x562875141de8 size 128
| libevent_malloc: new ptr-libevent@0x56287514da88 size 16
| setup callback for interface lo 127.0.0.1:4500 fd 22
| add_fd_read_event_handler: new ethX-pe@0x56287514dac8
| libevent_malloc: new ptr-libevent@0x5628750e8638 size 128
| libevent_malloc: new ptr-libevent@0x56287514db38 size 16
| setup callback for interface lo 127.0.0.1:500 fd 21
| add_fd_read_event_handler: new ethX-pe@0x56287514db78
| libevent_malloc: new ptr-libevent@0x5628750e86e8 size 128
| libevent_malloc: new ptr-libevent@0x56287514dbe8 size 16
| setup callback for interface eth0 192.0.2.254:4500 fd 20
| add_fd_read_event_handler: new ethX-pe@0x56287514dc28
| libevent_malloc: new ptr-libevent@0x5628750e7658 size 128
| libevent_malloc: new ptr-libevent@0x56287514dc98 size 16
| setup callback for interface eth0 192.0.2.254:500 fd 19
| add_fd_read_event_handler: new ethX-pe@0x56287514dcd8
| libevent_malloc: new ptr-libevent@0x5628750ef968 size 128
| libevent_malloc: new ptr-libevent@0x56287514dd48 size 16
| setup callback for interface eth1 192.1.2.23:4500 fd 18
| add_fd_read_event_handler: new ethX-pe@0x56287514dd88
| libevent_malloc: new ptr-libevent@0x5628750f0488 size 128
| libevent_malloc: new ptr-libevent@0x56287514ddf8 size 16
| setup callback for interface eth1 192.1.2.23:500 fd 17
| certs and keys locked by 'free_preshared_secrets'
| certs and keys unlocked by 'free_preshared_secrets'
loading secrets from "/etc/ipsec.secrets"
| saving Modulus
| saving PublicExponent
| ignoring PrivateExponent
| ignoring Prime1
| ignoring Prime2
| ignoring Exponent1
| ignoring Exponent2
| ignoring Coefficient
| ignoring CKAIDNSS
| computed rsa CKAID  61 55 99 73  d3 ac ef 7d  3a 37 0e 3e  82 ad 92 c1
| computed rsa CKAID  8a 82 25 f1
loaded private key for keyid: PKK_RSA:AQO9bJbr3
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 1.08 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection clear with policy AUTH_NEVER+GROUP+PASS+NEVER_NEGOTIATE
| counting wild cards for (none) is 15
| counting wild cards for (none) is 15
| connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none
| new hp@0x56287514ec58
added connection description "clear"
| ike_life: 0s; ipsec_life: 0s; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0; replay_window: 0; policy: AUTH_NEVER+GROUP+PASS+NEVER_NEGOTIATE
| 192.1.2.23---192.1.2.254...%group
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0988 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection clear-or-private with policy RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| loading left certificate 'east' pubkey
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x562875151c88
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x562875151c38
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x5628751518f8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x5628751517f8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x562875151d38
| unreference key: 0x562875154af8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1--
| certs and keys locked by 'lsw_add_rsa_secret'
| certs and keys unlocked by 'lsw_add_rsa_secret'
| counting wild cards for (none) is 15
| counting wild cards for (none) is 15
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x56287514ec58: clear
added connection description "clear-or-private"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| 192.1.2.23---192.1.2.254...%opportunisticgroup
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.999 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection private-or-clear with policy RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| loading left certificate 'east' pubkey
| unreference key: 0x5628751574f8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1--
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x562875158a38
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x5628751589e8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x562875159368
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x5628751588d8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x562875158928
| unreference key: 0x5628751551b8 192.1.2.23 cnt 1--
| unreference key: 0x562875156588 east@testing.libreswan.org cnt 1--
| unreference key: 0x562875156b18 @east.testing.libreswan.org cnt 1--
| unreference key: 0x562875157038 user-east@testing.libreswan.org cnt 1--
| unreference key: 0x562875158ce8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1--
| secrets entry for east already exists
| counting wild cards for (none) is 15
| counting wild cards for (none) is 15
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x56287514ec58: clear-or-private
added connection description "private-or-clear"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| 192.1.2.23---192.1.2.254...%opportunisticgroup
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.619 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection private with policy RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failureDROP
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| loading left certificate 'east' pubkey
| unreference key: 0x562875157038 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1--
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515abb8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515ab68
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515b4e8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515aa58
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515aaa8
| unreference key: 0x562875154af8 192.1.2.23 cnt 1--
| unreference key: 0x5628751551b8 east@testing.libreswan.org cnt 1--
| unreference key: 0x562875156588 @east.testing.libreswan.org cnt 1--
| unreference key: 0x562875156b18 user-east@testing.libreswan.org cnt 1--
| unreference key: 0x5628751574f8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1--
| secrets entry for east already exists
| counting wild cards for (none) is 15
| counting wild cards for (none) is 15
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x56287514ec58: private-or-clear
added connection description "private"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failureDROP
| 192.1.2.23---192.1.2.254...%opportunisticgroup
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.579 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection block with policy AUTH_NEVER+GROUP+REJECT+NEVER_NEGOTIATE
| counting wild cards for (none) is 15
| counting wild cards for (none) is 15
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x56287514ec58: private
added connection description "block"
| ike_life: 0s; ipsec_life: 0s; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0; replay_window: 0; policy: AUTH_NEVER+GROUP+REJECT+NEVER_NEGOTIATE
| 192.1.2.23---192.1.2.254...%group
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0712 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection private-or-clear-all with policy RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| loading left certificate 'east' pubkey
| unreference key: 0x562875156b18 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1--
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515d0e8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515d098
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515da18
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515cf88
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515cfd8
| unreference key: 0x562875158ce8 192.1.2.23 cnt 1--
| unreference key: 0x562875154af8 east@testing.libreswan.org cnt 1--
| unreference key: 0x5628751551b8 @east.testing.libreswan.org cnt 1--
| unreference key: 0x562875156588 user-east@testing.libreswan.org cnt 1--
| unreference key: 0x562875157038 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1--
| secrets entry for east already exists
| counting wild cards for (none) is 15
| counting wild cards for (none) is 15
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x56287514ec58: block
added connection description "private-or-clear-all"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| 192.1.2.23---192.1.2.254...%opportunisticgroup
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.721 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "private-or-clear-all" (in delete_connection() at connections.c:189)
| Deleting states for connection - not including other IPsec SA's
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| flush revival: connection 'private-or-clear-all' wasn't on the list
| stop processing: connection "private-or-clear-all" (in discard_connection() at connections.c:249)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection private-or-clear-all with policy RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| loading left certificate 'east' pubkey
| unreference key: 0x562875156588 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1--
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515bed8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515b498
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515bdc8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515be18
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515c148
| unreference key: 0x5628751574f8 192.1.2.23 cnt 1--
| unreference key: 0x562875158ce8 east@testing.libreswan.org cnt 1--
| unreference key: 0x562875154af8 @east.testing.libreswan.org cnt 1--
| unreference key: 0x5628751551b8 user-east@testing.libreswan.org cnt 1--
| unreference key: 0x562875156b18 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1--
| secrets entry for east already exists
| counting wild cards for (none) is 15
| counting wild cards for (none) is 15
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x56287514ec58: block
added connection description "private-or-clear-all"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| 192.1.2.23---192.1.2.254...%opportunisticgroup
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.602 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
listening for IKE messages
| Inspecting interface lo 
| found lo with address 127.0.0.1
| Inspecting interface eth0 
| found eth0 with address 192.0.2.254
| Inspecting interface eth1 
| found eth1 with address 192.1.2.23
| no interfaces to sort
| libevent_free: release ptr-libevent@0x562875141de8
| free_event_entry: release EVENT_NULL-pe@0x56287514da18
| add_fd_read_event_handler: new ethX-pe@0x56287514da18
| libevent_malloc: new ptr-libevent@0x562875151848 size 128
| setup callback for interface lo 127.0.0.1:4500 fd 22
| libevent_free: release ptr-libevent@0x5628750e8638
| free_event_entry: release EVENT_NULL-pe@0x56287514dac8
| add_fd_read_event_handler: new ethX-pe@0x56287514dac8
| libevent_malloc: new ptr-libevent@0x5628750e8638 size 128
| setup callback for interface lo 127.0.0.1:500 fd 21
| libevent_free: release ptr-libevent@0x5628750e86e8
| free_event_entry: release EVENT_NULL-pe@0x56287514db78
| add_fd_read_event_handler: new ethX-pe@0x56287514db78
| libevent_malloc: new ptr-libevent@0x5628750e86e8 size 128
| setup callback for interface eth0 192.0.2.254:4500 fd 20
| libevent_free: release ptr-libevent@0x5628750e7658
| free_event_entry: release EVENT_NULL-pe@0x56287514dc28
| add_fd_read_event_handler: new ethX-pe@0x56287514dc28
| libevent_malloc: new ptr-libevent@0x5628750e7658 size 128
| setup callback for interface eth0 192.0.2.254:500 fd 19
| libevent_free: release ptr-libevent@0x5628750ef968
| free_event_entry: release EVENT_NULL-pe@0x56287514dcd8
| add_fd_read_event_handler: new ethX-pe@0x56287514dcd8
| libevent_malloc: new ptr-libevent@0x5628750ef968 size 128
| setup callback for interface eth1 192.1.2.23:4500 fd 18
| libevent_free: release ptr-libevent@0x5628750f0488
| free_event_entry: release EVENT_NULL-pe@0x56287514dd88
| add_fd_read_event_handler: new ethX-pe@0x56287514dd88
| libevent_malloc: new ptr-libevent@0x5628750f0488 size 128
| setup callback for interface eth1 192.1.2.23:500 fd 17
| certs and keys locked by 'free_preshared_secrets'
forgetting secrets
| certs and keys unlocked by 'free_preshared_secrets'
loading secrets from "/etc/ipsec.secrets"
| saving Modulus
| saving PublicExponent
| ignoring PrivateExponent
| ignoring Prime1
| ignoring Prime2
| ignoring Exponent1
| ignoring Exponent2
| ignoring Coefficient
| ignoring CKAIDNSS
| computed rsa CKAID  61 55 99 73  d3 ac ef 7d  3a 37 0e 3e  82 ad 92 c1
| computed rsa CKAID  8a 82 25 f1
loaded private key for keyid: PKK_RSA:AQO9bJbr3
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| no group file "/etc/ipsec.d/policies/private-or-clear-all" (pwd:/tmp)
loading group "/etc/ipsec.d/policies/block"
loading group "/etc/ipsec.d/policies/private"
loading group "/etc/ipsec.d/policies/private-or-clear"
loading group "/etc/ipsec.d/policies/clear-or-private"
loading group "/etc/ipsec.d/policies/clear"
| 192.1.2.23/32->192.1.2.254/32 0 sport 0 dport 0 clear
| 192.1.2.23/32->192.1.3.254/32 0 sport 0 dport 0 clear
| 192.1.2.23/32->192.1.3.253/32 0 sport 0 dport 0 clear
| 192.1.2.23/32->192.1.2.253/32 0 sport 0 dport 0 clear
| 192.1.2.23/32->192.1.3.0/24 0 sport 0 dport 0 private-or-clear
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.436 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "clear" (in whack_route_connection() at rcv_whack.c:106)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "clear" (in route_group() at foodgroups.c:435)
| start processing: connection "clear#192.1.2.254/32" 0.0.0.0 (in route_group() at foodgroups.c:435)
| could_route called for clear#192.1.2.254/32 (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear-all mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear-all mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: clear#192.1.2.254/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'clear#192.1.2.254/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.2.254/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| priority calculation of connection "clear#192.1.2.254/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare 
| command executing prepare-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE
| popen cmd is 1134 chars long
| cmd(   0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25:
| cmd(  80):4/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' :
| cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19:
| cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT:
| cmd( 320):OCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_:
| cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1:
| cmd( 480):.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_:
| cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test De:
| cmd( 640):partment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK=:
| cmd( 720):'netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVE:
| cmd( 800):R_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FA:
| cmd( 880):ILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' :
| cmd( 960):PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGUR:
| cmd(1040):ED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipse:
| cmd(1120):c _updown 2>&1:
| running updown command "ipsec _updown" for verb route 
| command executing route-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER
| popen cmd is 1132 chars long
| cmd(   0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/:
| cmd(  80):32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PL:
| cmd( 160):UTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.:
| cmd( 240):1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC:
| cmd( 320):OL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PE:
| cmd( 400):ER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1.2:
| cmd( 480):.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PR:
| cmd( 560):OTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Depa:
| cmd( 640):rtment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='n:
| cmd( 720):etkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_:
| cmd( 800):NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAIL:
| cmd( 880):ED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PL:
| cmd( 960):UTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED:
| cmd(1040):='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec :
| cmd(1120):_updown 2>&1:
| suspend processing: connection "clear#192.1.2.254/32" 0.0.0.0 (in route_group() at foodgroups.c:439)
