FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:22808 core dump dir: /tmp secrets file: /etc/ipsec.secrets leak-detective enabled NSS crypto [enabled] XAUTH PAM support [enabled] | libevent is using pluto's memory allocator Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | libevent_malloc: new ptr-libevent@0x5628750f5e08 size 40 | libevent_malloc: new ptr-libevent@0x5628750f5d88 size 40 | libevent_malloc: new ptr-libevent@0x5628750f5d08 size 40 | creating event base | libevent_malloc: new ptr-libevent@0x5628750e7938 size 56 | libevent_malloc: new ptr-libevent@0x5628750714c8 size 664 | libevent_malloc: new ptr-libevent@0x562875130408 size 24 | libevent_malloc: new ptr-libevent@0x562875130458 size 384 | libevent_malloc: new ptr-libevent@0x5628751303c8 size 16 | libevent_malloc: new ptr-libevent@0x5628750f5c88 size 40 | libevent_malloc: new ptr-libevent@0x5628750f5c08 size 48 | libevent_realloc: new ptr-libevent@0x562875071d88 size 256 | libevent_malloc: new ptr-libevent@0x562875130608 size 16 | libevent_free: release ptr-libevent@0x5628750e7938 | libevent initialized | libevent_realloc: new ptr-libevent@0x5628750e7938 size 64 | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized | global one-shot timer EVENT_FREE_ROOT_CERTS initialized | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds | global one-shot timer EVENT_REVIVE_CONNS initialized | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 | starting up helper thread 0 | status value returned by setting the priority of this thread (crypto helper 0) 22 | crypto helper 0 waiting (nothing to do) started thread for crypto helper 1 | starting up helper thread 1 | status value returned by setting the priority of this thread (crypto helper 1) 22 | crypto helper 1 waiting (nothing to do) started thread for crypto helper 2 | starting up helper thread 2 | status value returned by setting the priority of this thread (crypto helper 2) 22 | crypto helper 2 waiting (nothing to do) started thread for crypto helper 3 | starting up helper thread 3 | status value returned by setting the priority of this thread (crypto helper 3) 22 | crypto helper 3 waiting (nothing to do) started thread for crypto helper 4 | starting up helper thread 4 | status value returned by setting the priority of this thread (crypto helper 4) 22 | crypto helper 4 waiting (nothing to do) started thread for crypto helper 5 | starting up helper thread 5 | status value returned by setting the priority of this thread (crypto helper 5) 22 | crypto helper 5 waiting (nothing to do) started thread for crypto helper 6 | starting up helper thread 6 | status value returned by setting the priority of this thread (crypto helper 6) 22 | crypto helper 6 waiting (nothing to do) | checking IKEv1 state table | MAIN_R0: category: half-open IKE SA flags: 0: | -> MAIN_R1 EVENT_SO_DISCARD | MAIN_I1: category: half-open IKE SA flags: 0: | -> MAIN_I2 EVENT_RETRANSMIT | MAIN_R1: category: open IKE SA flags: 200: | -> MAIN_R2 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_I2: category: open IKE SA flags: 0: | -> MAIN_I3 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_R2: category: open IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | -> MAIN_R3 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_I3: category: open IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | -> MAIN_I4 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_R3: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | MAIN_I4: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | AGGR_R0: category: half-open IKE SA flags: 0: | -> AGGR_R1 EVENT_SO_DISCARD | AGGR_I1: category: half-open IKE SA flags: 0: | -> AGGR_I2 EVENT_SA_REPLACE | -> AGGR_I2 EVENT_SA_REPLACE | AGGR_R1: category: open IKE SA flags: 200: | -> AGGR_R2 EVENT_SA_REPLACE | -> AGGR_R2 EVENT_SA_REPLACE | AGGR_I2: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | AGGR_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | QUICK_R0: category: established CHILD SA flags: 0: | -> QUICK_R1 EVENT_RETRANSMIT | QUICK_I1: category: established CHILD SA flags: 0: | -> QUICK_I2 EVENT_SA_REPLACE | QUICK_R1: category: established CHILD SA flags: 0: | -> QUICK_R2 EVENT_SA_REPLACE | QUICK_I2: category: established CHILD SA flags: 200: | -> UNDEFINED EVENT_NULL | QUICK_R2: category: established CHILD SA flags: 0: | -> UNDEFINED EVENT_NULL | INFO: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | INFO_PROTECTED: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | XAUTH_R0: category: established IKE SA flags: 0: | -> XAUTH_R1 EVENT_NULL | XAUTH_R1: category: established IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | MODE_CFG_R0: category: informational flags: 0: | -> MODE_CFG_R1 EVENT_SA_REPLACE | MODE_CFG_R1: category: established IKE SA flags: 0: | -> MODE_CFG_R2 EVENT_SA_REPLACE | MODE_CFG_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | MODE_CFG_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | XAUTH_I0: category: established IKE SA flags: 0: | -> XAUTH_I1 EVENT_RETRANSMIT | XAUTH_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_RETRANSMIT | checking IKEv2 state table | PARENT_I0: category: ignore flags: 0: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) | PARENT_I1: category: half-open IKE SA flags: 0: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) | PARENT_I2: category: open IKE SA flags: 0: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) | PARENT_I3: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) | PARENT_R0: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) | PARENT_R1: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) | PARENT_R2: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) | V2_CREATE_I0: category: established IKE SA flags: 0: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) | V2_CREATE_I: category: established IKE SA flags: 0: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) | V2_REKEY_IKE_I: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: | V2_CREATE_R: category: established IKE SA flags: 0: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) | V2_REKEY_IKE_R: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: | V2_IPSEC_I: category: established CHILD SA flags: 0: | V2_IPSEC_R: category: established CHILD SA flags: 0: | IKESA_DEL: category: established IKE SA flags: 0: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) | CHILDSA_DEL: category: informational flags: 0: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | adding HMAC_SHA2_384_192 to kernel algorithm db | adding HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds | setup kernel fd callback | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x5628750efb28 | libevent_malloc: new ptr-libevent@0x56287512ea88 size 128 | libevent_malloc: new ptr-libevent@0x562875135c08 size 16 | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x562875135b98 | libevent_malloc: new ptr-libevent@0x56287512eb38 size 128 | libevent_malloc: new ptr-libevent@0x562875135868 size 16 | global one-shot timer EVENT_CHECK_CRLS initialized selinux support is enabled. | unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | outgoing-port-avoid set 0-65535 | outgoing-port-permit set 32768-60999 | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x562875136038 | libevent_malloc: new ptr-libevent@0x562875141e98 size 128 | libevent_malloc: new ptr-libevent@0x56287514d188 size 16 | libevent_realloc: new ptr-libevent@0x56287507d768 size 256 | libevent_malloc: new ptr-libevent@0x56287514d1c8 size 8 | libevent_realloc: new ptr-libevent@0x56287514d208 size 144 | libevent_malloc: new ptr-libevent@0x5628750f40f8 size 152 | libevent_malloc: new ptr-libevent@0x56287514d2c8 size 16 | signal event handler PLUTO_SIGCHLD installed | libevent_malloc: new ptr-libevent@0x56287514d308 size 8 | libevent_malloc: new ptr-libevent@0x562875060ec8 size 152 | signal event handler PLUTO_SIGTERM installed | libevent_malloc: new ptr-libevent@0x56287514d348 size 8 | libevent_malloc: new ptr-libevent@0x562875076858 size 152 | signal event handler PLUTO_SIGHUP installed | libevent_malloc: new ptr-libevent@0x56287514d388 size 8 | libevent_realloc: release ptr-libevent@0x56287514d208 | libevent_realloc: new ptr-libevent@0x56287514d3c8 size 256 | libevent_malloc: new ptr-libevent@0x56287514d4f8 size 152 | signal event handler PLUTO_SIGSYS installed | created addconn helper (pid:22957) using fork+execve | forked child 22957 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 Kernel supports NIC esp-hw-offload adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth1/eth1 192.1.2.23:4500 adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.0.2.254:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | no interfaces to sort | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | add_fd_read_event_handler: new ethX-pe@0x56287514da18 | libevent_malloc: new ptr-libevent@0x562875141de8 size 128 | libevent_malloc: new ptr-libevent@0x56287514da88 size 16 | setup callback for interface lo 127.0.0.1:4500 fd 22 | add_fd_read_event_handler: new ethX-pe@0x56287514dac8 | libevent_malloc: new ptr-libevent@0x5628750e8638 size 128 | libevent_malloc: new ptr-libevent@0x56287514db38 size 16 | setup callback for interface lo 127.0.0.1:500 fd 21 | add_fd_read_event_handler: new ethX-pe@0x56287514db78 | libevent_malloc: new ptr-libevent@0x5628750e86e8 size 128 | libevent_malloc: new ptr-libevent@0x56287514dbe8 size 16 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | add_fd_read_event_handler: new ethX-pe@0x56287514dc28 | libevent_malloc: new ptr-libevent@0x5628750e7658 size 128 | libevent_malloc: new ptr-libevent@0x56287514dc98 size 16 | setup callback for interface eth0 192.0.2.254:500 fd 19 | add_fd_read_event_handler: new ethX-pe@0x56287514dcd8 | libevent_malloc: new ptr-libevent@0x5628750ef968 size 128 | libevent_malloc: new ptr-libevent@0x56287514dd48 size 16 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | add_fd_read_event_handler: new ethX-pe@0x56287514dd88 | libevent_malloc: new ptr-libevent@0x5628750f0488 size 128 | libevent_malloc: new ptr-libevent@0x56287514ddf8 size 16 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 1.08 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection clear with policy AUTH_NEVER+GROUP+PASS+NEVER_NEGOTIATE | counting wild cards for (none) is 15 | counting wild cards for (none) is 15 | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none | new hp@0x56287514ec58 added connection description "clear" | ike_life: 0s; ipsec_life: 0s; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0; replay_window: 0; policy: AUTH_NEVER+GROUP+PASS+NEVER_NEGOTIATE | 192.1.2.23---192.1.2.254...%group | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0988 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection clear-or-private with policy RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 | from whack: got --esp= | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 | loading left certificate 'east' pubkey | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x562875151c88 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x562875151c38 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x5628751518f8 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x5628751517f8 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x562875151d38 | unreference key: 0x562875154af8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | certs and keys locked by 'lsw_add_rsa_secret' | certs and keys unlocked by 'lsw_add_rsa_secret' | counting wild cards for (none) is 15 | counting wild cards for (none) is 15 | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x56287514ec58: clear added connection description "clear-or-private" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS | 192.1.2.23---192.1.2.254...%opportunisticgroup | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.999 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection private-or-clear with policy RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 | from whack: got --esp= | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 | loading left certificate 'east' pubkey | unreference key: 0x5628751574f8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x562875158a38 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x5628751589e8 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x562875159368 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x5628751588d8 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x562875158928 | unreference key: 0x5628751551b8 192.1.2.23 cnt 1-- | unreference key: 0x562875156588 east@testing.libreswan.org cnt 1-- | unreference key: 0x562875156b18 @east.testing.libreswan.org cnt 1-- | unreference key: 0x562875157038 user-east@testing.libreswan.org cnt 1-- | unreference key: 0x562875158ce8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | secrets entry for east already exists | counting wild cards for (none) is 15 | counting wild cards for (none) is 15 | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x56287514ec58: clear-or-private added connection description "private-or-clear" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS | 192.1.2.23---192.1.2.254...%opportunisticgroup | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.619 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection private with policy RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failureDROP | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 | from whack: got --esp= | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 | loading left certificate 'east' pubkey | unreference key: 0x562875157038 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515abb8 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515ab68 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515b4e8 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515aa58 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515aaa8 | unreference key: 0x562875154af8 192.1.2.23 cnt 1-- | unreference key: 0x5628751551b8 east@testing.libreswan.org cnt 1-- | unreference key: 0x562875156588 @east.testing.libreswan.org cnt 1-- | unreference key: 0x562875156b18 user-east@testing.libreswan.org cnt 1-- | unreference key: 0x5628751574f8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | secrets entry for east already exists | counting wild cards for (none) is 15 | counting wild cards for (none) is 15 | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x56287514ec58: private-or-clear added connection description "private" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failureDROP | 192.1.2.23---192.1.2.254...%opportunisticgroup | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.579 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection block with policy AUTH_NEVER+GROUP+REJECT+NEVER_NEGOTIATE | counting wild cards for (none) is 15 | counting wild cards for (none) is 15 | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x56287514ec58: private added connection description "block" | ike_life: 0s; ipsec_life: 0s; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0; replay_window: 0; policy: AUTH_NEVER+GROUP+REJECT+NEVER_NEGOTIATE | 192.1.2.23---192.1.2.254...%group | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0712 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection private-or-clear-all with policy RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 | from whack: got --esp= | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 | loading left certificate 'east' pubkey | unreference key: 0x562875156b18 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515d0e8 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515d098 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515da18 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515cf88 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515cfd8 | unreference key: 0x562875158ce8 192.1.2.23 cnt 1-- | unreference key: 0x562875154af8 east@testing.libreswan.org cnt 1-- | unreference key: 0x5628751551b8 @east.testing.libreswan.org cnt 1-- | unreference key: 0x562875156588 user-east@testing.libreswan.org cnt 1-- | unreference key: 0x562875157038 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | secrets entry for east already exists | counting wild cards for (none) is 15 | counting wild cards for (none) is 15 | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x56287514ec58: block added connection description "private-or-clear-all" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS | 192.1.2.23---192.1.2.254...%opportunisticgroup | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.721 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in conn_by_name | start processing: connection "private-or-clear-all" (in delete_connection() at connections.c:189) | Deleting states for connection - not including other IPsec SA's | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | flush revival: connection 'private-or-clear-all' wasn't on the list | stop processing: connection "private-or-clear-all" (in discard_connection() at connections.c:249) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection private-or-clear-all with policy RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 | from whack: got --esp= | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 | loading left certificate 'east' pubkey | unreference key: 0x562875156588 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515bed8 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515b498 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515bdc8 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515be18 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56287515c148 | unreference key: 0x5628751574f8 192.1.2.23 cnt 1-- | unreference key: 0x562875158ce8 east@testing.libreswan.org cnt 1-- | unreference key: 0x562875154af8 @east.testing.libreswan.org cnt 1-- | unreference key: 0x5628751551b8 user-east@testing.libreswan.org cnt 1-- | unreference key: 0x562875156b18 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | secrets entry for east already exists | counting wild cards for (none) is 15 | counting wild cards for (none) is 15 | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x56287514ec58: block added connection description "private-or-clear-all" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS | 192.1.2.23---192.1.2.254...%opportunisticgroup | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.602 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 | no interfaces to sort | libevent_free: release ptr-libevent@0x562875141de8 | free_event_entry: release EVENT_NULL-pe@0x56287514da18 | add_fd_read_event_handler: new ethX-pe@0x56287514da18 | libevent_malloc: new ptr-libevent@0x562875151848 size 128 | setup callback for interface lo 127.0.0.1:4500 fd 22 | libevent_free: release ptr-libevent@0x5628750e8638 | free_event_entry: release EVENT_NULL-pe@0x56287514dac8 | add_fd_read_event_handler: new ethX-pe@0x56287514dac8 | libevent_malloc: new ptr-libevent@0x5628750e8638 size 128 | setup callback for interface lo 127.0.0.1:500 fd 21 | libevent_free: release ptr-libevent@0x5628750e86e8 | free_event_entry: release EVENT_NULL-pe@0x56287514db78 | add_fd_read_event_handler: new ethX-pe@0x56287514db78 | libevent_malloc: new ptr-libevent@0x5628750e86e8 size 128 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | libevent_free: release ptr-libevent@0x5628750e7658 | free_event_entry: release EVENT_NULL-pe@0x56287514dc28 | add_fd_read_event_handler: new ethX-pe@0x56287514dc28 | libevent_malloc: new ptr-libevent@0x5628750e7658 size 128 | setup callback for interface eth0 192.0.2.254:500 fd 19 | libevent_free: release ptr-libevent@0x5628750ef968 | free_event_entry: release EVENT_NULL-pe@0x56287514dcd8 | add_fd_read_event_handler: new ethX-pe@0x56287514dcd8 | libevent_malloc: new ptr-libevent@0x5628750ef968 size 128 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | libevent_free: release ptr-libevent@0x5628750f0488 | free_event_entry: release EVENT_NULL-pe@0x56287514dd88 | add_fd_read_event_handler: new ethX-pe@0x56287514dd88 | libevent_malloc: new ptr-libevent@0x5628750f0488 size 128 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | no group file "/etc/ipsec.d/policies/private-or-clear-all" (pwd:/tmp) loading group "/etc/ipsec.d/policies/block" loading group "/etc/ipsec.d/policies/private" loading group "/etc/ipsec.d/policies/private-or-clear" loading group "/etc/ipsec.d/policies/clear-or-private" loading group "/etc/ipsec.d/policies/clear" | 192.1.2.23/32->192.1.2.254/32 0 sport 0 dport 0 clear | 192.1.2.23/32->192.1.3.254/32 0 sport 0 dport 0 clear | 192.1.2.23/32->192.1.3.253/32 0 sport 0 dport 0 clear | 192.1.2.23/32->192.1.2.253/32 0 sport 0 dport 0 clear | 192.1.2.23/32->192.1.3.0/24 0 sport 0 dport 0 private-or-clear | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in conn_by_name | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.436 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | start processing: connection "clear" (in whack_route_connection() at rcv_whack.c:106) | FOR_EACH_CONNECTION_... in conn_by_name | suspend processing: connection "clear" (in route_group() at foodgroups.c:435) | start processing: connection "clear#192.1.2.254/32" 0.0.0.0 (in route_group() at foodgroups.c:435) | could_route called for clear#192.1.2.254/32 (kind=CK_INSTANCE) | FOR_EACH_CONNECTION_... in route_owner | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn clear mark 0/00000000, 0/00000000 | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear-all mark 0/00000000, 0/00000000 | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn block mark 0/00000000, 0/00000000 | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn private mark 0/00000000, 0/00000000 | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear mark 0/00000000, 0/00000000 | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private mark 0/00000000, 0/00000000 | route owner of "clear#192.1.2.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... in route_owner | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn clear mark 0/00000000, 0/00000000 | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear-all mark 0/00000000, 0/00000000 | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn block mark 0/00000000, 0/00000000 | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn private mark 0/00000000, 0/00000000 | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear mark 0/00000000, 0/00000000 | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private mark 0/00000000, 0/00000000 | route owner of "clear#192.1.2.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL | route_and_eroute with c: clear#192.1.2.254/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0 | shunt_eroute() called for connection 'clear#192.1.2.254/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "clear#192.1.2.254/32" is 0x17dfdf | netlink_raw_eroute: SPI_PASS | IPsec Sa SPD priority set to 1564639 | priority calculation of connection "clear#192.1.2.254/32" is 0x17dfdf | netlink_raw_eroute: SPI_PASS | IPsec Sa SPD priority set to 1564639 | route_and_eroute: firewall_notified: true | running updown command "ipsec _updown" for verb prepare | command executing prepare-host | id type with ID_NONE means wildcard match | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE | popen cmd is 1134 chars long | cmd( 0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25: | cmd( 80):4/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' : | cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19: | cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT: | cmd( 320):OCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_: | cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1: | cmd( 480):.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_: | cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test De: | cmd( 640):partment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK=: | cmd( 720):'netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVE: | cmd( 800):R_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FA: | cmd( 880):ILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' : | cmd( 960):PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGUR: | cmd(1040):ED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipse: | cmd(1120):c _updown 2>&1: | running updown command "ipsec _updown" for verb route | command executing route-host | id type with ID_NONE means wildcard match | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER | popen cmd is 1132 chars long | cmd( 0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/: | cmd( 80):32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PL: | cmd( 160):UTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.: | cmd( 240):1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC: | cmd( 320):OL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PE: | cmd( 400):ER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1.2: | cmd( 480):.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PR: | cmd( 560):OTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Depa: | cmd( 640):rtment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='n: | cmd( 720):etkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_: | cmd( 800):NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAIL: | cmd( 880):ED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PL: | cmd( 960):UTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED: | cmd(1040):='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec : | cmd(1120):_updown 2>&1: | suspend processing: connection "clear#192.1.2.254/32" 0.0.0.0 (in route_group() at foodgroups.c:439) | start processing: connection "clear" (in route_group() at foodgroups.c:439) | FOR_EACH_CONNECTION_... in conn_by_name | suspend processing: connection "clear" (in route_group() at foodgroups.c:435) | start processing: connection "clear#192.1.3.254/32" 0.0.0.0 (in route_group() at foodgroups.c:435) | could_route called for clear#192.1.3.254/32 (kind=CK_INSTANCE) | FOR_EACH_CONNECTION_... in route_owner | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear-all mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn block mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn private mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private mark 0/00000000, 0/00000000 | route owner of "clear#192.1.3.