| start processing: connection "clear" (in route_group() at foodgroups.c:439)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "clear" (in route_group() at foodgroups.c:435)
| start processing: connection "clear#192.1.3.254/32" 0.0.0.0 (in route_group() at foodgroups.c:435)
| could_route called for clear#192.1.3.254/32 (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear-all mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear-all mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: clear#192.1.3.254/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'clear#192.1.3.254/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.3.254/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| priority calculation of connection "clear#192.1.3.254/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare 
| command executing prepare-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE
| popen cmd is 1134 chars long
| cmd(   0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25:
| cmd(  80):4/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' :
| cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19:
| cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT:
| cmd( 320):OCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_:
| cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1:
| cmd( 480):.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_:
| cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test De:
| cmd( 640):partment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK=:
| cmd( 720):'netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVE:
| cmd( 800):R_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FA:
| cmd( 880):ILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' :
| cmd( 960):PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGUR:
| cmd(1040):ED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipse:
| cmd(1120):c _updown 2>&1:
| running updown command "ipsec _updown" for verb route 
| command executing route-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER
| popen cmd is 1132 chars long
| cmd(   0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/:
| cmd(  80):32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PL:
| cmd( 160):UTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.:
| cmd( 240):1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC:
| cmd( 320):OL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PE:
| cmd( 400):ER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1.3:
| cmd( 480):.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PR:
| cmd( 560):OTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Depa:
| cmd( 640):rtment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='n:
| cmd( 720):etkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_:
| cmd( 800):NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAIL:
| cmd( 880):ED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PL:
| cmd( 960):UTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED:
| cmd(1040):='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec :
| cmd(1120):_updown 2>&1:
| suspend processing: connection "clear#192.1.3.254/32" 0.0.0.0 (in route_group() at foodgroups.c:439)
| start processing: connection "clear" (in route_group() at foodgroups.c:439)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "clear" (in route_group() at foodgroups.c:435)
| start processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in route_group() at foodgroups.c:435)
| could_route called for clear#192.1.3.253/32 (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear-all mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear-all mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: clear#192.1.3.253/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'clear#192.1.3.253/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare 
| command executing prepare-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE
| popen cmd is 1134 chars long
| cmd(   0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25:
| cmd(  80):3/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' :
| cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19:
| cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT:
| cmd( 320):OCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_:
| cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1:
| cmd( 480):.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_:
| cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test De:
| cmd( 640):partment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK=:
| cmd( 720):'netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVE:
| cmd( 800):R_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FA:
| cmd( 880):ILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' :
| cmd( 960):PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGUR:
| cmd(1040):ED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipse:
| cmd(1120):c _updown 2>&1:
| running updown command "ipsec _updown" for verb route 
| command executing route-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER
| popen cmd is 1132 chars long
| cmd(   0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/:
| cmd(  80):32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PL:
| cmd( 160):UTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.:
| cmd( 240):1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC:
| cmd( 320):OL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PE:
| cmd( 400):ER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3:
| cmd( 480):.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PR:
| cmd( 560):OTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Depa:
| cmd( 640):rtment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='n:
| cmd( 720):etkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_:
| cmd( 800):NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAIL:
| cmd( 880):ED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PL:
| cmd( 960):UTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED:
| cmd(1040):='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec :
| cmd(1120):_updown 2>&1:
| suspend processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in route_group() at foodgroups.c:439)
| start processing: connection "clear" (in route_group() at foodgroups.c:439)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "clear" (in route_group() at foodgroups.c:435)
| start processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in route_group() at foodgroups.c:435)
| could_route called for clear#192.1.2.253/32 (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear-all mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear-all mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: clear#192.1.2.253/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'clear#192.1.2.253/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare 
| command executing prepare-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE
| popen cmd is 1134 chars long
| cmd(   0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25:
| cmd(  80):3/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' :
| cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19:
| cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT:
| cmd( 320):OCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_:
| cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1:
| cmd( 480):.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_:
| cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test De:
| cmd( 640):partment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK=:
| cmd( 720):'netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVE:
| cmd( 800):R_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FA:
| cmd( 880):ILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' :
| cmd( 960):PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGUR:
| cmd(1040):ED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipse:
| cmd(1120):c _updown 2>&1:
| running updown command "ipsec _updown" for verb route 
| command executing route-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER
| popen cmd is 1132 chars long
| cmd(   0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/:
| cmd(  80):32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PL:
| cmd( 160):UTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.:
| cmd( 240):1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC:
| cmd( 320):OL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PE:
| cmd( 400):ER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2:
| cmd( 480):.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PR:
| cmd( 560):OTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Depa:
| cmd( 640):rtment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='n:
| cmd( 720):etkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_:
| cmd( 800):NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAIL:
| cmd( 880):ED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PL:
| cmd( 960):UTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED:
| cmd(1040):='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec :
| cmd(1120):_updown 2>&1:
| suspend processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in route_group() at foodgroups.c:439)
| start processing: connection "clear" (in route_group() at foodgroups.c:439)
| stop processing: connection "clear" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 4.59 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| old debugging base+cpu-usage + none
| base debugging = base+cpu-usage
| old impairing none + suppress-retransmits
| base impairing = suppress-retransmits
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0322 milliseconds in whack
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00428 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00268 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00279 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00264 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00265 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00276 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00265 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00241 milliseconds in signal handler PLUTO_SIGCHLD
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "private-or-clear" (in whack_route_connection() at rcv_whack.c:106)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "private-or-clear" (in route_group() at foodgroups.c:435)
| start processing: connection "private-or-clear#192.1.3.0/24" (in route_group() at foodgroups.c:435)
| could_route called for private-or-clear#192.1.3.0/24 (kind=CK_TEMPLATE)
| FOR_EACH_CONNECTION_... in route_owner
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear-all mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "private-or-clear#192.1.3.0/24" unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear-all mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "private-or-clear#192.1.3.0/24" unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: private-or-clear#192.1.3.0/24 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'private-or-clear#192.1.3.0/24' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfe7
| IPsec Sa SPD priority set to 2088935
| priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfe7
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare 
| command executing prepare-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#192.1.3.0/24' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.0/24' PLUTO_PEER_CLIENT_NET='192.1.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISC
| popen cmd is 1222 chars long
| cmd(   0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear:
| cmd(  80):#192.1.3.0/24' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192:
| cmd( 160):.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIEN:
| cmd( 240):T_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUT:
| cmd( 320):O_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.:
| cmd( 400):0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.0/24' PLUTO_PEER_CLIENT_NET:
| cmd( 480):='192.1.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PE:
| cmd( 560):ER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test:
| cmd( 640): Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STA:
| cmd( 720):CK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+AUTHNULL+ENCRYPT+TUNNEL+:
| cmd( 800):PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW:
| cmd( 880):+ESN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' :
| cmd( 960):XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_:
| cmd(1040):INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_:
| cmd(1120):CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=:
| cmd(1200):0x0 ipsec _updown 2>&1:
| running updown command "ipsec _updown" for verb route 
| command executing route-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#192.1.3.0/24' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.0/24' PLUTO_PEER_CLIENT_NET='192.1.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0
| popen cmd is 1220 chars long
| cmd(   0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#1:
| cmd(  80):92.1.3.0/24' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1:
| cmd( 160):.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_:
| cmd( 240):NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_:
| cmd( 320):MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0':
| cmd( 400): PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.0/24' PLUTO_PEER_CLIENT_NET=':
| cmd( 480):192.1.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER:
| cmd( 560):_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test D:
| cmd( 640):epartment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK:
| cmd( 720):='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PF:
| cmd( 800):S+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+E:
| cmd( 880):SN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XA:
| cmd( 960):UTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_IN:
| cmd(1040):FO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CO:
| cmd(1120):NFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x:
| cmd(1200):0 ipsec _updown 2>&1:
| suspend processing: connection "private-or-clear#192.1.3.0/24" (in route_group() at foodgroups.c:439)
| start processing: connection "private-or-clear" (in route_group() at foodgroups.c:439)
| stop processing: connection "private-or-clear" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 1.15 milliseconds in whack
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00383 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.0021 milliseconds in signal handler PLUTO_SIGCHLD
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "private" (in whack_route_connection() at rcv_whack.c:106)
| stop processing: connection "private" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0266 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "block" (in whack_route_connection() at rcv_whack.c:106)
| stop processing: connection "block" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0174 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "private-or-clear-all" (in whack_route_connection() at rcv_whack.c:106)
| stop processing: connection "private-or-clear-all" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0165 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "private-or-clear-all" (in whack_route_connection() at rcv_whack.c:106)
| stop processing: connection "private-or-clear-all" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0154 milliseconds in whack
| processing signal PLUTO_SIGCHLD
| waitpid returned pid 22957 (exited with status 0)
| reaped addconn helper child (status 0)
| waitpid returned ECHILD (no child processes left)
| spent 0.0235 milliseconds in signal handler PLUTO_SIGCHLD
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_STATE_... in show_states_status (sort_states)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 1.15 milliseconds in whack
| spent 0.00265 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 851 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   a2 30 4a 5b  65 74 84 ee
|    responder cookie:
|   00 00 00 00  00 00 00 00