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... in route_owner | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear-all mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn block mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn private mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private mark 0/00000000, 0/00000000 | route owner of "clear#192.1.3.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL | route_and_eroute with c: clear#192.1.3.254/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0 | shunt_eroute() called for connection 'clear#192.1.3.254/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "clear#192.1.3.254/32" is 0x17dfdf | netlink_raw_eroute: SPI_PASS | IPsec Sa SPD priority set to 1564639 | priority calculation of connection "clear#192.1.3.254/32" is 0x17dfdf | netlink_raw_eroute: SPI_PASS | IPsec Sa SPD priority set to 1564639 | route_and_eroute: firewall_notified: true | running updown command "ipsec _updown" for verb prepare | command executing prepare-host | id type with ID_NONE means wildcard match | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE | popen cmd is 1134 chars long | cmd( 0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25: | cmd( 80):4/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' : | cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19: | cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT: | cmd( 320):OCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_: | cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1: | cmd( 480):.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_: | cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test De: | cmd( 640):partment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK=: | cmd( 720):'netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVE: | cmd( 800):R_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FA: | cmd( 880):ILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' : | cmd( 960):PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGUR: | cmd(1040):ED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipse: | cmd(1120):c _updown 2>&1: | running updown command "ipsec _updown" for verb route | command executing route-host | id type with ID_NONE means wildcard match | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER | popen cmd is 1132 chars long | cmd( 0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/: | cmd( 80):32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PL: | cmd( 160):UTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.: | cmd( 240):1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC: | cmd( 320):OL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PE: | cmd( 400):ER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1.3: | cmd( 480):.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PR: | cmd( 560):OTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Depa: | cmd( 640):rtment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='n: | cmd( 720):etkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_: | cmd( 800):NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAIL: | cmd( 880):ED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PL: | cmd( 960):UTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED: | cmd(1040):='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec : | cmd(1120):_updown 2>&1: | suspend processing: connection "clear#192.1.3.254/32" 0.0.0.0 (in route_group() at foodgroups.c:439) | start processing: connection "clear" (in route_group() at foodgroups.c:439) | FOR_EACH_CONNECTION_... in conn_by_name | suspend processing: connection "clear" (in route_group() at foodgroups.c:435) | start processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in route_group() at foodgroups.c:435) | could_route called for clear#192.1.3.253/32 (kind=CK_INSTANCE) | FOR_EACH_CONNECTION_... in route_owner | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear-all mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn block mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn private mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private mark 0/00000000, 0/00000000 | route owner of "clear#192.1.3.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... in route_owner | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear-all mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn block mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn private mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private mark 0/00000000, 0/00000000 | route owner of "clear#192.1.3.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL | route_and_eroute with c: clear#192.1.3.253/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0 | shunt_eroute() called for connection 'clear#192.1.3.253/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf | netlink_raw_eroute: SPI_PASS | IPsec Sa SPD priority set to 1564639 | priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf | netlink_raw_eroute: SPI_PASS | IPsec Sa SPD priority set to 1564639 | route_and_eroute: firewall_notified: true | running updown command "ipsec _updown" for verb prepare | command executing prepare-host | id type with ID_NONE means wildcard match | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE | popen cmd is 1134 chars long | cmd( 0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25: | cmd( 80):3/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' : | cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19: | cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT: | cmd( 320):OCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_: | cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1: | cmd( 480):.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_: | cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test De: | cmd( 640):partment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK=: | cmd( 720):'netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVE: | cmd( 800):R_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FA: | cmd( 880):ILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' : | cmd( 960):PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGUR: | cmd(1040):ED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipse: | cmd(1120):c _updown 2>&1: | running updown command "ipsec _updown" for verb route | command executing route-host | id type with ID_NONE means wildcard match | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER | popen cmd is 1132 chars long | cmd( 0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/: | cmd( 80):32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PL: | cmd( 160):UTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.: | cmd( 240):1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC: | cmd( 320):OL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PE: | cmd( 400):ER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3: | cmd( 480):.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PR: | cmd( 560):OTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Depa: | cmd( 640):rtment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='n: | cmd( 720):etkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_: | cmd( 800):NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAIL: | cmd( 880):ED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PL: | cmd( 960):UTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED: | cmd(1040):='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec : | cmd(1120):_updown 2>&1: | suspend processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in route_group() at foodgroups.c:439) | start processing: connection "clear" (in route_group() at foodgroups.c:439) | FOR_EACH_CONNECTION_... in conn_by_name | suspend processing: connection "clear" (in route_group() at foodgroups.c:435) | start processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in route_group() at foodgroups.c:435) | could_route called for clear#192.1.2.253/32 (kind=CK_INSTANCE) | FOR_EACH_CONNECTION_... in route_owner | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear-all mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn block mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn private mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private mark 0/00000000, 0/00000000 | route owner of "clear#192.1.2.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... in route_owner | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear-all mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn block mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn private mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private mark 0/00000000, 0/00000000 | route owner of "clear#192.1.2.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL | route_and_eroute with c: clear#192.1.2.253/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0 | shunt_eroute() called for connection 'clear#192.1.2.253/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf | netlink_raw_eroute: SPI_PASS | IPsec Sa SPD priority set to 1564639 | priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf | netlink_raw_eroute: SPI_PASS | IPsec Sa SPD priority set to 1564639 | route_and_eroute: firewall_notified: true | running updown command "ipsec _updown" for verb prepare | command executing prepare-host | id type with ID_NONE means wildcard match | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE | popen cmd is 1134 chars long | cmd( 0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25: | cmd( 80):3/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' : | cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19: | cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT: | cmd( 320):OCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_: | cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1: | cmd( 480):.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_: | cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test De: | cmd( 640):partment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK=: | cmd( 720):'netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVE: | cmd( 800):R_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FA: | cmd( 880):ILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' : | cmd( 960):PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGUR: | cmd(1040):ED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipse: | cmd(1120):c _updown 2>&1: | running updown command "ipsec _updown" for verb route | command executing route-host | id type with ID_NONE means wildcard match | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER | popen cmd is 1132 chars long | cmd( 0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/: | cmd( 80):32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PL: | cmd( 160):UTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.: | cmd( 240):1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC: | cmd( 320):OL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PE: | cmd( 400):ER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2: | cmd( 480):.