|    next payload type: ISAKMP_NEXT_v2SA (0x21)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_SA_INIT (0x22)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 0 (0x0)
|    length: 851 (0x353)
|  processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request 
| State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi)
| Now let's proceed with payload (ISAKMP_NEXT_v2SA)
| ***parse IKEv2 Security Association Payload:
|    next payload type: ISAKMP_NEXT_v2KE (0x22)
|    flags: none (0x0)
|    length: 436 (0x1b4)
| processing payload: ISAKMP_NEXT_v2SA (len=432)
| Now let's proceed with payload (ISAKMP_NEXT_v2KE)
| ***parse IKEv2 Key Exchange Payload:
|    next payload type: ISAKMP_NEXT_v2Ni (0x28)
|    flags: none (0x0)
|    length: 264 (0x108)
|    DH group: OAKLEY_GROUP_MODP2048 (0xe)
| processing payload: ISAKMP_NEXT_v2KE (len=256)
| Now let's proceed with payload (ISAKMP_NEXT_v2Ni)
| ***parse IKEv2 Nonce Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
|    length: 36 (0x24)
| processing payload: ISAKMP_NEXT_v2Ni (len=32)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
|    length: 8 (0x8)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e)
| processing payload: ISAKMP_NEXT_v2N (len=0)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
|    length: 28 (0x1c)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004)
| processing payload: ISAKMP_NEXT_v2N (len=20)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2V (0x2b)
|    flags: none (0x0)
|    length: 28 (0x1c)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
| processing payload: ISAKMP_NEXT_v2N (len=20)
| Now let's proceed with payload (ISAKMP_NEXT_v2V)
| ***parse IKEv2 Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    length: 23 (0x17)
| processing payload: ISAKMP_NEXT_v2V (len=19)
| DDOS disabled and no cookie sent, continuing
| VID_OPPORTUNISTIC received
| Processing IKE request for Opportunistic IPsec
| find_host_connection local=192.1.2.23:500 remote=192.1.3.209:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| find_next_host_connection returns empty
| find_host_connection local=192.1.2.23:500 remote=<none:> policy=ECDSA+IKEV2_ALLOW but ignoring ports
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear-all)
| found policy = AUTH_NEVER+SHUNT0+SHUNT1+GROUP+GROUTED (block)
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private)
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear)
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear#192.1.3.0/24)
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private)
| found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear)
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32)
| find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32)
| find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32)
| find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.254/32)
| find_next_host_connection returns clear#192.1.2.254/32 0.0.0.0
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| find_next_host_connection returns empty
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32)
| find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32)
| find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.254/32)
| find_next_host_connection returns clear#192.1.2.254/32 0.0.0.0
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| find_next_host_connection returns empty
| initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW
| find_host_connection local=192.1.2.23:500 remote=192.1.3.209:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| find_next_host_connection returns empty
| find_host_connection local=192.1.2.23:500 remote=<none:> policy=RSASIG+IKEV2_ALLOW but ignoring ports
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear-all)
| find_next_host_connection returns private-or-clear-all
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+SHUNT1+GROUP+GROUTED (block)
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private)
| find_next_host_connection returns private
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear)
| find_next_host_connection returns private-or-clear
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear#192.1.3.0/24)
| find_next_host_connection returns private-or-clear#192.1.3.0/24
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private)
| find_next_host_connection returns clear-or-private
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear)
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32)
| find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32)
| find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32)
| find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.254/32)
| find_next_host_connection returns clear#192.1.2.254/32 0.0.0.0
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| find_next_host_connection returns empty
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+SHUNT1+GROUP+GROUTED (block)
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private)
| find_next_host_connection returns private
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear)
| find_next_host_connection returns private-or-clear
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear#192.1.3.0/24)
| find_next_host_connection returns private-or-clear#192.1.3.0/24
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private)
| find_next_host_connection returns clear-or-private
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear)
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32)
| find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32)
| find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32)
| find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.254/32)
| find_next_host_connection returns clear#192.1.2.254/32 0.0.0.0
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| find_next_host_connection returns empty
| oppo_instantiate
|    match_id a=(none)
|             b=(none)
|    results  matched
| connect_to_host_pair: 192.1.2.23:500 192.1.3.209:500 -> hp@(nil): none
| new hp@0x5628751613a8
| oppo instantiate d="private-or-clear#192.1.3.0/24" from c="private-or-clear#192.1.3.0/24" with c->routing prospective erouted, d->routing unrouted
| new oppo instance: 192.1.2.23---192.1.2.254...192.1.3.209===192.1.3.0/24
| oppo_instantiate() instantiated "[1] ...192.1.3.209"private-or-clear#192.1.3.0/24: 192.1.2.23---192.1.2.254...192.1.3.209
| found connection: private-or-clear#192.1.3.0/24[1] ...192.1.3.209 with policy RSASIG+IKEV2_ALLOW
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| creating state object #1 at 0x562875161828
| State DB: adding IKEv2 state #1 in UNDEFINED
| pstats #1 ikev2.ike started
| Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0
| parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA)
| Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1
| start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209 (in ikev2_process_packet() at ikev2.c:2016)
| State DB: IKEv2 state not found (find_v2_sa_by_responder_wip)
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209 (in ike_process_packet() at ikev2.c:2064)
| #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000
| Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1
| Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0
| #1 in state PARENT_R0: processing SA_INIT request
| selected state microcode Respond to IKE_SA_INIT
| Now let's proceed with state specific processing
| calling processor Respond to IKE_SA_INIT
| #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669)
| received Vendor ID payload [Opportunistic IPsec]
| constructing local IKE proposals for private-or-clear#192.1.3.0/24 (IKE SA responder matching remote proposals)
| converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ...  ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ...  ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ...  ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ...  ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
"private-or-clear#192.1.3.0/24"[1] ...192.1.3.209: constructed local IKE proposals for private-or-clear#192.1.3.0/24 (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| Comparing remote proposals against IKE responder 4 local proposals
| local proposal 1 type ENCR has 1 transforms
| local proposal 1 type PRF has 2 transforms
| local proposal 1 type INTEG has 1 transforms
| local proposal 1 type DH has 8 transforms
| local proposal 1 type ESN has 0 transforms
| local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG
| local proposal 2 type ENCR has 1 transforms
| local proposal 2 type PRF has 2 transforms
| local proposal 2 type INTEG has 1 transforms
| local proposal 2 type DH has 8 transforms
| local proposal 2 type ESN has 0 transforms
| local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG
| local proposal 3 type ENCR has 1 transforms
| local proposal 3 type PRF has 2 transforms
| local proposal 3 type INTEG has 2 transforms
| local proposal 3 type DH has 8 transforms
| local proposal 3 type ESN has 0 transforms
| local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none
| local proposal 4 type ENCR has 1 transforms
| local proposal 4 type PRF has 2 transforms
| local proposal 4 type INTEG has 2 transforms
| local proposal 4 type DH has 8 transforms
| local proposal 4 type ESN has 0 transforms
| local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none
| ****parse IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    length: 100 (0x64)
|    prop #: 1 (0x1)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 11 (0xb)
| Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 12 (0xc)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_GCM_C (0x14)
| ******parse IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 256 (0x100)
| remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0
| remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0
| remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0
| remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none
| comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH
| remote proposal 1 matches local proposal 1
| ****parse IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    length: 100 (0x64)
|    prop #: 2 (0x2)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 11 (0xb)
| Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 12 (0xc)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_GCM_C (0x14)
| ******parse IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 128 (0x80)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH
| remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH
| ****parse IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    length: 116 (0x74)
|    prop #: 3 (0x3)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 13 (0xd)
| Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 12 (0xc)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_CBC (0xc)
| ******parse IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 256 (0x100)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH
| remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH
| ****parse IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_LAST (0x0)
|    length: 116 (0x74)
|    prop #: 4 (0x4)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 13 (0xd)
| Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 12 (0xc)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_CBC (0xc)
| ******parse IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 128 (0x80)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH
| remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH
| proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519
| accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048
| converting proposal to internal trans attrs
| natd_hash: rcookie is zero
| natd_hash: hasher=0x5628736ab800(20)
| natd_hash: icookie=  a2 30 4a 5b  65 74 84 ee
| natd_hash: rcookie=  00 00 00 00  00 00 00 00
| natd_hash: ip=  c0 01 02 17
| natd_hash: port=500
| natd_hash: hash=  03 82 c6 70  6c 42 81 cb  3a dc 6c 2a  14 80 f2 c9
| natd_hash: hash=  4f 71 00 32
| natd_hash: rcookie is zero
| natd_hash: hasher=0x5628736ab800(20)
| natd_hash: icookie=  a2 30 4a 5b  65 74 84 ee
| natd_hash: rcookie=  00 00 00 00  00 00 00 00
| natd_hash: ip=  c0 01 03 d1
| natd_hash: port=500
| natd_hash: hash=  15 54 03 c2  38 b5 c2 c7  71 a3 42 60  e2 1d 8e b9
| natd_hash: hash=  bc 61 91 92
| NAT_TRAVERSAL encaps using auto-detect
| NAT_TRAVERSAL this end is NOT behind NAT
| NAT_TRAVERSAL that end is NOT behind NAT
| NAT_TRAVERSAL nat-keepalive enabled 192.1.3.209
| adding ikev2_inI1outR1 KE work-order 1 for state #1
| event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5628751614d8
| inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1
| libevent_malloc: new ptr-libevent@0x562875141de8 size 128
|   #1 spent 0.527 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet()
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in complete_v2_state_transition() at ikev2.c:3379)
| #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND
| suspending state #1 and saving MD
| #1 is busy; has a suspended MD
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in log_stf_suspend() at ikev2.c:3269)
| crypto helper 0 resuming
| crypto helper 0 starting work-order 1 for state #1
| "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451
| crypto helper 0 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1
| stop processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.985 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.993 milliseconds in comm_handle_cb() reading and processing packet
| crypto helper 0 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.000585 seconds
| (#1) spent 0.592 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr)
| crypto helper 0 sending results from work-order 1 for state #1 to event queue
| scheduling resume sending helper answer for #1
| libevent_malloc: new ptr-libevent@0x7fd560002888 size 128
| crypto helper 0 waiting (nothing to do)
| processing resume sending helper answer for #1
| start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797)
| crypto helper 0 replies to request ID 1
| calling continuation function 0x5628735d6b50
| ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1
| **emit ISAKMP Message:
|    initiator cookie:
|   a2 30 4a 5b  65 74 84 ee
|    responder cookie:
|   2f a9 8f 22  d3 2d 1e 58
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_SA_INIT (0x22)
|    flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
|    Message ID: 0 (0x0)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| Emitting ikev2_proposal ...
| ***emit IKEv2 Security Association Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA)
| next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet'
| ****emit IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_LAST (0x0)
|    prop #: 1 (0x1)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 3 (0x3)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| ******emit IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 36
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| emitting length of IKEv2 Security Association Payload: 40
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0
| ***emit IKEv2 Key Exchange Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    DH group: OAKLEY_GROUP_MODP2048 (0xe)
| next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE)
| next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet'
| emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
| emitting length of IKEv2 Key Exchange Payload: 264
| ***emit IKEv2 Nonce Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
| next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N
| next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni)
| next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet'
| emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload
| IKEv2 nonce  f9 f4 58 44  f0 ea 84 c6  d2 7f bb 9b  a8 bd 4c eb
| IKEv2 nonce  50 de f7 0f  5f b5 fe b4  01 70 2d 66  69 0d 7d 21
| emitting length of IKEv2 Nonce Payload: 36
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e)
| next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting length of IKEv2 Notify Payload: 8