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PR: | cmd( 560):OTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Depa: | cmd( 640):rtment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='n: | cmd( 720):etkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_: | cmd( 800):NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAIL: | cmd( 880):ED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PL: | cmd( 960):UTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED: | cmd(1040):='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec : | cmd(1120):_updown 2>&1: | suspend processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in route_group() at foodgroups.c:439) | start processing: connection "clear" (in route_group() at foodgroups.c:439) | stop processing: connection "clear" (in whack_route_connection() at rcv_whack.c:116) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 4.59 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | old debugging base+cpu-usage + none | base debugging = base+cpu-usage | old impairing none + suppress-retransmits | base impairing = suppress-retransmits | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0322 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned nothing left to do (all child processes are busy) | spent 0.00428 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned nothing left to do (all child processes are busy) | spent 0.00268 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned nothing left to do (all child processes are busy) | spent 0.00279 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned nothing left to do (all child processes are busy) | spent 0.00264 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned nothing left to do (all child processes are busy) | spent 0.00265 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned nothing left to do (all child processes are busy) | spent 0.00276 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned nothing left to do (all child processes are busy) | spent 0.00265 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned nothing left to do (all child processes are busy) | spent 0.00241 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | start processing: connection "private-or-clear" (in whack_route_connection() at rcv_whack.c:106) | FOR_EACH_CONNECTION_... in conn_by_name | suspend processing: connection "private-or-clear" (in route_group() at foodgroups.c:435) | start processing: connection "private-or-clear#192.1.3.0/24" (in route_group() at foodgroups.c:435) | could_route called for private-or-clear#192.1.3.0/24 (kind=CK_TEMPLATE) | FOR_EACH_CONNECTION_... in route_owner | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn private-or-clear mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn clear mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn private-or-clear-all mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn block mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn private mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn clear-or-private mark 0/00000000, 0/00000000 | route owner of "private-or-clear#192.1.3.0/24" unrouted: NULL; eroute owner: NULL | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... in route_owner | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn private-or-clear mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn clear mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn private-or-clear-all mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn block mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn private mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn clear-or-private mark 0/00000000, 0/00000000 | route owner of "private-or-clear#192.1.3.0/24" unrouted: NULL; eroute owner: NULL | route_and_eroute with c: private-or-clear#192.1.3.0/24 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0 | shunt_eroute() called for connection 'private-or-clear#192.1.3.0/24' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfe7 | IPsec Sa SPD priority set to 2088935 | priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfe7 | route_and_eroute: firewall_notified: true | running updown command "ipsec _updown" for verb prepare | command executing prepare-host | id type with ID_NONE means wildcard match | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#192.1.3.0/24' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.0/24' PLUTO_PEER_CLIENT_NET='192.1.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISC | popen cmd is 1222 chars long | cmd( 0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear: | cmd( 80):#192.1.3.0/24' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192: | cmd( 160):.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIEN: | cmd( 240):T_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUT: | cmd( 320):O_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.: | cmd( 400):0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.0/24' PLUTO_PEER_CLIENT_NET: | cmd( 480):='192.1.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PE: | cmd( 560):ER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test: | cmd( 640): Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STA: | cmd( 720):CK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+AUTHNULL+ENCRYPT+TUNNEL+: | cmd( 800):PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW: | cmd( 880):+ESN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' : | cmd( 960):XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_: | cmd(1040):INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_: | cmd(1120):CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=: | cmd(1200):0x0 ipsec _updown 2>&1: | running updown command "ipsec _updown" for verb route | command executing route-host | id type with ID_NONE means wildcard match | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#192.1.3.0/24' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.0/24' PLUTO_PEER_CLIENT_NET='192.1.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0 | popen cmd is 1220 chars long | cmd( 0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#1: | cmd( 80):92.1.3.0/24' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1: | cmd( 160):.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_: | cmd( 240):NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_: | cmd( 320):MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0': | cmd( 400): PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.0/24' PLUTO_PEER_CLIENT_NET=': | cmd( 480):192.1.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER: | cmd( 560):_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test D: | cmd( 640):epartment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK: | cmd( 720):='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PF: | cmd( 800):S+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+E: | cmd( 880):SN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XA: | cmd( 960):UTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_IN: | cmd(1040):FO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CO: | cmd(1120):NFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x: | cmd(1200):0 ipsec _updown 2>&1: | suspend processing: connection "private-or-clear#192.1.3.0/24" (in route_group() at foodgroups.c:439) | start processing: connection "private-or-clear" (in route_group() at foodgroups.c:439) | stop processing: connection "private-or-clear" (in whack_route_connection() at rcv_whack.c:116) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 1.15 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned nothing left to do (all child processes are busy) | spent 0.00383 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned nothing left to do (all child processes are busy) | spent 0.0021 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | start processing: connection "private" (in whack_route_connection() at rcv_whack.c:106) | stop processing: connection "private" (in whack_route_connection() at rcv_whack.c:116) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0266 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | start processing: connection "block" (in whack_route_connection() at rcv_whack.c:106) | stop processing: connection "block" (in whack_route_connection() at rcv_whack.c:116) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0174 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | start processing: connection "private-or-clear-all" (in whack_route_connection() at rcv_whack.c:106) | stop processing: connection "private-or-clear-all" (in whack_route_connection() at rcv_whack.c:116) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0165 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | start processing: connection "private-or-clear-all" (in whack_route_connection() at rcv_whack.c:106) | stop processing: connection "private-or-clear-all" (in whack_route_connection() at rcv_whack.c:116) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0154 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned pid 22957 (exited with status 0) | reaped addconn helper child (status 0) | waitpid returned ECHILD (no child processes left) | spent 0.0235 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... in show_states_status (sort_states) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 1.15 milliseconds in whack | spent 0.00265 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 851 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500) | a2 30 4a 5b 65 74 84 ee 00 00 00 00 00 00 00 00 | 21 20 22 08 00 00 00 00 00 00 03 53 22 00 01 b4 | 02 00 00 64 01 01 00 0b 03 00 00 0c 01 00 00 14 | 80 0e 01 00 03 00 00 08 02 00 00 07 03 00 00 08 | 02 00 00 05 03 00 00 08 04 00 00 0e 03 00 00 08 | 04 00 00 0f 03 00 00 08 04 00 00 10 03 00 00 08 | 04 00 00 12 03 00 00 08 04 00 00 13 03 00 00 08 | 04 00 00 14 03 00 00 08 04 00 00 15 00 00 00 08 | 04 00 00 1f 02 00 00 64 02 01 00 0b 03 00 00 0c | 01 00 00 14 80 0e 00 80 03 00 00 08 02 00 00 07 | 03 00 00 08 02 00 00 05 03 00 00 08 04 00 00 0e | 03 00 00 08 04 00 00 0f 03 00 00 08 04 00 00 10 | 03 00 00 08 04 00 00 12 03 00 00 08 04 00 00 13 | 03 00 00 08 04 00 00 14 03 00 00 08 04 00 00 15 | 00 00 00 08 04 00 00 1f 02 00 00 74 03 01 00 0d | 03 00 00 0c 01 00 00 0c 80 0e 01 00 03 00 00 08 | 02 00 00 07 03 00 00 08 02 00 00 05 03 00 00 08 | 03 00 00 0e 03 00 00 08 03 00 00 0c 03 00 00 08 | 04 00 00 0e 03 00 00 08 04 00 00 0f 03 00 00 08 | 04 00 00 10 03 00 00 08 04 00 00 12 03 00 00 08 | 04 00 00 13 03 00 00 08 04 00 00 14 03 00 00 08 | 04 00 00 15 00 00 00 08 04 00 00 1f 00 00 00 74 | 04 01 00 0d 03 00 00 0c 01 00 00 0c 80 0e 00 80 | 03 00 00 08 02 00 00 07 03 00 00 08 02 00 00 05 | 03 00 00 08 03 00 00 0e 03 00 00 08 03 00 00 0c | 03 00 00 08 04 00 00 0e 03 00 00 08 04 00 00 0f | 03 00 00 08 04 00 00 10 03 00 00 08 04 00 00 12 | 03 00 00 08 04 00 00 13 03 00 00 08 04 00 00 14 | 03 00 00 08 04 00 00 15 00 00 00 08 04 00 00 1f | 28 00 01 08 00 0e 00 00 78 62 07 b9 43 93 c0 71 | 89 25 14 f6 40 f3 7c d9 c6 78 cc 64 f9 d9 cc c3 | 3d a6 c4 74 1f a0 a0 62 b5 56 92 7f 25 ee 76 81 | 05 70 21 34 ac 86 43 7d 76 fa c2 db 0d f7 d4 0f | 6d 28 f6 d7 a0 06 9a 43 95 36 6a d1 5d 34 da 5a | c5 74 de 44 bd 52 e8 32 c2 80 3e ab 72 f3 4d 29 | b3 99 3b a6 4c b3 aa 10 46 8c 53 99 09 63 dd d3 | 76 91 b0 0c e8 44 d8 54 d7 f4 13 50 a6 3c f6 6d | 6b 67 45 dd 9f 25 d7 d1 27 ed e5 b3 19 e4 25 af | d9 f1 56 53 80 2e f1 e7 41 b7 ba f6 de 47 c2 f6 | e4 5d e7 0e 0f f2 cd c6 f9 6c 6e 4e 22 22 2d dc | 37 f7 6d e1 a1 7b b2 53 96 84 06 78 b2 bf 0e 00 | a6 57 5c 7b 5c bf eb 1a 11 35 bf b4 ed 14 e9 6a | fd e2 57 c7 0b 5a d7 94 65 22 7e 0c 84 f3 e2 57 | a6 85 8f 38 0b 27 1b 2f 1b 61 07 27 5f 30 f6 a7 | 4e 01 64 d8 8d f2 87 35 10 6f 6b 0d fd 55 fa 49 | 24 2d b0 cc ab 48 ea 7b 29 00 00 24 55 fb 6b 4a | dd e4 d3 ae 4e a1 67 4c 59 9e e1 08 fd 5d 47 2b | 89 81 b2 a2 81 38 98 03 83 70 c1 c8 29 00 00 08 | 00 00 40 2e 29 00 00 1c 00 00 40 04 15 54 03 c2 | 38 b5 c2 c7 71 a3 42 60 e2 1d 8e b9 bc 61 91 92 | 2b 00 00 1c 00 00 40 05 03 82 c6 70 6c 42 81 cb | 3a dc 6c 2a 14 80 f2 c9 4f 71 00 32 00 00 00 17 | 4f 70 70 6f 72 74 75 6e 69 73 74 69 63 20 49 50 | 73 65 63 | start processing: from 192.1.3.209:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | a2 30 4a 5b 65 74 84 ee | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_v2SA (0x21) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 0 (0x0) | length: 851 (0x353) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) | Now let's proceed with payload (ISAKMP_NEXT_v2SA) | ***parse IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2KE (0x22) | flags: none (0x0) | length: 436 (0x1b4) | processing payload: ISAKMP_NEXT_v2SA (len=432) | Now let's proceed with payload (ISAKMP_NEXT_v2KE) | ***parse IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2Ni (0x28) | flags: none (0x0) | length: 264 (0x108) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | processing payload: ISAKMP_NEXT_v2KE (len=256) | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) | ***parse IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 36 (0x24) | processing payload: ISAKMP_NEXT_v2Ni (len=32) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 8 (0x8) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | processing payload: ISAKMP_NEXT_v2N (len=0) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | processing payload: ISAKMP_NEXT_v2N (len=20) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2V (0x2b) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | processing payload: ISAKMP_NEXT_v2N (len=20) | Now let's proceed with payload (ISAKMP_NEXT_v2V) | ***parse IKEv2 Vendor ID Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 23 (0x17) | processing payload: ISAKMP_NEXT_v2V (len=19) | DDOS disabled and no cookie sent, continuing | VID_OPPORTUNISTIC received | Processing IKE request for Opportunistic IPsec | find_host_connection local=192.1.2.23:500 remote=192.1.3.209:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | find_next_host_connection returns empty | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear-all) | found policy = AUTH_NEVER+SHUNT0+SHUNT1+GROUP+GROUTED (block) | found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private) | found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear) | found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear#192.1.3.0/24) | found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private) | found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear) | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32) | find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.254/32) | find_next_host_connection