|  NAT-Traversal support  [enabled] add v2N payloads.
| natd_hash: hasher=0x5628736ab800(20)
| natd_hash: icookie=  a2 30 4a 5b  65 74 84 ee
| natd_hash: rcookie=  2f a9 8f 22  d3 2d 1e 58
| natd_hash: ip=  c0 01 02 17
| natd_hash: port=500
| natd_hash: hash=  e2 bf 3c c5  fd f7 90 60  f0 be 5a 23  fb 53 e9 7b
| natd_hash: hash=  75 bf 43 c7
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting 20 raw bytes of Notify data into IKEv2 Notify Payload
| Notify data  e2 bf 3c c5  fd f7 90 60  f0 be 5a 23  fb 53 e9 7b
| Notify data  75 bf 43 c7
| emitting length of IKEv2 Notify Payload: 28
| natd_hash: hasher=0x5628736ab800(20)
| natd_hash: icookie=  a2 30 4a 5b  65 74 84 ee
| natd_hash: rcookie=  2f a9 8f 22  d3 2d 1e 58
| natd_hash: ip=  c0 01 03 d1
| natd_hash: port=500
| natd_hash: hash=  e7 b2 78 60  2a ce 49 b5  08 0a c4 24  92 ea aa 58
| natd_hash: hash=  03 1e e7 12
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting 20 raw bytes of Notify data into IKEv2 Notify Payload
| Notify data  e7 b2 78 60  2a ce 49 b5  08 0a c4 24  92 ea aa 58
| Notify data  03 1e e7 12
| emitting length of IKEv2 Notify Payload: 28
| going to send a certreq
| connection->kind is not CK_PERMANENT (instance), so collect CAs
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| Not a roadwarrior instance, sending empty CA in CERTREQ
| ***emit IKEv2 Certificate Request Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    ikev2 cert encoding: CERT_X509_SIGNATURE (0x4)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Certificate Request Payload (38:ISAKMP_NEXT_v2CERTREQ)
| next payload chain: saving location 'IKEv2 Certificate Request Payload'.'next payload type' in 'reply packet'
| emitting length of IKEv2 Certificate Request Payload: 5
| ***emit IKEv2 Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
| next payload chain: setting previous 'IKEv2 Certificate Request Payload'.'next payload type' to current IKEv2 Vendor ID Payload (43:ISAKMP_NEXT_v2V)
| next payload chain: saving location 'IKEv2 Vendor ID Payload'.'next payload type' in 'reply packet'
| emitting 19 raw bytes of Opportunistic IPsec into IKEv2 Vendor ID Payload
| Opportunistic IPsec  4f 70 70 6f  72 74 75 6e  69 73 74 69  63 20 49 50
| Opportunistic IPsec  73 65 63
| emitting length of IKEv2 Vendor ID Payload: 23
| emitting length of ISAKMP Message: 460
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in complete_v2_state_transition() at ikev2.c:3379)
| #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK
| IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1
| parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA)
| Message ID: updating counters for #1 to 0 after switching state
| Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1
| Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1
| STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
| sending V2 new request packet to 192.1.3.209:500 (from 192.1.2.23:500)
| sending 460 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1)
| state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted
| libevent_free: release ptr-libevent@0x562875141de8
| free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5628751614d8
| event_schedule: new EVENT_SO_DISCARD-pe@0x5628751614d8
| inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1
| libevent_malloc: new ptr-libevent@0x5628751615f8 size 128
| resume sending helper answer for #1 suppresed complete_v2_state_transition()
| #1 spent 0.321 milliseconds in resume sending helper answer
| stop processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:833)
| libevent_free: release ptr-libevent@0x7fd560002888
| spent 0.00306 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 539 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   a2 30 4a 5b  65 74 84 ee
|    responder cookie:
|   2f a9 8f 22  d3 2d 1e 58
|    next payload type: ISAKMP_NEXT_v2SKF (0x35)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
|    length: 539 (0x21b)
|  processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request 
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa)
| start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2016)
| State DB: IKEv2 state not found (find_v2_sa_by_responder_wip)
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ike_process_packet() at ikev2.c:2064)
| #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001
| Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SKF)
| ***parse IKEv2 Encrypted Fragment:
|    next payload type: ISAKMP_NEXT_v2IDi (0x23)
|    flags: none (0x0)
|    length: 511 (0x1ff)
|    fragment number: 1 (0x1)
|    total fragments: 5 (0x5)
| processing payload: ISAKMP_NEXT_v2SKF (len=503)
| Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1
| #1 in state PARENT_R1: received v2I1, sent v2R1
| received IKE encrypted fragment number '1', total number '5', next payload '35'
|  updated IKE fragment state to respond using fragments without waiting for re-transmits
| stop processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.157 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.171 milliseconds in comm_handle_cb() reading and processing packet
| spent 0.00161 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 539 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   a2 30 4a 5b  65 74 84 ee
|    responder cookie:
|   2f a9 8f 22  d3 2d 1e 58
|    next payload type: ISAKMP_NEXT_v2SKF (0x35)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
|    length: 539 (0x21b)
|  processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request 
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa)
| start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2016)
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ike_process_packet() at ikev2.c:2062)
| #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001
| #1 is idle
| #1 idle
| Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SKF)
| ***parse IKEv2 Encrypted Fragment:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    length: 511 (0x1ff)
|    fragment number: 2 (0x2)
|    total fragments: 5 (0x5)
| processing payload: ISAKMP_NEXT_v2SKF (len=503)
| #1 in state PARENT_R1: received v2I1, sent v2R1
| received IKE encrypted fragment number '2', total number '5', next payload '0'
| stop processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.118 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.126 milliseconds in comm_handle_cb() reading and processing packet
| spent 0.00113 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 539 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   a2 30 4a 5b  65 74 84 ee
|    responder cookie:
|   2f a9 8f 22  d3 2d 1e 58
|    next payload type: ISAKMP_NEXT_v2SKF (0x35)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
|    length: 539 (0x21b)
|  processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request 
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa)
| start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2016)
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ike_process_packet() at ikev2.c:2062)
| #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001
| #1 is idle
| #1 idle
| Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SKF)
| ***parse IKEv2 Encrypted Fragment:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    length: 511 (0x1ff)
|    fragment number: 3 (0x3)
|    total fragments: 5 (0x5)
| processing payload: ISAKMP_NEXT_v2SKF (len=503)
| #1 in state PARENT_R1: received v2I1, sent v2R1
| received IKE encrypted fragment number '3', total number '5', next payload '0'
| stop processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.118 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.125 milliseconds in comm_handle_cb() reading and processing packet
| spent 0.00102 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 539 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   a2 30 4a 5b  65 74 84 ee
|    responder cookie:
|   2f a9 8f 22  d3 2d 1e 58
|    next payload type: ISAKMP_NEXT_v2SKF (0x35)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
|    length: 539 (0x21b)
|  processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request 
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa)
| start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2016)
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ike_process_packet() at ikev2.c:2062)
| #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001
| #1 is idle
| #1 idle
| Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SKF)
| ***parse IKEv2 Encrypted Fragment:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    length: 511 (0x1ff)
|    fragment number: 4 (0x4)
|    total fragments: 5 (0x5)
| processing payload: ISAKMP_NEXT_v2SKF (len=503)
| #1 in state PARENT_R1: received v2I1, sent v2R1
| received IKE encrypted fragment number '4', total number '5', next payload '0'
| stop processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.113 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.124 milliseconds in comm_handle_cb() reading and processing packet
| spent 0.00126 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 66 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   a2 30 4a 5b  65 74 84 ee
|    responder cookie:
|   2f a9 8f 22  d3 2d 1e 58
|    next payload type: ISAKMP_NEXT_v2SKF (0x35)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
|    length: 66 (0x42)
|  processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request 
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa)
| start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2016)
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ike_process_packet() at ikev2.c:2062)
| #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001
| #1 is idle
| #1 idle
| Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SKF)
| ***parse IKEv2 Encrypted Fragment:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    length: 38 (0x26)
|    fragment number: 5 (0x5)
|    total fragments: 5 (0x5)
| processing payload: ISAKMP_NEXT_v2SKF (len=30)
| #1 in state PARENT_R1: received v2I1, sent v2R1
| received IKE encrypted fragment number '5', total number '5', next payload '0'
| selected state microcode Responder: process IKE_AUTH request (no SKEYSEED)
| Now let's proceed with state specific processing
| calling processor Responder: process IKE_AUTH request (no SKEYSEED)
| ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2
| offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16
| adding ikev2_inI2outR2 KE work-order 2 for state #1
| state #1 requesting EVENT_SO_DISCARD to be deleted
| libevent_free: release ptr-libevent@0x5628751615f8
| free_event_entry: release EVENT_SO_DISCARD-pe@0x5628751614d8
| event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5628751614d8
| inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1
| libevent_malloc: new ptr-libevent@0x7fd560002888 size 128
|   #1 spent 0.0273 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet()
| crypto helper 1 resuming
| crypto helper 1 starting work-order 2 for state #1
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in complete_v2_state_transition() at ikev2.c:3379)
| #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND
| crypto helper 1 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2
| suspending state #1 and saving MD
| #1 is busy; has a suspended MD
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in log_stf_suspend() at ikev2.c:3269)
| "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451
| stop processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.155 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.165 milliseconds in comm_handle_cb() reading and processing packet
| calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4
| crypto helper 1 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.000879 seconds
| (#1) spent 0.873 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr)
| crypto helper 1 sending results from work-order 2 for state #1 to event queue
| scheduling resume sending helper answer for #1
| libevent_malloc: new ptr-libevent@0x7fd558000f48 size 128
| crypto helper 1 waiting (nothing to do)
| processing resume sending helper answer for #1
| start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797)
| crypto helper 1 replies to request ID 2
| calling continuation function 0x5628735d6b50
| ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2
| #1 in state PARENT_R1: received v2I1, sent v2R1
| already have all fragments, skipping fragment collection
| already have all fragments, skipping fragment collection
| #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success
| Now let's proceed with payload (ISAKMP_NEXT_v2IDi)
| **parse IKEv2 Identification - Initiator - Payload:
|    next payload type: ISAKMP_NEXT_v2CERT (0x25)
|    flags: none (0x0)
|    length: 12 (0xc)
|    ID type: ID_IPV4_ADDR (0x1)
| processing payload: ISAKMP_NEXT_v2IDi (len=4)
| Now let's proceed with payload (ISAKMP_NEXT_v2CERT)
| **parse IKEv2 Certificate Payload:
|    next payload type: ISAKMP_NEXT_v2AUTH (0x27)
|    flags: none (0x0)
|    length: 1229 (0x4cd)
|    ikev2 cert encoding: CERT_X509_SIGNATURE (0x4)
| processing payload: ISAKMP_NEXT_v2CERT (len=1224)
| Now let's proceed with payload (ISAKMP_NEXT_v2AUTH)
| **parse IKEv2 Authentication Payload:
|    next payload type: ISAKMP_NEXT_v2SA (0x21)
|    flags: none (0x0)
|    length: 392 (0x188)
|    auth method: IKEv2_AUTH_RSA (0x1)
| processing payload: ISAKMP_NEXT_v2AUTH (len=384)
| Now let's proceed with payload (ISAKMP_NEXT_v2SA)
| **parse IKEv2 Security Association Payload:
|    next payload type: ISAKMP_NEXT_v2TSi (0x2c)
|    flags: none (0x0)
|    length: 164 (0xa4)
| processing payload: ISAKMP_NEXT_v2SA (len=160)
| Now let's proceed with payload (ISAKMP_NEXT_v2TSi)
| **parse IKEv2 Traffic Selector - Initiator - Payload:
|    next payload type: ISAKMP_NEXT_v2TSr (0x2d)
|    flags: none (0x0)
|    length: 24 (0x18)
|    number of TS: 1 (0x1)
| processing payload: ISAKMP_NEXT_v2TSi (len=16)
| Now let's proceed with payload (ISAKMP_NEXT_v2TSr)
| **parse IKEv2 Traffic Selector - Responder - Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
|    length: 24 (0x18)
|    number of TS: 1 (0x1)
| processing payload: ISAKMP_NEXT_v2TSr (len=16)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| **parse IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    length: 72 (0x48)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_NULL_AUTH (0xa000)
| processing payload: ISAKMP_NEXT_v2N (len=64)
| selected state microcode Responder: process IKE_AUTH request
| Now let's proceed with state specific processing
| calling processor Responder: process IKE_AUTH request
"private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: processing decrypted IKE_AUTH request: SK{IDi,CERT,AUTH,SA,TSi,TSr,N}
| #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669)
| global one-shot timer EVENT_FREE_ROOT_CERTS scheduled in 300 seconds
loading root certificate cache
| spent 2.63 milliseconds in get_root_certs() calling PK11_ListCertsInSlot()
| spent 0.0154 milliseconds in get_root_certs() filtering CAs
|       #1 spent 2.67 milliseconds in find_and_verify_certs() calling get_root_certs()
| checking for known CERT payloads
| saving certificate of type 'X509_SIGNATURE'
| decoded cert: E=user-road@testing.libreswan.org,CN=road.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
|       #1 spent 0.18 milliseconds in find_and_verify_certs() calling decode_cert_payloads()
| cert_issuer_has_current_crl: looking for a CRL issued by E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
|       #1 spent 0.0295 milliseconds in find_and_verify_certs() calling crl_update_check()
| missing or expired CRL
| crl_strict: 0, ocsp: 0, ocsp_strict: 0, ocsp_post: 0
| verify_end_cert trying profile IPsec
"private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: Certificate E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA failed IPsec verification
"private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: ERROR: The certificate was signed using a signature algorithm that is disabled because it is not secure.
|       #1 spent 0.312 milliseconds in find_and_verify_certs() calling verify_end_cert()
"private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: X509: Certificate rejected for this connection
"private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: X509: CERT payload bogus or revoked
| parsing 4 raw bytes of IKEv2 Identification - Initiator - Payload into peer ID
| peer ID  c0 01 03 d1
| refine_host_connection for IKEv2: starting with "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209
|    match_id a=192.1.3.209
|             b=192.1.3.209
|    results  matched
| refine_host_connection: checking "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 against "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0))
| Warning: not switching back to template of current instance
| No IDr payload received from peer
| refine_host_connection: checked private-or-clear#192.1.3.0/24[1] ...192.1.3.209 against private-or-clear#192.1.3.0/24[1] ...192.1.3.209, now for see if best
| started looking for secret for 192.1.2.23->192.1.3.209 of kind PKK_RSA
| searching for certificate PKK_RSA:AQO9bJbr3 vs PKK_RSA:AwEAAbEef
| private key for cert east not found in local cache; loading from NSS DB
| certs and keys locked by 'lsw_add_rsa_secret'
| certs and keys unlocked by 'lsw_add_rsa_secret'
| searching for certificate PKK_RSA:AwEAAbEef vs PKK_RSA:AwEAAbEef
| returning because exact peer id match
| offered CA: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| IKEv2 mode peer ID is ID_IPV4_ADDR: '192.1.3.209'
| received v2N_NULL_AUTH
| parsing 64 raw bytes of IKEv2 Notify Payload into NULL_AUTH extract
| NULL_AUTH extract  be 93 fe 5a  f9 7e 2f a3  ec 4e ed 84  12 8c f9 b8
| NULL_AUTH extract  38 fc c2 5c  2f ad 30 da  51 89 07 00  6d 88 16 ec
| NULL_AUTH extract  a4 1d 22 5d  8e 55 12 18  3f c9 cc ef  9a db b1 a6
| NULL_AUTH extract  75 09 f7 6d  cf fd d2 fe  4d 8a 0a fc  30 ec 2e 56
| verifying AUTH payload
| required RSA CA is '%any'
| checking RSA keyid 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' for match with '192.1.3.209'
| checking RSA keyid 'user-east@testing.libreswan.org' for match with '192.1.3.209'
| checking RSA keyid '@east.testing.libreswan.org' for match with '192.1.3.209'
| checking RSA keyid 'east@testing.libreswan.org' for match with '192.1.3.209'
| checking RSA keyid '192.1.2.23' for match with '192.1.3.209'
"private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: no RSA public key known for '192.1.3.209'
|       #1 spent 0.028 milliseconds in ikev2_verify_rsa_hash()
"private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: RSA authentication of I2 Auth Payload failed
"private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: responding to IKE_AUTH message (ID 1) from 192.1.3.209:500 with encrypted notification AUTHENTICATION_FAILED
| Opening output PBS encrypted notification
| **emit ISAKMP Message:
|    initiator cookie:
|   a2 30 4a 5b  65 74 84 ee
|    responder cookie:
|   2f a9 8f 22  d3 2d 1e 58
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
|    Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encryption Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK)
| next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'encrypted notification'
| emitting 8 zero bytes of IV into IKEv2 Encryption Payload
| Adding a v2N Payload
| ****emit IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_AUTHENTICATION_FAILED (0x18)
| next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'encrypted notification'
| emitting length of IKEv2 Notify Payload: 8
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload
| emitting length of IKEv2 Encryption Payload: 37
| emitting length of ISAKMP Message: 65
| sending 65 bytes for v2 notify through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1)
| pstats #1 ikev2.ike failed auth-failed
| ikev2_parent_inI2outR2_continue_tail returned STF_FATAL
|   #1 spent 3.65 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet()
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in complete_v2_state_transition() at ikev2.c:3379)
| #1 complete_v2_state_transition() PARENT_R1->V2_IPSEC_R with status STF_FATAL
| release_pending_whacks: state #1 has no whack fd
| pstats #1 ikev2.ike deleted auth-failed
| #1 spent 3.43 milliseconds in total
| [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in delete_state() at state.c:879)
"private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: deleting state (STATE_PARENT_R1) aged 0.017s and NOT sending notification
| parent state #1: PARENT_R1(half-open IKE SA) => delete
| state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted
| libevent_free: release ptr-libevent@0x7fd560002888
| free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5628751614d8
| State DB: IKEv2 state not found (flush_incomplete_children)
| in connection_discard for connection private-or-clear#192.1.3.0/24
| connection is instance
| not in pending use
| State DB: state not found (connection_discard)
| no states use this connection instance, deleting
| start processing: connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 (BACKGROUND) (in delete_connection() at connections.c:189)
| Deleting states for connection - not including other IPsec SA's
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| state #1
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| state #1
| free hp@0x5628751613a8
| flush revival: connection 'private-or-clear#192.1.3.0/24' wasn't on the list
| stop processing: connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 (BACKGROUND) (in discard_connection() at connections.c:249)
| State DB: deleting IKEv2 state #1 in PARENT_R1
| parent state #1: PARENT_R1(half-open IKE SA) => UNDEFINED(ignore)
| stop processing: state #1 from 192.1.3.209:500 (in delete_state() at state.c:1143)
| resume sending helper answer for #1 suppresed complete_v2_state_transition()
| in statetime_stop() and could not find #1
| processing: STOP state #0 (in resume_handler() at server.c:833)
| libevent_free: release ptr-libevent@0x7fd558000f48
| processing global timer EVENT_SHUNT_SCAN
| expiring aged bare shunts from shunt table
| spent 0.00347 milliseconds in global timer EVENT_SHUNT_SCAN
|  kernel_process_msg_cb process netlink message
| netlink_get: XFRM_MSG_ACQUIRE message
| xfrm netlink msg len 376
| xfrm acquire rtattribute type 5
| xfrm acquire rtattribute type 16
| add bare shunt 0x56287514f628 192.1.2.23/32:0 --1--> 192.1.3.209/32:0 => %hold 0    %acquire-netlink
initiate on demand from 192.1.2.23:0 to 192.1.3.209:0 proto=1 because: acquire
| find_connection: looking for policy for connection: 192.1.2.23:1/0 -> 192.1.3.209:1/0
| FOR_EACH_CONNECTION_... in find_connection_for_clients
| find_connection: conn "private-or-clear#192.1.3.0/24" has compatible peers: 192.1.2.23/32 -> 192.1.3.0/24 [pri: 33554444]
| find_connection: first OK "private-or-clear#192.1.3.0/24" [pri:33554444]{0x56287515ecb8} (child none)
| find_connection: concluding with "private-or-clear#192.1.3.0/24" [pri:33554444]{0x56287515ecb8} kind=CK_TEMPLATE
| creating new instance from "private-or-clear#192.1.3.0/24"
| shunt widened for protoports since conn does not limit protocols
| going to initiate opportunistic, first installing pass negotiationshunt
| priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfe7
| oe-negotiating eroute 192.1.2.23/32:0 --0-> 192.1.3.209/32:0 => %pass (raw_eroute)
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 2088935
| raw_eroute result=success
| added bare (possibly wided) passthrough negotiationshunt succeeded (violating API)
| add bare shunt 0x562875172648 192.1.2.23/32:0 --0--> 192.1.3.209/32:0 => %hold 0    oe-negotiating
| fiddle_bare_shunt called
| fiddle_bare_shunt with transport_proto 1
| removing specific host-to-host bare shunt
| delete bare kernel shunt - was replaced with  negotiationshunt eroute 192.1.2.23/32:0 --1-> 192.1.3.209/32:0 => %hold (raw_eroute)
| netlink_raw_eroute: SPI_PASS
| raw_eroute result=success
| raw_eroute with op='delete' for transport_proto='1' kernel shunt succeeded, bare shunt lookup succeeded
| delete bare shunt 0x56287514f628 192.1.2.23/32:0 --1--> 192.1.3.209/32:0 => %hold 0    %acquire-netlink
| success taking down narrow bare shunt
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| checking private-or-clear-all
| checking block
| checking private
| checking private-or-clear
| checking private-or-clear#192.1.3.0/24
| checking clear-or-private
| checking clear
| checking clear#192.1.2.253/32
| checking clear#192.1.3.253/32
| checking clear#192.1.3.254/32
| checking clear#192.1.2.254/32
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| checking private-or-clear-all
| checking block
| checking private
| checking private-or-clear
| checking private-or-clear#192.1.3.0/24
| checking clear-or-private
| checking clear
| checking clear#192.1.2.253/32
| checking clear#192.1.3.253/32
| checking clear#192.1.3.254/32
| checking clear#192.1.2.254/32
| connect_to_host_pair: 192.1.2.23:500 192.1.3.209:500 -> hp@(nil): none
| new hp@0x5628751613a8
| oppo instantiate d="private-or-clear#192.1.3.0/24" from c="private-or-clear#192.1.3.0/24" with c->routing prospective erouted, d->routing unrouted
| new oppo instance: 192.1.2.23---192.1.2.254...192.1.3.209===192.1.3.0/24
| oppo_instantiate() instantiated "[2] ...192.1.3.209"private-or-clear#192.1.3.0/24: 192.1.2.23---192.1.2.254...192.1.3.209
| assigning negotiation_shunt to connection
| assign hold, routing was unrouted, needs to be unrouted HOLD
| assign_holdpass() removing bare shunt
| delete bare shunt 0x562875172648 192.1.2.23/32:0 --0--> 192.1.3.209/32:0 => %hold 0    oe-negotiating
|  assign_holdpass() done - returning success
| assign_holdpass succeeded
| initiate on demand from 192.1.2.23:0 to 192.1.3.209:0 proto=1 because: acquire
| FOR_EACH_STATE_... in find_phase1_state
| creating state object #2 at 0x562875174638
| State DB: adding IKEv2 state #2 in UNDEFINED
| pstats #2 ikev2.ike started
| Message ID: init #2: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0
| parent state #2: UNDEFINED(ignore) => PARENT_I0(ignore)
| Message ID: init_ike #2; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1
| start processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ikev2_parent_outI1() at ikev2_parent.c:535)
| dup_any(fd@-1) -> fd@-1 (in ikev2_parent_outI1() at ikev2_parent.c:551)
| Queuing pending IPsec SA negotiating with 192.1.3.209 "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 IKE SA #2 "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209
| constructing local IKE proposals for private-or-clear#192.1.3.0/24 (IKE SA initiator selecting KE)
| converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ...  ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ...  ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ...  ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ...  ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
"private-or-clear#192.1.3.0/24"[2] ...192.1.3.209: constructed local IKE proposals for private-or-clear#192.1.3.0/24 (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| adding ikev2_outI1 KE work-order 3 for state #2
| event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7fd558001f18
| inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2
| libevent_malloc: new ptr-libevent@0x56287517bb58 size 128
| #2 spent 0.339 milliseconds in ikev2_parent_outI1()
| crypto helper 2 resuming
| crypto helper 2 starting work-order 3 for state #2
| crypto helper 2 doing build KE and nonce (ikev2_outI1 KE); request ID 3
| crypto helper 2 finished build KE and nonce (ikev2_outI1 KE); request ID 3 time elapsed 0.001001 seconds
| (#2) spent 0.996 milliseconds in crypto helper computing work-order 3: ikev2_outI1 KE (pcr)
| crypto helper 2 sending results from work-order 3 for state #2 to event queue
| scheduling resume sending helper answer for #2
| libevent_malloc: new ptr-libevent@0x7fd55c002888 size 128
| crypto helper 2 waiting (nothing to do)
| RESET processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ikev2_parent_outI1() at ikev2_parent.c:610)
| initiate on demand using AUTH_NULL from 192.1.2.23 to 192.1.3.209
| spent 0.388 milliseconds in kernel message
| processing resume sending helper answer for #2
| start processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in resume_handler() at server.c:797)
| crypto helper 2 replies to request ID 3
| calling continuation function 0x5628735d6b50
| ikev2_parent_outI1_continue for #2
| **emit ISAKMP Message:
|    initiator cookie:
|   7b 6a 2a dd  5c 7a c7 69
|    responder cookie:
|   00 00 00 00  00 00 00 00
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_SA_INIT (0x22)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 0 (0x0)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| using existing local IKE proposals for connection private-or-clear#192.1.3.0/24 (IKE SA initiator emitting local proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| Emitting ikev2_proposals ...
| ***emit IKEv2 Security Association Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA)
| next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet'
| discarding INTEG=NONE
| ****emit IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    prop #: 1 (0x1)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 11 (0xb)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| ******emit IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| discarding INTEG=NONE
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 100
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| discarding INTEG=NONE
| ****emit IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    prop #: 2 (0x2)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 11 (0xb)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| ******emit IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 128 (0x80)
| emitting length of IKEv2 Transform Substructure Payload: 12
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| discarding INTEG=NONE
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 100
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| ****emit IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    prop #: 3 (0x3)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 13 (0xd)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_CBC (0xc)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| ******emit IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 116
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| ****emit IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_LAST (0x0)
|    prop #: 4 (0x4)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 13 (0xd)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_CBC (0xc)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| ******emit IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 128 (0x80)
| emitting length of IKEv2 Transform Substructure Payload: 12
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 116
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| emitting length of IKEv2 Security Association Payload: 436
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0
| ***emit IKEv2 Key Exchange Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    DH group: OAKLEY_GROUP_MODP2048 (0xe)
| next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE)
| next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet'
| emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
| emitting length of IKEv2 Key Exchange Payload: 264
| ***emit IKEv2 Nonce Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
| next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N
| next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni)
| next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet'
| emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload
| IKEv2 nonce  0e ee 5e fb  18 2e 44 cc  a5 f8 16 85  08 88 83 57
| IKEv2 nonce  c3 ca c4 37  37 31 51 47  ce e6 66 ae  5c 5e c7 7a
| emitting length of IKEv2 Nonce Payload: 36
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e)
| next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting length of IKEv2 Notify Payload: 8
|  NAT-Traversal support  [enabled] add v2N payloads.
| natd_hash: rcookie is zero
| natd_hash: hasher=0x5628736ab800(20)
| natd_hash: icookie=  7b 6a 2a dd  5c 7a c7 69
| natd_hash: rcookie=  00 00 00 00  00 00 00 00
| natd_hash: ip=  c0 01 02 17
| natd_hash: port=500