returns clear#192.1.2.254/32 0.0.0.0 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | find_next_host_connection returns empty | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.254/32) | find_next_host_connection returns clear#192.1.2.254/32 0.0.0.0 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | find_next_host_connection returns empty | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW | find_host_connection local=192.1.2.23:500 remote=192.1.3.209:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | find_next_host_connection returns empty | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear-all) | find_next_host_connection returns private-or-clear-all | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+SHUNT1+GROUP+GROUTED (block) | found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private) | find_next_host_connection returns private | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear) | find_next_host_connection returns private-or-clear | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear#192.1.3.0/24) | find_next_host_connection returns private-or-clear#192.1.3.0/24 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private) | find_next_host_connection returns clear-or-private | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear) | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32) | find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.254/32) | find_next_host_connection returns clear#192.1.2.254/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | find_next_host_connection returns empty | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+SHUNT1+GROUP+GROUTED (block) | found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private) | find_next_host_connection returns private | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear) | find_next_host_connection returns private-or-clear | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear#192.1.3.0/24) | find_next_host_connection returns private-or-clear#192.1.3.0/24 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private) | find_next_host_connection returns clear-or-private | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear) | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32) | find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.254/32) | find_next_host_connection returns clear#192.1.2.254/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | find_next_host_connection returns empty | oppo_instantiate | match_id a=(none) | b=(none) | results matched | connect_to_host_pair: 192.1.2.23:500 192.1.3.209:500 -> hp@(nil): none | new hp@0x5628751613a8 | oppo instantiate d="private-or-clear#192.1.3.0/24" from c="private-or-clear#192.1.3.0/24" with c->routing prospective erouted, d->routing unrouted | new oppo instance: 192.1.2.23---192.1.2.254...192.1.3.209===192.1.3.0/24 | oppo_instantiate() instantiated "[1] ...192.1.3.209"private-or-clear#192.1.3.0/24: 192.1.2.23---192.1.2.254...192.1.3.209 | found connection: private-or-clear#192.1.3.0/24[1] ...192.1.3.209 with policy RSASIG+IKEV2_ALLOW | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | creating state object #1 at 0x562875161828 | State DB: adding IKEv2 state #1 in UNDEFINED | pstats #1 ikev2.ike started | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 | start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209 (in ikev2_process_packet() at ikev2.c:2016) | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) | [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209 (in ike_process_packet() at ikev2.c:2064) | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 | #1 in state PARENT_R0: processing SA_INIT request | selected state microcode Respond to IKE_SA_INIT | Now let's proceed with state specific processing | calling processor Respond to IKE_SA_INIT | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) | received Vendor ID payload [Opportunistic IPsec] | constructing local IKE proposals for private-or-clear#192.1.3.0/24 (IKE SA responder matching remote proposals) | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... | ... ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209: constructed local IKE proposals for private-or-clear#192.1.3.0/24 (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 | Comparing remote proposals against IKE responder 4 local proposals | local proposal 1 type ENCR has 1 transforms | local proposal 1 type PRF has 2 transforms | local proposal 1 type INTEG has 1 transforms | local proposal 1 type DH has 8 transforms | local proposal 1 type ESN has 0 transforms | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG | local proposal 2 type ENCR has 1 transforms | local proposal 2 type PRF has 2 transforms | local proposal 2 type INTEG has 1 transforms | local proposal 2 type DH has 8 transforms | local proposal 2 type ESN has 0 transforms | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG | local proposal 3 type ENCR has 1 transforms | local proposal 3 type PRF has 2 transforms | local proposal 3 type INTEG has 2 transforms | local proposal 3 type DH has 8 transforms | local proposal 3 type ESN has 0 transforms | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none | local proposal 4 type ENCR has 1 transforms | local proposal 4 type PRF has 2 transforms | local proposal 4 type INTEG has 2 transforms | local proposal 4 type DH has 8 transforms | local proposal 4 type ESN has 0 transforms | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 100 (0x64) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 11 (0xb) | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH | remote proposal 1 matches local proposal 1 | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 100 (0x64) | prop #: 2 (0x2) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 11 (0xb) | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 116 (0x74) | prop #: 3 (0x3) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 13 (0xd) | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | length: 116 (0x74) | prop #: 4 (0x4) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 13 (0xd) | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH | proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 | converting proposal to internal trans attrs | natd_hash: rcookie is zero | natd_hash: hasher=0x5628736ab800(20) | natd_hash: icookie= a2 30 4a 5b 65 74 84 ee | natd_hash: rcookie= 00 00 00 00 00 00 00 00 | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= 03 82 c6 70 6c 42 81 cb 3a dc 6c 2a 14 80 f2 c9 | natd_hash: hash= 4f 71 00 32 | natd_hash: rcookie is zero | natd_hash: hasher=0x5628736ab800(20) | natd_hash: icookie= a2 30 4a 5b 65 74 84 ee | natd_hash: rcookie= 00 00 00 00 00 00 00 00 | natd_hash: ip= c0 01 03 d1 | natd_hash: port=500 | natd_hash: hash= 15 54 03 c2 38 b5 c2 c7 71 a3 42 60 e2 1d 8e b9 | natd_hash: hash= bc 61 91 92 | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat-keepalive enabled 192.1.3.209 | adding ikev2_inI1outR1 KE work-order 1 for state #1 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5628751614d8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x562875141de8 size 128 | #1 spent 0.527 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() | [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in complete_v2_state_transition() at ikev2.c:3379) | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND | suspending state #1 and saving MD | #1 is busy; has a suspended MD | [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in log_stf_suspend() at ikev2.c:3269) | crypto helper 0 resuming | crypto helper 0 starting work-order 1 for state #1 | "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 | crypto helper 0 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 | stop processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018) | #1 spent 0.985 milliseconds in ikev2_process_packet() | stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.993 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 0 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.000585 seconds | (#1) spent 0.592 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) | crypto helper 0 sending results from work-order 1 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7fd560002888 size 128 | crypto helper 0 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797) | crypto helper 0 replies to request ID 1 | calling continuation function 0x5628735d6b50 | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 | **emit ISAKMP Message: | initiator cookie: | a2 30 4a 5b 65 74 84 ee | responder cookie: | 2f a9 8f 22 d3 2d 1e 58 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | Emitting ikev2_proposal ... | ***emit IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' | ****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 3 (0x3) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | ******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of IKEv2 Transform Substructure Payload: 12 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 36 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | emitting length of IKEv2 Security Association Payload: 40 | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 | ***emit IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload | ikev2 g^x f9 16 54 e1 6e c2 e4 65 37 60 d7 cd a5 a8 87 78 | ikev2 g^x 00 0c a0 12 fb 19 8c 6b a3 5f 5b 57 35 2d 99 1a | ikev2 g^x e6 e6 a3 b0 aa a4 3e 23 d4 89 57 c6 50 50 31 9d | ikev2 g^x 71 22 c7 40 2b 5f 1a 17 3d a8 14 9a 98 0b 7e 1b | ikev2 g^x d7 09 b5 d9 28 15 cc 53 ab 1c 8b 30 7c 21 4f 42 | ikev2 g^x c8 e5 41 92 4f 48 be 10 e6 ee 77 e7 a7 d4 61 7d | ikev2 g^x 10 5b dc 0a 18 ea 47 b9 72 5d 0d d0 89 64 86 74 | ikev2 g^x 17 e8 73 d4 23 bd 61 b5 76 7f e9 0d 1b ee 1b 81 | ikev2 g^x fa 20 91 e7 9c e5 de 2d 0b 43 26 da ce 88 69 a4 | ikev2 g^x b7 96 9c 5d 6e 8e 5c f0 f1 97 f4 41 f9 74 f9 82 | ikev2 g^x 31 7d ac 71 d1 aa f8 53 22 32 fb 16 cf 62 16 7a | ikev2 g^x 98 59 1d 20 54 d3 f0 63 45 99 5e 11 85 b3 e7 43 | ikev2 g^x 8d 7e 28 18 9a 81 fd 18 d8 f4 92 07 c5 e0 1c c2 | ikev2 g^x 2d 23 6f 56 e1 25 a0 b0 d3 1b 0c d5 78 cd b9 46 | ikev2 g^x 84 1a 2d 51 f5 36 9e ed da fb 30 8a 56 13 d1 a5 | ikev2 g^x c7 1a 82 18 83 ef f9 81 b3 1e b0 48 b0 e5 95 53 | emitting length of IKEv2 Key Exchange Payload: 264 | ***emit IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload | IKEv2 nonce f9 f4 58 44 f0 ea 84 c6 d2 7f bb 9b a8 bd 4c eb | IKEv2 nonce 50 de f7 0f 5f b5 fe b4 01 70 2d 66 69 0d 7d 21 | emitting length of IKEv2 Nonce Payload: 36 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting length of IKEv2 Notify Payload: 8 | NAT-Traversal support [enabled] add v2N payloads. | natd_hash: hasher=0x5628736ab800(20) | natd_hash: icookie= a2 30 4a 5b 65 74 84 ee | natd_hash: rcookie= 2f a9 8f 22 d3 2d 1e 58 | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= e2 bf 3c c5 fd f7 90 60 f0 be 5a 23 fb 53 e9 7b | natd_hash: hash= 75 bf 43 c7 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload | Notify data e2 bf 3c c5 fd f7 90 60 f0 be 5a 23 fb 53 e9 7b | Notify data 75 bf 43 c7 | emitting length of IKEv2 Notify Payload: 28 | natd_hash: hasher=0x5628736ab800(20) | natd_hash: icookie= a2 30 4a 5b 65 74 84 ee | natd_hash: rcookie= 2f a9 8f 22 d3 2d 1e 58 | natd_hash: ip= c0 01 03 d1 | natd_hash: port=500 | natd_hash: hash= e7 b2 78 60 2a ce 49 b5 08 0a c4 24 92 ea aa 58 | natd_hash: hash= 03 1e e7 12 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload | Notify data e7 b2 78 60 2a ce 49 b5 08 0a c4 24 92 ea aa 58 | Notify data 03 1e e7 12 | emitting length of IKEv2 Notify Payload: 28 | going to send a certreq | connection->kind is not CK_PERMANENT (instance), so collect CAs | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | Not a roadwarrior instance, sending empty CA in CERTREQ | ***emit IKEv2 Certificate Request Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Certificate Request Payload (38:ISAKMP_NEXT_v2CERTREQ) | next payload chain: saving location 'IKEv2 Certificate Request Payload'.'next payload type' in 'reply packet' | emitting length of IKEv2 Certificate Request Payload: 5 | ***emit IKEv2 Vendor ID Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'IKEv2 Certificate Request Payload'.'next payload type' to current IKEv2 Vendor ID Payload (43:ISAKMP_NEXT_v2V) | next payload chain: saving location 'IKEv2 Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 19 raw bytes of Opportunistic IPsec into IKEv2 Vendor ID Payload | Opportunistic IPsec 4f 70 70 6f 72 74 75 6e 69 73 74 69 63 20 49 50 | Opportunistic IPsec 73 65 63 | emitting length of IKEv2 Vendor ID Payload: 23 | emitting length of ISAKMP Message: 460 | [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in complete_v2_state_transition() at ikev2.c:3379) | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) | Message