| natd_hash: hash=  ac ee 88 87  3e c6 65 1c  e6 a7 e1 02  a7 b1 95 f2
| natd_hash: hash=  39 e4 45 a2
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting 20 raw bytes of Notify data into IKEv2 Notify Payload
| Notify data  ac ee 88 87  3e c6 65 1c  e6 a7 e1 02  a7 b1 95 f2
| Notify data  39 e4 45 a2
| emitting length of IKEv2 Notify Payload: 28
| natd_hash: rcookie is zero
| natd_hash: hasher=0x5628736ab800(20)
| natd_hash: icookie=  7b 6a 2a dd  5c 7a c7 69
| natd_hash: rcookie=  00 00 00 00  00 00 00 00
| natd_hash: ip=  c0 01 03 d1
| natd_hash: port=500
| natd_hash: hash=  5f a7 95 a7  73 e6 21 8f  2e 56 f5 e1  db f0 5a 81
| natd_hash: hash=  46 71 d4 8a
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting 20 raw bytes of Notify data into IKEv2 Notify Payload
| Notify data  5f a7 95 a7  73 e6 21 8f  2e 56 f5 e1  db f0 5a 81
| Notify data  46 71 d4 8a
| emitting length of IKEv2 Notify Payload: 28
| ***emit IKEv2 Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Vendor ID Payload (43:ISAKMP_NEXT_v2V)
| next payload chain: saving location 'IKEv2 Vendor ID Payload'.'next payload type' in 'reply packet'
| emitting 19 raw bytes of Opportunistic IPsec into IKEv2 Vendor ID Payload
| Opportunistic IPsec  4f 70 70 6f  72 74 75 6e  69 73 74 69  63 20 49 50
| Opportunistic IPsec  73 65 63
| emitting length of IKEv2 Vendor ID Payload: 23
| emitting length of ISAKMP Message: 851
| stop processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ikev2_parent_outI1_common() at ikev2_parent.c:817)
| start processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in complete_v2_state_transition() at ikev2.c:3379)
| #2 complete_v2_state_transition() PARENT_I0->PARENT_I1 with status STF_OK
| IKEv2: transition from state STATE_PARENT_I0 to state STATE_PARENT_I1
| parent state #2: PARENT_I0(ignore) => PARENT_I1(half-open IKE SA)
| Message ID: updating counters for #2 to 4294967295 after switching state
| Message ID: IKE #2 skipping update_recv as MD is fake
| Message ID: sent #2 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1->0 wip.responder=-1
| STATE_PARENT_I1: sent v2I1, expected v2R1
| sending V2 reply packet to 192.1.3.209:500 (from 192.1.2.23:500)
| sending 851 bytes for STATE_PARENT_I0 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #2)
| state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted
| libevent_free: release ptr-libevent@0x56287517bb58
| free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7fd558001f18
| success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=15000ms
"private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #2: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds
| event_schedule: new EVENT_RETRANSMIT-pe@0x7fd558001f18
| inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #2
| libevent_malloc: new ptr-libevent@0x562875172718 size 128
| #2 STATE_PARENT_I1: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29642.146101
| resume sending helper answer for #2 suppresed complete_v2_state_transition() and stole MD
| #2 spent 1.25 milliseconds in resume sending helper answer
| stop processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in resume_handler() at server.c:833)
| libevent_free: release ptr-libevent@0x7fd55c002888
| spent 0.00196 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 460 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   7b 6a 2a dd  5c 7a c7 69
|    responder cookie:
|   09 8a aa 72  c2 0f 6a aa
|    next payload type: ISAKMP_NEXT_v2SA (0x21)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_SA_INIT (0x22)
|    flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
|    Message ID: 0 (0x0)
|    length: 460 (0x1cc)
|  processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34)
| I am the IKE SA Original Initiator receiving an IKEv2 IKE_SA_INIT response 
| State DB: found IKEv2 state #2 in PARENT_I1 (find_v2_ike_sa_by_initiator_spi)
| start processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ikev2_process_packet() at ikev2.c:2016)
| [RE]START processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ike_process_packet() at ikev2.c:2062)
| #2 is idle
| #2 idle
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SA)
| ***parse IKEv2 Security Association Payload:
|    next payload type: ISAKMP_NEXT_v2KE (0x22)
|    flags: none (0x0)
|    length: 40 (0x28)
| processing payload: ISAKMP_NEXT_v2SA (len=36)
| Now let's proceed with payload (ISAKMP_NEXT_v2KE)
| ***parse IKEv2 Key Exchange Payload:
|    next payload type: ISAKMP_NEXT_v2Ni (0x28)
|    flags: none (0x0)
|    length: 264 (0x108)
|    DH group: OAKLEY_GROUP_MODP2048 (0xe)
| processing payload: ISAKMP_NEXT_v2KE (len=256)
| Now let's proceed with payload (ISAKMP_NEXT_v2Ni)
| ***parse IKEv2 Nonce Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
|    length: 36 (0x24)
| processing payload: ISAKMP_NEXT_v2Ni (len=32)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
|    length: 8 (0x8)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e)
| processing payload: ISAKMP_NEXT_v2N (len=0)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
|    length: 28 (0x1c)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004)
| processing payload: ISAKMP_NEXT_v2N (len=20)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2CERTREQ (0x26)
|    flags: none (0x0)
|    length: 28 (0x1c)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
| processing payload: ISAKMP_NEXT_v2N (len=20)
| Now let's proceed with payload (ISAKMP_NEXT_v2CERTREQ)
| ***parse IKEv2 Certificate Request Payload:
|    next payload type: ISAKMP_NEXT_v2V (0x2b)
|    flags: none (0x0)
|    length: 5 (0x5)
|    ikev2 cert encoding: CERT_X509_SIGNATURE (0x4)
| processing payload: ISAKMP_NEXT_v2CERTREQ (len=0)
| Now let's proceed with payload (ISAKMP_NEXT_v2V)
| ***parse IKEv2 Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    length: 23 (0x17)
| processing payload: ISAKMP_NEXT_v2V (len=19)
| State DB: re-hashing IKEv2 state #2 IKE SPIi and SPI[ir]
| #2 in state PARENT_I1: sent v2I1, expected v2R1
| selected state microcode Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH
| Now let's proceed with state specific processing
| calling processor Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH
| ikev2 parent inR1: calculating g^{xy} in order to send I2
| using existing local IKE proposals for connection private-or-clear#192.1.3.0/24 (IKE SA initiator accepting remote proposal): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| Comparing remote proposals against IKE initiator (accepting) 4 local proposals
| local proposal 1 type ENCR has 1 transforms
| local proposal 1 type PRF has 2 transforms
| local proposal 1 type INTEG has 1 transforms
| local proposal 1 type DH has 8 transforms
| local proposal 1 type ESN has 0 transforms
| local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG
| local proposal 2 type ENCR has 1 transforms
| local proposal 2 type PRF has 2 transforms
| local proposal 2 type INTEG has 1 transforms
| local proposal 2 type DH has 8 transforms
| local proposal 2 type ESN has 0 transforms
| local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG
| local proposal 3 type ENCR has 1 transforms
| local proposal 3 type PRF has 2 transforms
| local proposal 3 type INTEG has 2 transforms
| local proposal 3 type DH has 8 transforms
| local proposal 3 type ESN has 0 transforms
| local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none
| local proposal 4 type ENCR has 1 transforms
| local proposal 4 type PRF has 2 transforms
| local proposal 4 type INTEG has 2 transforms
| local proposal 4 type DH has 8 transforms
| local proposal 4 type ESN has 0 transforms
| local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none
| ****parse IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_LAST (0x0)
|    length: 36 (0x24)
|    prop #: 1 (0x1)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 3 (0x3)
| Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 12 (0xc)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_GCM_C (0x14)
| ******parse IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 256 (0x100)
| remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| remote proposal 1 transform 2 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0
| remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none
| comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH
| remote proposal 1 matches local proposal 1
| remote accepted the proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048[first-match]
| converting proposal to internal trans attrs
| natd_hash: hasher=0x5628736ab800(20)
| natd_hash: icookie=  7b 6a 2a dd  5c 7a c7 69
| natd_hash: rcookie=  09 8a aa 72  c2 0f 6a aa
| natd_hash: ip=  c0 01 02 17
| natd_hash: port=500
| natd_hash: hash=  a4 02 ab 2f  84 be 38 bc  aa b4 de 69  5c 05 d5 e3
| natd_hash: hash=  6f 7b 7d 25
| natd_hash: hasher=0x5628736ab800(20)
| natd_hash: icookie=  7b 6a 2a dd  5c 7a c7 69
| natd_hash: rcookie=  09 8a aa 72  c2 0f 6a aa
| natd_hash: ip=  c0 01 03 d1
| natd_hash: port=500
| natd_hash: hash=  2c c8 62 a9  0e e7 b8 59  45 3c 1d 09  56 90 2c 19
| natd_hash: hash=  eb a7 82 48
| NAT_TRAVERSAL encaps using auto-detect
| NAT_TRAVERSAL this end is NOT behind NAT
| NAT_TRAVERSAL that end is NOT behind NAT
| NAT_TRAVERSAL nat-keepalive enabled 192.1.3.209
| offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16
| adding ikev2_inR1outI2 KE work-order 4 for state #2
| state #2 requesting EVENT_RETRANSMIT to be deleted
| #2 STATE_PARENT_I1: retransmits: cleared
| libevent_free: release ptr-libevent@0x562875172718
| free_event_entry: release EVENT_RETRANSMIT-pe@0x7fd558001f18
| event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7fd558001f18
| inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2
| libevent_malloc: new ptr-libevent@0x7fd55c002888 size 128
|   #2 spent 0.205 milliseconds in processing: Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH in ikev2_process_state_packet()
| [RE]START processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in complete_v2_state_transition() at ikev2.c:3379)
| #2 complete_v2_state_transition() PARENT_I1->PARENT_I2 with status STF_SUSPEND
| suspending state #2 and saving MD
| crypto helper 3 resuming
| #2 is busy; has a suspended MD
| crypto helper 3 starting work-order 4 for state #2
| [RE]START processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in log_stf_suspend() at ikev2.c:3269)
| "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #2 complete v2 state STATE_PARENT_I1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451
| crypto helper 3 doing compute dh (V2) (ikev2_inR1outI2 KE); request ID 4
| stop processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ikev2_process_packet() at ikev2.c:2018)
| #2 spent 0.468 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.479 milliseconds in comm_handle_cb() reading and processing packet
| calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4
| crypto helper 3 finished compute dh (V2) (ikev2_inR1outI2 KE); request ID 4 time elapsed 0.001337 seconds
| (#2) spent 1.33 milliseconds in crypto helper computing work-order 4: ikev2_inR1outI2 KE (pcr)
| crypto helper 3 sending results from work-order 4 for state #2 to event queue
| scheduling resume sending helper answer for #2
| libevent_malloc: new ptr-libevent@0x7fd550000f48 size 128
| crypto helper 3 waiting (nothing to do)
| processing resume sending helper answer for #2
| start processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in resume_handler() at server.c:797)
| crypto helper 3 replies to request ID 4
| calling continuation function 0x5628735d6b50
| ikev2_parent_inR1outI2_continue for #2: calculating g^{xy}, sending I2
| creating state object #3 at 0x562875176218
| State DB: adding IKEv2 state #3 in UNDEFINED
| pstats #3 ikev2.child started
| duplicating state object #2 "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 as #3 for IPSEC SA
| #3 setting local endpoint to 192.1.2.23:500 from #2.st_localport (in duplicate_state() at state.c:1484)
| Message ID: init_child #2.#3; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1; child: wip.initiator=0->-1 wip.responder=0->-1
| Message ID: switch-from #2 response 0; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=0->-1 wip.responder=-1
| Message ID: switch-to #2.#3 response 0; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1; child: wip.initiator=-1->0 wip.responder=-1
| state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted
| libevent_free: release ptr-libevent@0x7fd55c002888
| free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7fd558001f18
| event_schedule: new EVENT_SA_REPLACE-pe@0x7fd558001f18
| inserting event EVENT_SA_REPLACE, timeout in 60 seconds for #2
| libevent_malloc: new ptr-libevent@0x7fd55c002888 size 128
| parent state #2: PARENT_I1(half-open IKE SA) => PARENT_I2(open IKE SA)
| **emit ISAKMP Message:
|    initiator cookie:
|   7b 6a 2a dd  5c 7a c7 69
|    responder cookie:
|   09 8a aa 72  c2 0f 6a aa
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encryption Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK)
| next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet'
| emitting 8 zero bytes of IV into IKEv2 Encryption Payload
| IKEv2 CERT: send a certificate?
| IKEv2 CERT: OK to send a certificate (always)
| IDr payload will NOT be sent
| ****emit IKEv2 Identification - Initiator - Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    ID type: ID_IPV4_ADDR (0x1)
| next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Initiator - Payload (35:ISAKMP_NEXT_v2IDi)
| next payload chain: saving location 'IKEv2 Identification - Initiator - Payload'.'next payload type' in 'reply packet'
| emitting 4 raw bytes of my identity into IKEv2 Identification - Initiator - Payload
| my identity  c0 01 02 17
| emitting length of IKEv2 Identification - Initiator - Payload: 12
| Sending [CERT] of certificate: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
| ****emit IKEv2 Certificate Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    ikev2 cert encoding: CERT_X509_SIGNATURE (0x4)
| next payload chain: setting previous 'IKEv2 Identification - Initiator - Payload'.'next payload type' to current IKEv2 Certificate Payload (37:ISAKMP_NEXT_v2CERT)
| next payload chain: saving location 'IKEv2 Certificate Payload'.'next payload type' in 'reply packet'
| emitting 1260 raw bytes of CERT into IKEv2 Certificate Payload
| emitting length of IKEv2 Certificate Payload: 1265
| IKEv2 CERTREQ: send a cert request?
| IKEv2 CERTREQ: no CA DN known to send
| not sending INITIAL_CONTACT
| ****emit IKEv2 Authentication Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    auth method: IKEv2_AUTH_RSA (0x1)
| next payload chain: setting previous 'IKEv2 Certificate Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH)
| next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet'
| started looking for secret for 192.1.2.23->192.1.3.209 of kind PKK_RSA
| searching for certificate PKK_RSA:AwEAAbEef vs PKK_RSA:AwEAAbEef
|     #2 spent 9.77 milliseconds in ikev2_calculate_rsa_hash() calling sign_hash_RSA()
| emitting 384 raw bytes of rsa signature into IKEv2 Authentication Payload
|   #2 spent 9.94 milliseconds in ikev2_calculate_rsa_hash()
| ikev2_calculate_psk_sighash() called from STATE_PARENT_I2 to create PSK with authby=null
| emitting length of IKEv2 Authentication Payload: 392
| getting first pending from state #2
| netlink_get_spi: allocated 0x3dd28668 for esp.0@192.1.2.23
| constructing ESP/AH proposals with all DH removed  for private-or-clear#192.1.3.0/24 (IKE SA initiator emitting ESP/AH proposals)
| converting proposal AES_GCM_16_256-NONE to ikev2 ...
| ...  ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED
| converting proposal AES_GCM_16_128-NONE to ikev2 ...
| ...  ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED
| converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ...
| ...  ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
| converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ...
| ...  ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
"private-or-clear#192.1.3.0/24"[2] ...192.1.3.209: constructed local ESP/AH proposals for private-or-clear#192.1.3.0/24 (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
| Emitting ikev2_proposals ...
| ****emit IKEv2 Security Association Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
| next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA)
| next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet'
| discarding INTEG=NONE
| discarding DH=NONE
| *****emit IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    prop #: 1 (0x1)
|    proto ID: IKEv2_SEC_PROTO_ESP (0x3)
|    spi size: 4 (0x4)
|    # transforms: 2 (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload
| our spi  3d d2 86 68
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| *******emit IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| discarding INTEG=NONE
| discarding DH=NONE
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    IKEv2 transform type: TRANS_TYPE_ESN (0x5)
|    IKEv2 transform ID: ESN_DISABLED (0x0)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 32
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| discarding INTEG=NONE
| discarding DH=NONE
| *****emit IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    prop #: 2 (0x2)
|    proto ID: IKEv2_SEC_PROTO_ESP (0x3)
|    spi size: 4 (0x4)
|    # transforms: 2 (0x2)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload
| our spi  3d d2 86 68
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| *******emit IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 128 (0x80)
| emitting length of IKEv2 Transform Substructure Payload: 12
| discarding INTEG=NONE
| discarding DH=NONE
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    IKEv2 transform type: TRANS_TYPE_ESN (0x5)
|    IKEv2 transform ID: ESN_DISABLED (0x0)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 32
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| discarding DH=NONE
| *****emit IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    prop #: 3 (0x3)
|    proto ID: IKEv2_SEC_PROTO_ESP (0x3)
|    spi size: 4 (0x4)
|    # transforms: 4 (0x4)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload
| our spi  3d d2 86 68
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_CBC (0xc)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| *******emit IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| discarding DH=NONE
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    IKEv2 transform type: TRANS_TYPE_ESN (0x5)
|    IKEv2 transform ID: ESN_DISABLED (0x0)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 48
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| discarding DH=NONE
| *****emit IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_LAST (0x0)
|    prop #: 4 (0x4)
|    proto ID: IKEv2_SEC_PROTO_ESP (0x3)
|    spi size: 4 (0x4)
|    # transforms: 4 (0x4)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload
| our spi  3d d2 86 68
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_CBC (0xc)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| *******emit IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 128 (0x80)
| emitting length of IKEv2 Transform Substructure Payload: 12
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| discarding DH=NONE
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    IKEv2 transform type: TRANS_TYPE_ESN (0x5)
|    IKEv2 transform ID: ESN_DISABLED (0x0)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 48
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| emitting length of IKEv2 Security Association Payload: 164
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0
| ****emit IKEv2 Traffic Selector - Initiator - Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    number of TS: 1 (0x1)
| next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi)
| next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet'
| *****emit IKEv2 Traffic Selector:
|    TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
|    IP Protocol ID: 0 (0x0)
|    start port: 0 (0x0)
|    end port: 65535 (0xffff)
| emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector
| ipv4 start  c0 01 02 17
| emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector
| ipv4 end  c0 01 02 17
| emitting length of IKEv2 Traffic Selector: 16
| emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24
| ****emit IKEv2 Traffic Selector - Responder - Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    number of TS: 1 (0x1)
| next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr)
| next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet'
| *****emit IKEv2 Traffic Selector:
|    TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
|    IP Protocol ID: 0 (0x0)
|    start port: 0 (0x0)
|    end port: 65535 (0xffff)
| emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector
| ipv4 start  c0 01 03 d1
| emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector
| ipv4 end  c0 01 03 d1
| emitting length of IKEv2 Traffic Selector: 16
| emitting length of IKEv2 Traffic Selector - Responder - Payload: 24
| Initiator child policy is tunnel mode, NOT sending v2N_USE_TRANSPORT_MODE
| Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED
| Adding a v2N Payload
| ****emit IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_NULL_AUTH (0xa000)
| next payload chain: setting previous 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting 64 raw bytes of Notify data into IKEv2 Notify Payload
| Notify data  25 f9 35 a4  3e 3f 85 55  e2 83 e7 29  b6 7a 43 50
| Notify data  6e 4a c5 b3  8c 40 59 3a  5f 35 74 67  70 36 32 50
| Notify data  ae 29 f0 53  d3 62 c3 30  5d e2 cc c6  9e d5 a6 b6
| Notify data  6f 9e 48 d9  61 1e 34 0a  24 a0 1b 07  34 92 a8 ca
| emitting length of IKEv2 Notify Payload: 72
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload
| emitting length of IKEv2 Encryption Payload: 1982
| emitting length of ISAKMP Message: 2010
| **parse ISAKMP Message:
|    initiator cookie:
|   7b 6a 2a dd  5c 7a c7 69
|    responder cookie:
|   09 8a aa 72  c2 0f 6a aa
|    next payload type: ISAKMP_NEXT_v2SK (0x2e)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
|    length: 2010 (0x7da)
| **parse IKEv2 Encryption Payload:
|    next payload type: ISAKMP_NEXT_v2IDi (0x23)
|    flags: none (0x0)
|    length: 1982 (0x7be)
| **emit ISAKMP Message:
|    initiator cookie:
|   7b 6a 2a dd  5c 7a c7 69
|    responder cookie:
|   09 8a aa 72  c2 0f 6a aa
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encrypted Fragment:
|    next payload type: ISAKMP_NEXT_v2IDi (0x23)
|    flags: none (0x0)
|    fragment number: 1 (0x1)
|    total fragments: 5 (0x5)
| next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 35:ISAKMP_NEXT_v2IDi
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF)
| next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet'
| emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment
| emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment
| emitting length of IKEv2 Encrypted Fragment: 511
| emitting length of ISAKMP Message: 539
| **emit ISAKMP Message:
|    initiator cookie:
|   7b 6a 2a dd  5c 7a c7 69
|    responder cookie:
|   09 8a aa 72  c2 0f 6a aa
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encrypted Fragment:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    fragment number: 2 (0x2)
|    total fragments: 5 (0x5)
| next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF)
| next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet'
| emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment
| emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment
| emitting length of IKEv2 Encrypted Fragment: 511
| emitting length of ISAKMP Message: 539
| **emit ISAKMP Message:
|    initiator cookie:
|   7b 6a 2a dd  5c 7a c7 69
|    responder cookie:
|   09 8a aa 72  c2 0f 6a aa
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encrypted Fragment:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    fragment number: 3 (0x3)
|    total fragments: 5 (0x5)
| next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF)
| next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet'
| emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment
| emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment
| emitting length of IKEv2 Encrypted Fragment: 511
| emitting length of ISAKMP Message: 539
| **emit ISAKMP Message:
|    initiator cookie:
|   7b 6a 2a dd  5c 7a c7 69
|    responder cookie:
|   09 8a aa 72  c2 0f 6a aa
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encrypted Fragment:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    fragment number: 4 (0x4)
|    total fragments: 5 (0x5)
| next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF)
| next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet'
| emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment
| emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment
| emitting length of IKEv2 Encrypted Fragment: 511
| emitting length of ISAKMP Message: 539
| **emit ISAKMP Message:
|    initiator cookie:
|   7b 6a 2a dd  5c 7a c7 69
|    responder cookie:
|   09 8a aa 72  c2 0f 6a aa
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encrypted Fragment:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    fragment number: 5 (0x5)
|    total fragments: 5 (0x5)
| next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF)
| next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet'
| emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment
| emitting 41 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| cleartext fragment  3a 5f 35 74  67 70 36 32  50 ae 29 f0  53 d3 62 c3
| cleartext fragment  30 5d e2 cc  c6 9e d5 a6  b6 6f 9e 48  d9 61 1e 34
| cleartext fragment  0a 24 a0 1b  07 34 92 a8  ca
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment
| emitting length of IKEv2 Encrypted Fragment: 74
| emitting length of ISAKMP Message: 102
| suspend processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in complete_v2_state_transition() at ikev2.c:3379)
| start processing: state #3 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in complete_v2_state_transition() at ikev2.c:3379)
| #3 complete_v2_state_transition() md.from_state=PARENT_I1 md.svm.state[from]=PARENT_I1 UNDEFINED->PARENT_I2 with status STF_OK
| IKEv2: transition from state STATE_PARENT_I1 to state STATE_PARENT_I2
| child state #3: UNDEFINED(ignore) => PARENT_I2(open IKE SA)
| Message ID: updating counters for #3 to 0 after switching state
| Message ID: recv #2.#3 response 0; ike: initiator.sent=0 initiator.recv=-1->0 responder.sent=-1 responder.recv=-1; child: wip.initiator=0->-1 wip.responder=-1
| Message ID: sent #2.#3 request 1; ike: initiator.sent=0->1 initiator.recv=0 responder.sent=-1 responder.recv=-1; child: wip.initiator=-1->1 wip.responder=-1
| STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
| sending V2 reply packet to 192.1.3.209:500 (from 192.1.2.23:500)
| sending fragments ...
| sending 539 bytes for STATE_PARENT_I1 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #2)
| sending 539 bytes for STATE_PARENT_I1 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #2)
| sending 539 bytes for STATE_PARENT_I1 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #2)
| sending 539 bytes for STATE_PARENT_I1 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #2)
| sending 102 bytes for STATE_PARENT_I1 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #2)
| sent 5 fragments
| success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=15000ms
"private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #3: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds
| event_schedule: new EVENT_RETRANSMIT-pe@0x7fd55c002b78
| inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #3
| libevent_malloc: new ptr-libevent@0x562875178b08 size 128
| #3 STATE_PARENT_I2: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29642.168353
| resume sending helper answer for #2 suppresed complete_v2_state_transition()
|   #2 spent 1.59 milliseconds
| #2 spent 11.9 milliseconds in resume sending helper answer
| stop processing: state #3 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in resume_handler() at server.c:833)
| libevent_free: release ptr-libevent@0x7fd550000f48
| spent 0.00289 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 65 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
|   7b 6a 2a dd  5c 7a c7 69  09 8a aa 72  c2 0f 6a aa
|   2e 20 23 20  00 00 00 01  00 00 00 41  29 00 00 25
|   fd 7a 57 34  60 56 83 cb  35 06 6c b1  c4 33 b6 7b
|   70 c3 1d 7f  05 09 49 f9  32 09 95 12  ee 6b d8 79
|   a2
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   7b 6a 2a dd  5c 7a c7 69
|    responder cookie:
|   09 8a aa 72  c2 0f 6a aa
|    next payload type: ISAKMP_NEXT_v2SK (0x2e)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
|    Message ID: 1 (0x1)
|    length: 65 (0x41)
|  processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Initiator receiving an IKEv2 IKE_AUTH response 
| State DB: found IKEv2 state #2 in PARENT_I2 (find_v2_ike_sa)
| start processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ikev2_process_packet() at ikev2.c:2016)
| State DB: found IKEv2 state #3 in PARENT_I2 (find_v2_sa_by_initiator_wip)
| suspend processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ike_process_packet() at ikev2.c:2062)
| start processing: state #3 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ike_process_packet() at ikev2.c:2062)
| #3 is idle
| #3 idle
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SK)
| ***parse IKEv2 Encryption Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
|    length: 37 (0x25)
| processing payload: ISAKMP_NEXT_v2SK (len=33)
| #3 in state PARENT_I2: sent v2I2, expected v2R2
| #3 ikev2 ISAKMP_v2_IKE_AUTH decrypt success
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| **parse IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    length: 8 (0x8)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_AUTHENTICATION_FAILED (0x18)
| processing payload: ISAKMP_NEXT_v2N (len=0)
| selected state microcode Initiator: process AUTHENTICATION_FAILED AUTH notification
| Now let's proceed with state specific processing
| calling processor Initiator: process AUTHENTICATION_FAILED AUTH notification
"private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #3: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
| pstats #2 ikev2.ike failed auth-failed
"private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #3: scheduling retry attempt 1 of an unlimited number
| release_pending_whacks: state #3 has no whack fd
| release_pending_whacks: IKE SA #2 fd@-1 has pending CHILD SA with socket fd@-1
| libevent_free: release ptr-libevent@0x562875178b08
| free_event_entry: release EVENT_RETRANSMIT-pe@0x7fd55c002b78
| event_schedule: new EVENT_RETRANSMIT-pe@0x7fd55c002b78
| inserting event EVENT_RETRANSMIT, timeout in 59.991397 seconds for #3
| libevent_malloc: new ptr-libevent@0x7fd550000f48 size 128
"private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #3: STATE_PARENT_I2: suppressing retransmits; will wait 59.991397 seconds for retry
| #3 spent 0.0372 milliseconds in processing: Initiator: process AUTHENTICATION_FAILED AUTH notification in ikev2_process_state_packet()
| [RE]START processing: state #3 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in complete_v2_state_transition() at ikev2.c:3379)
| #3 complete_v2_state_transition() PARENT_I2->PARENT_I2 with status STF_IGNORE
| stop processing: state #3 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ikev2_process_packet() at ikev2.c:2018)
| #2 spent 0.193 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.203 milliseconds in comm_handle_cb() reading and processing packet
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_STATE_... in show_states_status (sort_states)
| FOR_EACH_STATE_... in sort_states
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.71 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
shutting down
| processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825)
destroying root certificate cache
| certs and keys locked by 'free_preshared_secrets'
forgetting secrets
| certs and keys unlocked by 'free_preshared_secrets'
| unreference key: 0x5628751551b8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1--
| unreference key: 0x562875154af8 user-east@testing.libreswan.org cnt 1--
| unreference key: 0x562875158ce8 @east.testing.libreswan.org cnt 1--
| unreference key: 0x5628751574f8 east@testing.libreswan.org cnt 1--
| unreference key: 0x562875157038 192.1.2.23 cnt 1--
| start processing: connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 (in delete_connection() at connections.c:189)
| removing pending policy for no connection {0x56287512a558}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| state #3
| suspend processing: connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 (in foreach_state_by_connection_func_delete() at state.c:1310)
| start processing: state #3 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in foreach_state_by_connection_func_delete() at state.c:1310)
| pstats #3 ikev2.child deleted other
| #3 spent 0.0372 milliseconds in total
| [RE]START processing: state #3 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in delete_state() at state.c:879)
"private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #3: deleting state (STATE_PARENT_I2) aged 12.587s and NOT sending notification
| child state #3: PARENT_I2(open IKE SA) => delete
| child state #3: PARENT_I2(open IKE SA) => CHILDSA_DEL(informational)
| state #3 requesting EVENT_RETRANSMIT to be deleted
| #3 STATE_CHILDSA_DEL: retransmits: cleared
| libevent_free: release ptr-libevent@0x7fd550000f48
| free_event_entry: release EVENT_RETRANSMIT-pe@0x7fd55c002b78
| priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfdf
| delete inbound eroute 192.1.3.209/32:0 --0-> 192.1.2.23/32:0 => unk255.10000@192.1.2.23 (raw_eroute)
| raw_eroute result=success
| stop processing: connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 (BACKGROUND) (in update_state_connection() at connections.c:4076)
| start processing: connection NULL (in update_state_connection() at connections.c:4077)
| in connection_discard for connection private-or-clear#192.1.3.0/24
| State DB: deleting IKEv2 state #3 in CHILDSA_DEL
| child state #3: CHILDSA_DEL(informational) => UNDEFINED(ignore)
| stop processing: state #3 from 192.1.3.209 (in delete_state() at state.c:1143)
| processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312)
| state #2
| start processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in foreach_state_by_connection_func_delete() at state.c:1310)
| pstats #2 ikev2.ike deleted auth-failed
| #2 spent 16.4 milliseconds in total
| [RE]START processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in delete_state() at state.c:879)
"private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #2: deleting state (STATE_PARENT_I2) aged 12.596s and NOT sending notification
| parent state #2: PARENT_I2(open IKE SA) => delete
| state #2 requesting EVENT_SA_REPLACE to be deleted
| libevent_free: release ptr-libevent@0x7fd55c002888
| free_event_entry: release EVENT_SA_REPLACE-pe@0x7fd558001f18
| State DB: IKEv2 state not found (flush_incomplete_children)
| in connection_discard for connection private-or-clear#192.1.3.0/24
| State DB: deleting IKEv2 state #2 in PARENT_I2
| parent state #2: PARENT_I2(open IKE SA) => UNDEFINED(ignore)
| stop processing: state #2 from 192.1.3.209 (in delete_state() at state.c:1143)
| processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312)
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'private-or-clear#192.1.3.0/24' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfdf
| netlink_raw_eroute: SPI_PASS
| priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfdf
| netlink_raw_eroute: SPI_PASS
| free hp@0x5628751613a8
| flush revival: connection 'private-or-clear#192.1.3.0/24' wasn't on the list
| processing: STOP connection NULL (in discard_connection() at connections.c:249)
| start processing: connection "private-or-clear-all" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| flush revival: connection 'private-or-clear-all' wasn't on the list
| stop processing: connection "private-or-clear-all" (in discard_connection() at connections.c:249)
| start processing: connection "block" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| flush revival: connection 'block' wasn't on the list
| stop processing: connection "block" (in discard_connection() at connections.c:249)
| start processing: connection "private" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| flush revival: connection 'private' wasn't on the list
| stop processing: connection "private" (in discard_connection() at connections.c:249)
| start processing: connection "private-or-clear#192.1.3.0/24" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'private-or-clear#192.1.3.0/24' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfe7
| netlink_raw_eroute: SPI_PASS
| priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfe7
| netlink_raw_eroute: SPI_PASS
| FOR_EACH_CONNECTION_... in route_owner
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "private-or-clear#192.1.3.0/24" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute 
| command executing unroute-host
| executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#192.1.3.0/24' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.0/24' PLUTO_PEER_CLIENT_NET='192.1.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' 
| popen cmd is 1104 chars long
| cmd(   0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear:
| cmd(  80):#192.1.3.0/24' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192:
| cmd( 160):.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIEN:
| cmd( 240):T_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUT:
| cmd( 320):O_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.:
| cmd( 400):0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.0/24' PLUTO_PEER_CLIENT_NET:
| cmd( 480):='192.1.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PE:
| cmd( 560):ER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CO:
| cmd( 640):NN_POLICY='RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTA:
| cmd( 720):NCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS' PLUTO_CONN_KIND=':
| cmd( 800):CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0':
| cmd( 880): PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG:
| cmd( 960):_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTIN:
| cmd(1040):G='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1:
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid.