ID: updating counters for #1 to 0 after switching state | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 | STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} | sending V2 new request packet to 192.1.3.209:500 (from 192.1.2.23:500) | sending 460 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1) | a2 30 4a 5b 65 74 84 ee 2f a9 8f 22 d3 2d 1e 58 | 21 20 22 20 00 00 00 00 00 00 01 cc 22 00 00 28 | 00 00 00 24 01 01 00 03 03 00 00 0c 01 00 00 14 | 80 0e 01 00 03 00 00 08 02 00 00 07 00 00 00 08 | 04 00 00 0e 28 00 01 08 00 0e 00 00 f9 16 54 e1 | 6e c2 e4 65 37 60 d7 cd a5 a8 87 78 00 0c a0 12 | fb 19 8c 6b a3 5f 5b 57 35 2d 99 1a e6 e6 a3 b0 | aa a4 3e 23 d4 89 57 c6 50 50 31 9d 71 22 c7 40 | 2b 5f 1a 17 3d a8 14 9a 98 0b 7e 1b d7 09 b5 d9 | 28 15 cc 53 ab 1c 8b 30 7c 21 4f 42 c8 e5 41 92 | 4f 48 be 10 e6 ee 77 e7 a7 d4 61 7d 10 5b dc 0a | 18 ea 47 b9 72 5d 0d d0 89 64 86 74 17 e8 73 d4 | 23 bd 61 b5 76 7f e9 0d 1b ee 1b 81 fa 20 91 e7 | 9c e5 de 2d 0b 43 26 da ce 88 69 a4 b7 96 9c 5d | 6e 8e 5c f0 f1 97 f4 41 f9 74 f9 82 31 7d ac 71 | d1 aa f8 53 22 32 fb 16 cf 62 16 7a 98 59 1d 20 | 54 d3 f0 63 45 99 5e 11 85 b3 e7 43 8d 7e 28 18 | 9a 81 fd 18 d8 f4 92 07 c5 e0 1c c2 2d 23 6f 56 | e1 25 a0 b0 d3 1b 0c d5 78 cd b9 46 84 1a 2d 51 | f5 36 9e ed da fb 30 8a 56 13 d1 a5 c7 1a 82 18 | 83 ef f9 81 b3 1e b0 48 b0 e5 95 53 29 00 00 24 | f9 f4 58 44 f0 ea 84 c6 d2 7f bb 9b a8 bd 4c eb | 50 de f7 0f 5f b5 fe b4 01 70 2d 66 69 0d 7d 21 | 29 00 00 08 00 00 40 2e 29 00 00 1c 00 00 40 04 | e2 bf 3c c5 fd f7 90 60 f0 be 5a 23 fb 53 e9 7b | 75 bf 43 c7 26 00 00 1c 00 00 40 05 e7 b2 78 60 | 2a ce 49 b5 08 0a c4 24 92 ea aa 58 03 1e e7 12 | 2b 00 00 05 04 00 00 00 17 4f 70 70 6f 72 74 75 | 6e 69 73 74 69 63 20 49 50 73 65 63 | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x562875141de8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5628751614d8 | event_schedule: new EVENT_SO_DISCARD-pe@0x5628751614d8 | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 | libevent_malloc: new ptr-libevent@0x5628751615f8 size 128 | resume sending helper answer for #1 suppresed complete_v2_state_transition() | #1 spent 0.321 milliseconds in resume sending helper answer | stop processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fd560002888 | spent 0.00306 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 539 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500) | a2 30 4a 5b 65 74 84 ee 2f a9 8f 22 d3 2d 1e 58 | 35 20 23 08 00 00 00 01 00 00 02 1b 23 00 01 ff | 00 01 00 05 18 f1 c7 4b 12 8e ab a1 57 3e 80 a4 | ad 72 83 2f de f7 1c a7 34 62 0d 5d 76 54 8e 95 | ea e3 ce 9a d0 45 f6 8e 5f 66 bd 86 2f 4a 41 c5 | 1a e2 51 50 d7 37 f7 ed b9 4a ca 10 05 92 b6 bb | c4 8e 66 2e e7 8f 8c 15 78 43 9f c9 37 17 01 97 | aa 6e 6c c6 82 49 f5 a3 e1 cc 21 93 f0 be b1 2a | af b5 b5 0d 98 66 f4 72 41 8a 65 73 ef fa c4 88 | ca fc 31 98 3a a8 52 b8 eb 5c 55 80 c7 e3 a8 f5 | d7 4a 52 8e da b4 4d 95 25 64 23 7f 2c 61 d8 12 | 6c 56 2b d2 3f 49 7a d7 7f 79 7d 00 a1 8c 78 60 | 00 db 30 b8 be eb 2d f7 3f 58 b4 4a a5 fc 51 2c | 8a 85 57 8f 26 bd ae 3c b4 dd 7b 93 30 68 80 36 | a5 ab dc e9 58 7e c2 ff c1 3b fa 39 db 56 3b 2b | fb 2b 91 8d 0c 2a ad 68 ae 0a 2e 8f e7 9a 85 7d | c0 71 40 5c 22 39 de 03 88 c3 bc 61 61 f5 1b d5 | 84 17 85 94 8d 7e 55 3e 9a dc a4 d2 d1 5c 23 98 | 81 91 3a 8f 81 98 1c 62 6c a7 7d 9e f0 03 42 9b | 55 89 36 44 7e 67 e4 8a 85 d7 dd 31 70 38 cf 2a | 0d a9 60 4c 5a db a3 6c c3 18 14 20 52 e5 5a 32 | 28 b7 72 4a 9f 1b 9a c4 c0 ab 0d 01 ca 0e a2 12 | 3a a7 5d 1f 77 92 83 f2 c7 96 af 48 b9 78 4f a6 | 4c 82 c1 0f f9 3b 7c e3 60 3f b2 e7 61 af 86 55 | ba df 1a 13 8a a7 30 09 16 fa 1e 58 c3 76 d8 da | 41 e4 6c 86 60 5b fc fa 68 7d ea 4e 45 81 e2 ee | 5e 93 66 8d 2f 39 0d cb 18 86 fd 3f 89 a3 53 0a | 8c fc c7 4e 35 2f 45 7b a1 a0 73 d1 a6 b2 6d 82 | ee 5b 05 ca c6 70 02 a1 f3 f7 c3 a8 64 45 5b 25 | 46 6e 95 c5 28 76 26 85 fa 58 41 28 46 b0 92 c4 | 38 0b 98 cf 06 ac 3d 34 0c fd 0e a0 b3 e0 d0 cb | 3a 69 f5 00 d2 d2 43 3b 49 73 25 32 09 b8 30 a8 | 03 1f d6 91 fd 44 c8 20 b9 68 88 1c af 32 b5 b0 | d8 2d ec de d1 fa 24 25 9a 7a 86 | start processing: from 192.1.3.209:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | a2 30 4a 5b 65 74 84 ee | responder cookie: | 2f a9 8f 22 d3 2d 1e 58 | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) | start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2016) | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) | [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ike_process_packet() at ikev2.c:2064) | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 | unpacking clear payload | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2IDi (0x23) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 1 (0x1) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 | #1 in state PARENT_R1: received v2I1, sent v2R1 | received IKE encrypted fragment number '1', total number '5', next payload '35' | updated IKE fragment state to respond using fragments without waiting for re-transmits | stop processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018) | #1 spent 0.157 milliseconds in ikev2_process_packet() | stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.171 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00161 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 539 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500) | a2 30 4a 5b 65 74 84 ee 2f a9 8f 22 d3 2d 1e 58 | 35 20 23 08 00 00 00 01 00 00 02 1b 00 00 01 ff | 00 02 00 05 f3 29 d3 a0 59 77 23 49 57 b2 22 e3 | 45 a8 e9 ad 43 0f aa 3b f2 a5 15 5d db 24 a3 cc | 5b 42 c4 ac d7 a0 c0 4e 7e 9d 54 fa 94 d7 0c 30 | 68 a0 24 8a bc 79 a0 3b ca 1c 59 00 5c 88 aa 65 | 1a 56 e2 84 f7 bb 0e 51 31 ff d8 de b4 84 63 9b | f2 cb 14 55 59 6f e4 cd 64 f0 48 95 ae f3 d3 5d | 04 05 08 ea e1 d6 f9 68 65 e7 fb ba fb 41 cf 78 | a1 34 0d d9 ee f0 7a de 00 5f 3a 85 15 ae c0 9c | 14 46 bc 3f b8 94 d9 2e f2 49 8f 6a 71 e7 b1 75 | 6b f5 33 aa 76 8c 9a 1f 29 87 ae df d4 f5 36 c2 | 63 e5 f4 f6 e8 4c 67 05 a7 a0 39 e3 95 64 92 7e | af 78 f7 37 e9 3d e7 65 39 94 01 96 71 68 12 e7 | 5a 70 54 65 2e 7b 62 95 f6 36 ef 81 5b db 69 3f | 88 25 6b 5e 00 c2 67 ad 14 98 bd 4e 79 53 fa e4 | 92 7e 19 14 9b 2c ef bf 3a d2 c5 d5 69 21 51 f9 | e3 4f 09 c6 74 b0 48 e4 77 b6 da 82 a4 8e 61 9c | e1 94 0e 2b 42 b1 8b 1b 64 d5 20 6e 78 f6 e7 ef | a4 7f ca 4e 12 ad 51 98 d9 40 28 08 4e e3 c4 18 | 13 d4 4e 64 53 ae 98 72 b0 78 46 59 ed 11 8c b1 | 90 30 e1 5d fd 73 26 82 29 34 b5 8d 55 a4 c3 42 | a8 be 2d db b3 6a 6f 42 c4 37 70 2f c7 43 85 91 | 17 31 a2 91 5d ef d4 8e 8d 5f bb 7d 34 d5 28 9f | 7d cd 04 a6 1f bd 5e c3 42 76 b1 eb 5a 6e a3 84 | a4 9d b7 a9 dd 00 6b 42 a0 41 2e 4b e4 45 09 2b | 05 ad f9 5e c5 96 90 fc ba 5e b4 6b fc 4a b2 95 | 6d 66 d6 fd 76 bd ee 17 d9 a6 db 76 e9 f2 40 b7 | 7e 39 ff e1 07 4e 5c 55 11 0f 57 3f 16 ea 6d 5d | 6f 04 83 32 71 4f e3 f1 f7 43 6e f9 7b 0f 76 67 | 89 95 f6 11 dc 80 2a d8 eb 76 f1 ec ff bb d7 e7 | 3a bf 1f a3 d7 5d ff e9 83 ab 1a 33 7e 05 6b ff | 74 a1 b2 8d 2b f4 18 bb 96 99 0a 41 53 86 b1 6b | f7 1f cf 32 ff c2 b7 5d 1a 6d 4a | start processing: from 192.1.3.209:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | a2 30 4a 5b 65 74 84 ee | responder cookie: | 2f a9 8f 22 d3 2d 1e 58 | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) | start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2016) | [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ike_process_packet() at ikev2.c:2062) | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #1 is idle | #1 idle | Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1 | unpacking clear payload | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 2 (0x2) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | #1 in state PARENT_R1: received v2I1, sent v2R1 | received IKE encrypted fragment number '2', total number '5', next payload '0' | stop processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018) | #1 spent 0.118 milliseconds in ikev2_process_packet() | stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.126 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00113 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 539 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500) | a2 30 4a 5b 65 74 84 ee 2f a9 8f 22 d3 2d 1e 58 | 35 20 23 08 00 00 00 01 00 00 02 1b 00 00 01 ff | 00 03 00 05 dc 13 df 3a ad 21 77 e5 ad fe aa 40 | ed eb d6 94 29 bd 3f b0 02 82 2a cb f1 13 02 7e | 91 38 b3 d5 06 bc 96 e1 18 38 d9 2b 6d 3d f5 36 | 5f b5 83 df 64 0e cc 1c ae 81 55 27 41 74 b3 59 | 79 81 31 59 14 46 de 96 16 e3 d8 b0 0e a9 4a 4a | aa 22 6a da e9 44 61 ef 73 b1 36 27 c4 85 10 e6 | 8c 89 f5 de be 6c 79 2e 47 10 17 f1 c8 cb 81 ee | 81 7e d3 d6 e4 e1 cb 4a e5 e9 41 49 67 04 13 66 | af e9 eb 6f 8b 05 de 74 c2 64 17 da 45 e5 ec 35 | 04 c4 2e 6e 69 a7 c1 fd 0c 23 6a de e1 62 b8 19 | 2c 53 29 b1 c0 6e 75 04 ba 91 59 31 b9 90 45 b1 | 05 9c 24 f6 59 04 5d 21 f0 e1 6d 05 c1 ec e4 62 | 42 dc 34 44 b9 b6 67 b4 c8 ae 19 b5 20 1f 40 0c | fe 69 03 c6 a6 b0 15 45 62 b8 d2 92 14 a1 3e ce | 5a fa 0d a3 63 dd 61 71 25 ff f8 5d 22 de 38 28 | d2 bf 40 11 0a d6 10 13 51 90 7a e7 69 80 9b 68 | 2e 22 d8 a9 33 ca 02 6c a3 5e 5e 25 05 ae de f8 | 53 df 78 f2 fd 53 5a 3a 08 38 27 5c 06 47 e4 6e | 13 10 12 09 de 7d 44 2c d9 30 53 c2 17 f3 cf 6a | 5a fc 12 75 95 99 53 6d 94 e0 bc 71 d1 13 fd e1 | 56 85 ac e9 60 18 ef 72 f2 9e 59 26 17 78 e0 61 | ea bf ee c3 db dd 1c ab 01 56 73 18 3f 27 6c ca | 27 90 12 12 30 3e 99 91 df 6d 9d a5 7c b4 65 06 | 20 ae 78 04 e4 dd b4 56 c1 85 df 3b be 69 10 2f | 09 b5 2c 76 91 2b a9 5a ee a7 18 49 d5 fa c3 9d | f2 cd 25 4c 1b 2b 0a e9 62 3b 11 a5 23 0c 58 0b | 76 75 c0 33 a8 47 c1 ee 56 69 8a 9b 18 e7 47 02 | 1e bd 78 51 a4 d1 a5 a4 22 2c f7 3b af 09 5e d9 | 9f d4 0a f4 40 a8 35 20 c0 ef c6 62 4c c4 f0 df | cb ff 4c 42 1e 9b cb 17 15 af 86 c7 d0 ef db ef | df 4e 5d d1 0b 76 32 64 73 af 5c eb ea 80 da e6 | 08 64 49 be 7f 43 03 d6 a3 3d c3 | start processing: from 192.1.3.209:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | a2 30 4a 5b 65 74 84 ee | responder cookie: | 2f a9 8f 22 d3 2d 1e 58 | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) | start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2016) | [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ike_process_packet() at ikev2.c:2062) | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #1 is idle | #1 idle | Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1 | unpacking clear payload | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 3 (0x3) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | #1 in state PARENT_R1: received v2I1, sent v2R1 | received IKE encrypted fragment number '3', total number '5', next payload '0' | stop processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018) | #1 spent 0.118 milliseconds in ikev2_process_packet() | stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.125 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00102 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 539 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500) | a2 30 4a 5b 65 74 84 ee 2f a9 8f 22 d3 2d 1e 58 | 35 20 23 08 00 00 00 01 00 00 02 1b 00 00 01 ff | 00 04 00 05 83 71 a1 63 26 08 8b d5 30 4f 8c f3 | f9 12 8b a3 3a f2 f3 0a 59 b9 84 84 d6 1f 15 7b | 02 e2 e6 8d 12 0f 01 f1 81 e5 17 38 39 4e 3e c0 | 7d 55 0c 9c fc 23 44 95 45 ac 77 dd cb 2d b8 a2 | cd 37 f7 21 0f de a1 d3 b3 f9 13 22 b7 a2 1c 1f | e2 db 85 fe 11 a5 b6 74 cf 13 a9 09 6e b1 d6 5b | ec e7 6c 86 67 b2 97 48 9e 86 8d a3 6e ad 4e bc | 0b 6d 2a b6 ec b3 62 44 5d 92 0a 47 2d 48 d0 9d | db 30 68 a9 ac 89 27 05 52 5c b8 87 75 89 ab 6e | 83 41 f2 ae 9a cd 56 a5 81 9a b2 e5 1b 0d c9 db | 82 2d 5a eb ea af 56 13 a2 aa c0 77 e7 b1 45 7d | be 6b 23 8a d3 fc e1 13 8f 7c f5 bc e5 53 34 78 | 74 93 de 03 3e bb a7 a7 3b d6 af ea 88 96 d0 f5 | 0a 4d 69 b2 cc de 24 17 0c 06 09 83 3f 66 a6 f3 | 45 b7 c2 ae eb 58 c8 03 4a f8 46 b6 3c f9 a1 cb | 91 31 16 da c0 b9 bb 2a 03 89 a1 1a 00 f0 26 35 | 30 81 6d 87 fe 1d dc 0f 3f 51 65 21 82 3b 84 2c | 14 d9 7f e5 a5 f2 29 74 c7 3b 38 a0 e4 b6 69 e5 | a9 89 47 d1 c9 2c 7c c7 38 89 fd 64 e7 b3 9d 7b | c4 3d 95 c5 aa 57 3f 0e 87 59 f2 95 34 cf f4 8e | 6e 04 98 5c f7 ec a1 1b 7a 95 91 b3 4c 66 53 27 | 0f a6 80 af 5a 2a 47 37 60 1b 4e 3a 45 eb 1f fa | d7 25 04 0e 2a a2 be e4 7a b6 70 77 c3 85 58 db | 1d f5 3f 8c fc a4 97 fe 30 64 eb 0f 62 87 5b e2 | 80 85 1d dc 0a 5b bc 5c 86 7d 8d 40 12 e1 2c 31 | 9e 46 05 45 0f 19 d4 49 06 85 ec 7c 09 20 5b 96 | 06 e8 1d da c4 24 27 e9 a3 3d 49 27 0a 97 c4 f5 | 80 5d fa 5c f1 f3 3b d3 25 19 56 8c 61 59 21 a7 | 15 f9 d2 1c 22 ef b0 0e e3 f0 2f 31 7e 85 04 c0 | 42 10 3b 2a 67 d8 2e 92 77 bc d3 3d 21 c8 ee 9c | 86 19 9e 5c fb dd 55 c1 cc be f4 89 a9 2f 62 50 | 5d 8c bc 67 6a 87 d3 70 e2 b7 26 | start processing: from 192.1.3.209:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | a2 30 4a 5b 65 74 84 ee | responder cookie: | 2f a9 8f 22 d3 2d 1e 58 | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) | start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2016) | [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ike_process_packet() at