| flush revival: connection 'private-or-clear#192.1.3.0/24' wasn't on the list
| stop processing: connection "private-or-clear#192.1.3.0/24" (in discard_connection() at connections.c:249)
| start processing: connection "private-or-clear" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| flush revival: connection 'private-or-clear' wasn't on the list
| stop processing: connection "private-or-clear" (in discard_connection() at connections.c:249)
| start processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in delete_connection() at connections.c:189)
"clear#192.1.2.253/32" 0.0.0.0: deleting connection "clear#192.1.2.253/32" 0.0.0.0 instance with peer 0.0.0.0 {isakmp=#0/ipsec=#0}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'clear#192.1.2.253/32' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf
| priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.253/32" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute 
| command executing unroute-host
| executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_O
| popen cmd is 1018 chars long
| cmd(   0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25:
| cmd(  80):3/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' :
| cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19:
| cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT:
| cmd( 320):OCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_:
| cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1:
| cmd( 480):.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_:
| cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_:
| cmd( 640):POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING:
| cmd( 720):_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO:
| cmd( 800):_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVE:
| cmd( 880):R='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no':
| cmd( 960): VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1:
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
| flush revival: connection 'clear#192.1.2.253/32' wasn't on the list
| stop processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in discard_connection() at connections.c:249)
| start processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in delete_connection() at connections.c:189)
"clear#192.1.3.253/32" 0.0.0.0: deleting connection "clear#192.1.3.253/32" 0.0.0.0 instance with peer 0.0.0.0 {isakmp=#0/ipsec=#0}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'clear#192.1.3.253/32' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf
| priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.253/32" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute 
| command executing unroute-host
| executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_O
| popen cmd is 1018 chars long
| cmd(   0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25:
| cmd(  80):3/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' :
| cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19:
| cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT:
| cmd( 320):OCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_:
| cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1:
| cmd( 480):.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_:
| cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_:
| cmd( 640):POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING:
| cmd( 720):_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO:
| cmd( 800):_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVE:
| cmd( 880):R='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no':
| cmd( 960): VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1:
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
| flush revival: connection 'clear#192.1.3.253/32' wasn't on the list
| stop processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in discard_connection() at connections.c:249)
| start processing: connection "clear#192.1.3.254/32" 0.0.0.0 (in delete_connection() at connections.c:189)
"clear#192.1.3.254/32" 0.0.0.0: deleting connection "clear#192.1.3.254/32" 0.0.0.0 instance with peer 0.0.0.0 {isakmp=#0/ipsec=#0}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'clear#192.1.3.254/32' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.3.254/32" is 0x17dfdf
| priority calculation of connection "clear#192.1.3.254/32" is 0x17dfdf
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.254/32" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute 
| command executing unroute-host
| executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_O
| popen cmd is 1018 chars long
| cmd(   0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25:
| cmd(  80):4/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' :
| cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19:
| cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT:
| cmd( 320):OCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_:
| cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1:
| cmd( 480):.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_:
| cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_:
| cmd( 640):POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING:
| cmd( 720):_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO:
| cmd( 800):_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVE:
| cmd( 880):R='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no':
| cmd( 960): VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1:
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
| flush revival: connection 'clear#192.1.3.254/32' wasn't on the list
| stop processing: connection "clear#192.1.3.254/32" 0.0.0.0 (in discard_connection() at connections.c:249)
| start processing: connection "clear#192.1.2.254/32" 0.0.0.0 (in delete_connection() at connections.c:189)
"clear#192.1.2.254/32" 0.0.0.0: deleting connection "clear#192.1.2.254/32" 0.0.0.0 instance with peer 0.0.0.0 {isakmp=#0/ipsec=#0}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'clear#192.1.2.254/32' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.2.254/32" is 0x17dfdf
| priority calculation of connection "clear#192.1.2.254/32" is 0x17dfdf
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.254/32" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute 
| command executing unroute-host
| executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_O
| popen cmd is 1018 chars long
| cmd(   0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25:
| cmd(  80):4/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' :
| cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19:
| cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT:
| cmd( 320):OCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_:
| cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1:
| cmd( 480):.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_:
| cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_:
| cmd( 640):POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING:
| cmd( 720):_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO:
| cmd( 800):_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVE:
| cmd( 880):R='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no':
| cmd( 960): VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1:
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
| flush revival: connection 'clear#192.1.2.254/32' wasn't on the list
| stop processing: connection "clear#192.1.2.254/32" 0.0.0.0 (in discard_connection() at connections.c:249)
| start processing: connection "clear" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| flush revival: connection 'clear' wasn't on the list
| stop processing: connection "clear" (in discard_connection() at connections.c:249)
| start processing: connection "clear-or-private" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| free hp@0x56287514ec58
| flush revival: connection 'clear-or-private' wasn't on the list
| stop processing: connection "clear-or-private" (in discard_connection() at connections.c:249)
| crl fetch request list locked by 'free_crl_fetch'
| crl fetch request list unlocked by 'free_crl_fetch'
shutting down interface lo/lo 127.0.0.1:4500
shutting down interface lo/lo 127.0.0.1:500
shutting down interface eth0/eth0 192.0.2.254:4500
shutting down interface eth0/eth0 192.0.2.254:500
shutting down interface eth1/eth1 192.1.2.23:4500
shutting down interface eth1/eth1 192.1.2.23:500
| FOR_EACH_STATE_... in delete_states_dead_interfaces
| libevent_free: release ptr-libevent@0x562875151848
| free_event_entry: release EVENT_NULL-pe@0x56287514da18
| libevent_free: release ptr-libevent@0x5628750e8638
| free_event_entry: release EVENT_NULL-pe@0x56287514dac8
| libevent_free: release ptr-libevent@0x5628750e86e8
| free_event_entry: release EVENT_NULL-pe@0x56287514db78
| libevent_free: release ptr-libevent@0x5628750e7658
| free_event_entry: release EVENT_NULL-pe@0x56287514dc28
| libevent_free: release ptr-libevent@0x5628750ef968
| free_event_entry: release EVENT_NULL-pe@0x56287514dcd8
| libevent_free: release ptr-libevent@0x5628750f0488
| free_event_entry: release EVENT_NULL-pe@0x56287514dd88
| FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
| libevent_free: release ptr-libevent@0x562875141e98
| free_event_entry: release EVENT_NULL-pe@0x562875136038
| libevent_free: release ptr-libevent@0x56287512eb38
| free_event_entry: release EVENT_NULL-pe@0x562875135b98
| libevent_free: release ptr-libevent@0x56287512ea88
| free_event_entry: release EVENT_NULL-pe@0x5628750efb28
| global timer EVENT_REINIT_SECRET uninitialized
| global timer EVENT_SHUNT_SCAN uninitialized
| global timer EVENT_PENDING_DDNS uninitialized
| global timer EVENT_PENDING_PHASE2 uninitialized
| global timer EVENT_CHECK_CRLS uninitialized
| global timer EVENT_REVIVE_CONNS uninitialized
| global timer EVENT_FREE_ROOT_CERTS uninitialized
| global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized
| global timer EVENT_NAT_T_KEEPALIVE uninitialized
| libevent_free: release ptr-libevent@0x5628750f40f8
| signal event handler PLUTO_SIGCHLD uninstalled
| libevent_free: release ptr-libevent@0x562875060ec8
| signal event handler PLUTO_SIGTERM uninstalled
| libevent_free: release ptr-libevent@0x562875076858
| signal event handler PLUTO_SIGHUP uninstalled
| libevent_free: release ptr-libevent@0x56287514d4f8
| signal event handler PLUTO_SIGSYS uninstalled
| releasing event base
| libevent_free: release ptr-libevent@0x56287514d3c8
| libevent_free: release ptr-libevent@0x562875130458
| libevent_free: release ptr-libevent@0x562875130408
| libevent_free: release ptr-libevent@0x5628750e7938
| libevent_free: release ptr-libevent@0x5628751303c8
| libevent_free: release ptr-libevent@0x56287514d188
| libevent_free: release ptr-libevent@0x56287514d2c8
| libevent_free: release ptr-libevent@0x562875130608
| libevent_free: release ptr-libevent@0x562875135c08
| libevent_free: release ptr-libevent@0x562875135868
| libevent_free: release ptr-libevent@0x56287514ddf8
| libevent_free: release ptr-libevent@0x56287514dd48
| libevent_free: release ptr-libevent@0x56287514dc98
| libevent_free: release ptr-libevent@0x56287514dbe8
| libevent_free: release ptr-libevent@0x56287514db38
| libevent_free: release ptr-libevent@0x56287514da88
| libevent_free: release ptr-libevent@0x562875071d88
| libevent_free: release ptr-libevent@0x56287514d348
| libevent_free: release ptr-libevent@0x56287514d308
| libevent_free: release ptr-libevent@0x56287514d1c8
| libevent_free: release ptr-libevent@0x56287514d388
| libevent_free: release ptr-libevent@0x56287507d768
| libevent_free: release ptr-libevent@0x5628750f5c88
| libevent_free: release ptr-libevent@0x5628750f5c08
| libevent_free: release ptr-libevent@0x5628750714c8
| releasing global libevent data
| libevent_free: release ptr-libevent@0x5628750f5e08
| libevent_free: release ptr-libevent@0x5628750f5d88
| libevent_free: release ptr-libevent@0x5628750f5d08
leak: group instance name, item size: 30
leak: cloned from groupname, item size: 17
leak: group instance name, item size: 21
leak: cloned from groupname, item size: 6
leak: group instance name, item size: 21
leak: cloned from groupname, item size: 6
leak: group instance name, item size: 21
leak: cloned from groupname, item size: 6
leak: group instance name, item size: 21
leak: cloned from groupname, item size: 6
leak: policy group path, item size: 54
leak detective found 11 leaks, total size 209