ikev2.c:2062) | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #1 is idle | #1 idle | Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1 | unpacking clear payload | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 4 (0x4) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | #1 in state PARENT_R1: received v2I1, sent v2R1 | received IKE encrypted fragment number '4', total number '5', next payload '0' | stop processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018) | #1 spent 0.113 milliseconds in ikev2_process_packet() | stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.124 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00126 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 66 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500) | a2 30 4a 5b 65 74 84 ee 2f a9 8f 22 d3 2d 1e 58 | 35 20 23 08 00 00 00 01 00 00 00 42 00 00 00 26 | 00 05 00 05 77 81 c0 f9 d3 89 b7 f4 a9 c9 f0 fc | 83 82 d8 f4 0a 17 30 05 89 b2 db c7 48 31 45 84 | 3f fb | start processing: from 192.1.3.209:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | a2 30 4a 5b 65 74 84 ee | responder cookie: | 2f a9 8f 22 d3 2d 1e 58 | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 66 (0x42) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) | start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2016) | [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ike_process_packet() at ikev2.c:2062) | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #1 is idle | #1 idle | Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1 | unpacking clear payload | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 38 (0x26) | fragment number: 5 (0x5) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=30) | #1 in state PARENT_R1: received v2I1, sent v2R1 | received IKE encrypted fragment number '5', total number '5', next payload '0' | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with state specific processing | calling processor Responder: process IKE_AUTH request (no SKEYSEED) | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 | adding ikev2_inI2outR2 KE work-order 2 for state #1 | state #1 requesting EVENT_SO_DISCARD to be deleted | libevent_free: release ptr-libevent@0x5628751615f8 | free_event_entry: release EVENT_SO_DISCARD-pe@0x5628751614d8 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5628751614d8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x7fd560002888 size 128 | #1 spent 0.0273 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() | crypto helper 1 resuming | crypto helper 1 starting work-order 2 for state #1 | [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in complete_v2_state_transition() at ikev2.c:3379) | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND | crypto helper 1 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 | suspending state #1 and saving MD | #1 is busy; has a suspended MD | [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in log_stf_suspend() at ikev2.c:3269) | "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 | stop processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018) | #1 spent 0.155 milliseconds in ikev2_process_packet() | stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.165 milliseconds in comm_handle_cb() reading and processing packet | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 | crypto helper 1 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.000879 seconds | (#1) spent 0.873 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) | crypto helper 1 sending results from work-order 2 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7fd558000f48 size 128 | crypto helper 1 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797) | crypto helper 1 replies to request ID 2 | calling continuation function 0x5628735d6b50 | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 | #1 in state PARENT_R1: received v2I1, sent v2R1 | already have all fragments, skipping fragment collection | already have all fragments, skipping fragment collection | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) | **parse IKEv2 Identification - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2CERT (0x25) | flags: none (0x0) | length: 12 (0xc) | ID type: ID_IPV4_ADDR (0x1) | processing payload: ISAKMP_NEXT_v2IDi (len=4) | Now let's proceed with payload (ISAKMP_NEXT_v2CERT) | **parse IKEv2 Certificate Payload: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) | flags: none (0x0) | length: 1229 (0x4cd) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | processing payload: ISAKMP_NEXT_v2CERT (len=1224) | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) | **parse IKEv2 Authentication Payload: | next payload type: ISAKMP_NEXT_v2SA (0x21) | flags: none (0x0) | length: 392 (0x188) | auth method: IKEv2_AUTH_RSA (0x1) | processing payload: ISAKMP_NEXT_v2AUTH (len=384) | Now let's proceed with payload (ISAKMP_NEXT_v2SA) | **parse IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) | flags: none (0x0) | length: 164 (0xa4) | processing payload: ISAKMP_NEXT_v2SA (len=160) | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) | **parse IKEv2 Traffic Selector - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) | flags: none (0x0) | length: 24 (0x18) | number of TS: 1 (0x1) | processing payload: ISAKMP_NEXT_v2TSi (len=16) | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) | **parse IKEv2 Traffic Selector - Responder - Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 24 (0x18) | number of TS: 1 (0x1) | processing payload: ISAKMP_NEXT_v2TSr (len=16) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | **parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 72 (0x48) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NULL_AUTH (0xa000) | processing payload: ISAKMP_NEXT_v2N (len=64) | selected state microcode Responder: process IKE_AUTH request | Now let's proceed with state specific processing | calling processor Responder: process IKE_AUTH request "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: processing decrypted IKE_AUTH request: SK{IDi,CERT,AUTH,SA,TSi,TSr,N} | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) | global one-shot timer EVENT_FREE_ROOT_CERTS scheduled in 300 seconds loading root certificate cache | spent 2.63 milliseconds in get_root_certs() calling PK11_ListCertsInSlot() | spent 0.0154 milliseconds in get_root_certs() filtering CAs | #1 spent 2.67 milliseconds in find_and_verify_certs() calling get_root_certs() | checking for known CERT payloads | saving certificate of type 'X509_SIGNATURE' | decoded cert: E=user-road@testing.libreswan.org,CN=road.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | #1 spent 0.18 milliseconds in find_and_verify_certs() calling decode_cert_payloads() | cert_issuer_has_current_crl: looking for a CRL issued by E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | #1 spent 0.0295 milliseconds in find_and_verify_certs() calling crl_update_check() | missing or expired CRL | crl_strict: 0, ocsp: 0, ocsp_strict: 0, ocsp_post: 0 | verify_end_cert trying profile IPsec "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: Certificate E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA failed IPsec verification "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: ERROR: The certificate was signed using a signature algorithm that is disabled because it is not secure. | #1 spent 0.312 milliseconds in find_and_verify_certs() calling verify_end_cert() "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: X509: Certificate rejected for this connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: X509: CERT payload bogus or revoked | parsing 4 raw bytes of IKEv2 Identification - Initiator - Payload into peer ID | peer ID c0 01 03 d1 | refine_host_connection for IKEv2: starting with "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 | match_id a=192.1.3.209 | b=192.1.3.209 | results matched | refine_host_connection: checking "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 against "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) | Warning: not switching back to template of current instance | No IDr payload received from peer | refine_host_connection: checked private-or-clear#192.1.3.0/24[1] ...192.1.3.209 against private-or-clear#192.1.3.0/24[1] ...192.1.3.209, now for see if best | started looking for secret for 192.1.2.23->192.1.3.209 of kind PKK_RSA | searching for certificate PKK_RSA:AQO9bJbr3 vs PKK_RSA:AwEAAbEef | private key for cert east not found in local cache; loading from NSS DB | certs and keys locked by 'lsw_add_rsa_secret' | certs and keys unlocked by 'lsw_add_rsa_secret' | searching for certificate PKK_RSA:AwEAAbEef vs PKK_RSA:AwEAAbEef | returning because exact peer id match | offered CA: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | IKEv2 mode peer ID is ID_IPV4_ADDR: '192.1.3.209' | received v2N_NULL_AUTH | parsing 64 raw bytes of IKEv2 Notify Payload into NULL_AUTH extract | NULL_AUTH extract be 93 fe 5a f9 7e 2f a3 ec 4e ed 84 12 8c f9 b8 | NULL_AUTH extract 38 fc c2 5c 2f ad 30 da 51 89 07 00 6d 88 16 ec | NULL_AUTH extract a4 1d 22 5d 8e 55 12 18 3f c9 cc ef 9a db b1 a6 | NULL_AUTH extract 75 09 f7 6d cf fd d2 fe 4d 8a 0a fc 30 ec 2e 56 | verifying AUTH payload | required RSA CA is '%any' | checking RSA keyid 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' for match with '192.1.3.209' | checking RSA keyid 'user-east@testing.libreswan.org' for match with '192.1.3.209' | checking RSA keyid '@east.testing.libreswan.org' for match with '192.1.3.209' | checking RSA keyid 'east@testing.libreswan.org' for match with '192.1.3.209' | checking RSA keyid '192.1.2.23' for match with '192.1.3.209' "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: no RSA public key known for '192.1.3.209' | #1 spent 0.028 milliseconds in ikev2_verify_rsa_hash() "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: RSA authentication of I2 Auth Payload failed "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: responding to IKE_AUTH message (ID 1) from 192.1.3.209:500 with encrypted notification AUTHENTICATION_FAILED | Opening output PBS encrypted notification | **emit ISAKMP Message: | initiator cookie: | a2 30 4a 5b 65 74 84 ee | responder cookie: | 2f a9 8f 22 d3 2d 1e 58 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'encrypted notification' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | Adding a v2N Payload | ****emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_AUTHENTICATION_FAILED (0x18) | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'encrypted notification' | emitting length of IKEv2 Notify Payload: 8 | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 37 | emitting length of ISAKMP Message: 65 | sending 65 bytes for v2 notify through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1) | a2 30 4a 5b 65 74 84 ee 2f a9 8f 22 d3 2d 1e 58 | 2e 20 23 20 00 00 00 01 00 00 00 41 29 00 00 25 | 90 7c fc 3b 7f 6e dc 3d 35 aa 25 8f bc 69 83 77 | b2 e3 83 14 a8 be b4 28 90 00 fa ff 35 9f 33 35 | ae | pstats #1 ikev2.ike failed auth-failed | ikev2_parent_inI2outR2_continue_tail returned STF_FATAL | #1 spent 3.65 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() | [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in complete_v2_state_transition() at ikev2.c:3379) | #1 complete_v2_state_transition() PARENT_R1->V2_IPSEC_R with status STF_FATAL | release_pending_whacks: state #1 has no whack fd | pstats #1 ikev2.ike deleted auth-failed | #1 spent 3.43 milliseconds in total | [RE]START processing: state #1 connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 from 192.1.3.209:500 (in delete_state() at state.c:879) "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 #1: deleting state (STATE_PARENT_R1) aged 0.017s and NOT sending notification | parent state #1: PARENT_R1(half-open IKE SA) => delete | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7fd560002888 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5628751614d8 | State DB: IKEv2 state not found (flush_incomplete_children) | in connection_discard for connection private-or-clear#192.1.3.0/24 | connection is instance | not in pending use | State DB: state not found (connection_discard) | no states use this connection instance, deleting | start processing: connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 (BACKGROUND) (in delete_connection() at connections.c:189) | Deleting states for connection - not including other IPsec SA's | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | state #1 | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | state #1 | free hp@0x5628751613a8 | flush revival: connection 'private-or-clear#192.1.3.0/24' wasn't on the list | stop processing: connection "private-or-clear#192.1.3.0/24"[1] ...192.1.3.209 (BACKGROUND) (in discard_connection() at connections.c:249) | State DB: deleting IKEv2 state #1 in PARENT_R1 | parent state #1: PARENT_R1(half-open IKE SA) => UNDEFINED(ignore) | stop processing: state #1 from 192.1.3.209:500 (in delete_state() at state.c:1143) | resume sending helper answer for #1 suppresed complete_v2_state_transition() | in statetime_stop() and could not find #1 | processing: STOP state #0 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fd558000f48 | processing global timer EVENT_SHUNT_SCAN | expiring aged bare shunts from shunt table | spent 0.00347 milliseconds in global timer EVENT_SHUNT_SCAN | kernel_process_msg_cb process netlink message | netlink_get: XFRM_MSG_ACQUIRE message | xfrm netlink msg len 376 | xfrm acquire rtattribute type 5 | xfrm acquire rtattribute type 16 | add bare shunt 0x56287514f628 192.1.2.23/32:0 --1--> 192.1.3.209/32:0 => %hold 0 %acquire-netlink initiate on demand from 192.1.2.23:0 to 192.1.3.209:0 proto=1 because: acquire | find_connection: looking for policy for connection: 192.1.2.23:1/0 -> 192.1.3.209:1/0 | FOR_EACH_CONNECTION_... in find_connection_for_clients | find_connection: conn "private-or-clear#192.1.3.0/24" has compatible peers: 192.1.2.23/32 -> 192.1.3.0/24 [pri: 33554444] | find_connection: first OK "private-or-clear#192.1.3.0/24" [pri:33554444]{0x56287515ecb8} (child none) | find_connection: concluding with "private-or-clear#192.1.3.0/24" [pri:33554444]{0x56287515ecb8} kind=CK_TEMPLATE | creating new instance from "private-or-clear#192.1.3.0/24" | shunt widened for protoports since conn does not limit protocols | going to initiate opportunistic, first installing pass negotiationshunt | priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfe7 | oe-negotiating eroute 192.1.2.23/32:0 --0-> 192.1.3.209/32:0 => %pass (raw_eroute) | netlink_raw_eroute: SPI_PASS | IPsec Sa SPD priority set to 2088935 | raw_eroute result=success | added bare (possibly wided) passthrough negotiationshunt succeeded (violating API) | add bare shunt 0x562875172648 192.1.2.23/32:0 --0--> 192.1.3.209/32:0 => %hold 0 oe-negotiating | fiddle_bare_shunt called | fiddle_bare_shunt with transport_proto 1 | removing specific host-to-host bare shunt | delete bare kernel shunt - was replaced with negotiationshunt eroute 192.1.2.23/32:0 --1-> 192.1.3.209/32:0 => %hold (raw_eroute) | netlink_raw_eroute: SPI_PASS | raw_eroute result=success | raw_eroute with op='delete' for transport_proto='1' kernel shunt succeeded, bare shunt lookup succeeded | delete bare shunt 0x56287514f628 192.1.2.23/32:0 --1--> 192.1.3.209/32:0 => %hold 0 %acquire-netlink | success taking down narrow bare shunt | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | checking private-or-clear-all | checking block | checking private | checking private-or-clear | checking private-or-clear#192.1.3.0/24 | checking clear-or-private | checking clear | checking clear#192.1.2.253/32 | checking clear#192.1.3.253/32 | checking clear#192.1.3.254/32 | checking clear#192.1.2.254/32 | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | checking private-or-clear-all | checking block | checking private | checking private-or-clear | checking private-or-clear#192.1.3.0/24 | checking clear-or-private | checking clear | checking clear#192.1.2.253/32 | checking clear#192.1.3.253/32 | checking clear#192.1.3.254/32 | checking clear#192.1.2.254/32 | connect_to_host_pair: 192.1.2.23:500 192.1.3.209:500 -> hp@(nil): none | new hp@0x5628751613a8 | oppo instantiate d="private-or-clear#192.1.3.0/24" from c="private-or-clear#192.1.3.0/24" with c->routing prospective erouted, d->routing unrouted | new oppo instance: 192.1.2.23---192.1.2.254...192.1.3.209===192.1.3.0/24 | oppo_instantiate() instantiated "[2] ...192.1.3.209"private-or-clear#192.1.3.0/24: 192.1.2.23---192.1.2.254...192.1.3.209 | assigning negotiation_shunt to connection | assign hold, routing was unrouted, needs to be unrouted HOLD | assign_holdpass() removing bare shunt | delete bare shunt 0x562875172648 192.1.2.23/32:0 --0--> 192.1.3.209/32:0 => %hold 0 oe-negotiating | assign_holdpass() done - returning success | assign_holdpass succeeded | initiate on demand from 192.1.2.23:0 to 192.1.3.209:0 proto=1 because: acquire | FOR_EACH_STATE_... in find_phase1_state | creating state object #2 at 0x562875174638 | State DB: adding IKEv2 state #2 in UNDEFINED | pstats #2 ikev2.ike started | Message ID: init #2: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 | parent state #2: UNDEFINED(ignore) => PARENT_I0(ignore) | Message ID: init_ike #2; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 | start processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ikev2_parent_outI1() at ikev2_parent.c:535) | dup_any(fd@-1) -> fd@-1 (in ikev2_parent_outI1() at ikev2_parent.c:551) | Queuing pending IPsec SA negotiating with 192.1.3.209 "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 IKE SA #2 "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 | constructing local IKE proposals for private-or-clear#192.1.3.0/24 (IKE SA initiator selecting KE) | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... | ... ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209: constructed local IKE proposals for private-or-clear#192.1.3.0/24 (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 | adding ikev2_outI1 KE work-order 3 for state #2 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7fd558001f18 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x56287517bb58 size 128 | #2 spent 0.339 milliseconds in ikev2_parent_outI1() | crypto helper 2 resuming | crypto helper 2 starting work-order 3 for state #2 | crypto helper 2 doing build KE and nonce (ikev2_outI1 KE); request ID 3 | crypto helper 2 finished build KE and nonce (ikev2_outI1 KE); request ID 3 time elapsed 0.001001 seconds | (#2) spent 0.996 milliseconds in crypto helper computing work-order 3: ikev2_outI1 KE (pcr) | crypto helper 2 sending results from work-order 3 for state #2 to event queue | scheduling resume sending helper answer for #2 | libevent_malloc: new ptr-libevent@0x7fd55c002888 size 128 | crypto helper 2 waiting (nothing to do) | RESET processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ikev2_parent_outI1() at ikev2_parent.c:610) | initiate on demand using AUTH_NULL from 192.1.2.23 to 192.1.3.209 | spent 0.388 milliseconds in kernel message | processing resume sending helper answer for #2 | start processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in resume_handler() at server.c:797) | crypto helper 2 replies to request ID 3 | calling continuation function 0x5628735d6b50 | ikev2_parent_outI1_continue for #2 | **emit ISAKMP Message: | initiator cookie: | 7b 6a 2a dd 5c 7a c7 69 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | using existing local IKE proposals for connection private-or-clear#192.1.3.0/24 (IKE SA initiator emitting local proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 | Emitting ikev2_proposals ... | ***emit IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' | discarding INTEG=NONE | ****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 11 (0xb) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | ******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of IKEv2 Transform Substructure Payload: 12 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | discarding INTEG=NONE | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 100 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | discarding INTEG=NONE | ****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | prop #: 2 (0x2) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 11 (0xb) | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | ******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of IKEv2 Transform Substructure Payload: 12 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | discarding INTEG=NONE | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 100 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | ****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | prop #: 3 (0x3) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 13 (0xd) | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | ******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of IKEv2 Transform Substructure Payload: 12 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 116 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | ****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | prop #: 4 (0x4) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 13 (0xd) | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | ******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of IKEv2 Transform Substructure Payload: 12 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 116 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | emitting length of IKEv2 Security Association Payload: 436 | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 | ***emit IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload | ikev2 g^x eb 1e 10 d3 ea 20 4d c3 02 15 82 50 12 8c 49 7c | ikev2 g^x 69 f5 73 cf e3 30 9b 18 36 ca 56 70 91 94 62 02 | ikev2 g^x e3 b9 14 16 23 0a 87 ed c7 fb b6 66 bb ec 74 bc | ikev2 g^x 8b ec ea 58 27 64 cd ac 7d 2d 6f 9f 13 2d 24 97 | ikev2 g^x a0 86 00 0d a5 98 78 4c 7f 3b 02 46 bb 19 3b 4f | ikev2 g^x 25 46 9f 7a 2b ad 7e 91 58 b9 44 a4 85 a2 6f 42 | ikev2 g^x cd f8 56 f2 7d 26 1a 8f cd c2 bd 83 8c 96 59 26 | ikev2 g^x 15 23 84 cb b7 71 87 0a 31 60 53 48 64 90 bf 00 | ikev2 g^x c7 bf a8 7b b5 cb 68 65 9a e6 9d 09 10 d8 4d 7f | ikev2 g^x 70 14 1d 5c f5 38 19 34 55 18 7a 5f 76 a9 a8 0a | ikev2 g^x 16 3b 86 2b 90 53 19 8a fa b5 aa ed f6 e1 47 6f | ikev2 g^x 04 b0 08 b9 a9 17 59 6b 28 3d 93 32 a0 5a 99 fd | ikev2 g^x 2f bd d0 d5 4c d6 2d e8 77 e8 61 02 61 7e a2 6b | ikev2 g^x 52 33 0e 4d 19 c9 4b 8a 0e 0a 7a 29 88 41 e3 59 | ikev2 g^x 95 8b f6 2f 21 0a 8b 4e 24 a0 9f 0e 1b 68 c5 3b | ikev2 g^x 79 c7 cb 4b e9 34 72 fa d0 53 13 f5 27 8f fe a8 | emitting length of IKEv2 Key Exchange Payload: 264 | ***emit IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload | IKEv2 nonce 0e ee 5e fb 18 2e 44 cc a5 f8 16 85 08 88 83 57 | IKEv2 nonce c3 ca c4 37 37 31 51 47 ce e6 66 ae 5c 5e c7 7a | emitting length of IKEv2 Nonce Payload: 36 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting length of IKEv2 Notify Payload: 8 | NAT-Traversal support [enabled] add v2N payloads. | natd_hash: rcookie is zero | natd_hash: hasher=0x5628736ab800(20) | natd_hash: icookie= 7b 6a 2a dd 5c 7a c7 69 | natd_hash: rcookie= 00 00 00 00 00 00 00 00 | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= ac ee 88 87 3e c6 65 1c e6 a7 e1 02 a7 b1 95 f2 | natd_hash: hash= 39 e4 45 a2 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload | Notify data ac ee 88 87 3e c6 65 1c e6 a7 e1 02 a7 b1 95 f2 | Notify data 39 e4 45 a2 | emitting length of IKEv2 Notify Payload: 28 | natd_hash: rcookie is zero | natd_hash: hasher=0x5628736ab800(20) | natd_hash: icookie= 7b 6a 2a dd 5c 7a c7 69 | natd_hash: rcookie= 00 00 00 00 00 00 00 00 | natd_hash: ip= c0 01 03 d1 | natd_hash: port=500 | natd_hash: hash= 5f a7 95 a7 73 e6 21 8f 2e 56 f5 e1 db f0 5a 81 | natd_hash: hash= 46 71 d4 8a | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload | Notify data 5f a7 95 a7 73 e6 21 8f 2e 56 f5 e1 db f0 5a 81 | Notify data 46 71 d4 8a | emitting length of IKEv2 Notify Payload: 28 | ***emit IKEv2 Vendor ID Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Vendor ID Payload (43:ISAKMP_NEXT_v2V) | next payload chain: saving location 'IKEv2 Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 19 raw bytes of Opportunistic IPsec into IKEv2 Vendor ID Payload | Opportunistic IPsec 4f 70 70 6f 72 74 75 6e 69 73 74 69 63 20 49 50 | Opportunistic IPsec 73 65 63 | emitting length of IKEv2 Vendor ID Payload: 23 | emitting length of ISAKMP Message: 851 | stop processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ikev2_parent_outI1_common() at ikev2_parent.c:817) | start processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in complete_v2_state_transition() at ikev2.c:3379) | #2 complete_v2_state_transition() PARENT_I0->PARENT_I1 with status STF_OK | IKEv2: transition from state STATE_PARENT_I0 to state STATE_PARENT_I1 | parent state #2: PARENT_I0(ignore) => PARENT_I1(half-open IKE SA) | Message ID: updating counters for #2 to 4294967295 after switching state | Message ID: IKE #2 skipping update_recv as MD is fake | Message ID: sent #2 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1->0 wip.responder=-1 | STATE_PARENT_I1: sent v2I1, expected v2R1 | sending V2 reply packet to 192.1.3.209:500 (from 192.1.2.23:500) | sending 851 bytes for STATE_PARENT_I0 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #2) | 7b 6a 2a dd 5c 7a c7 69 00 00 00 00 00 00 00 00 | 21 20 22 08 00 00 00 00 00 00 03 53 22 00 01 b4 | 02 00 00 64 01 01 00 0b 03 00 00 0c 01 00 00 14 | 80 0e 01 00 03 00 00 08 02 00 00 07 03 00 00 08 | 02 00 00 05 03 00 00 08 04 00 00 0e 03 00 00 08 | 04 00 00 0f 03 00 00 08 04 00 00 10 03 00 00 08 | 04 00 00 12 03 00 00 08 04 00 00 13 03 00 00 08 | 04 00 00 14 03 00 00 08 04 00 00 15 00 00 00 08 | 04 00 00 1f 02 00 00 64 02 01 00 0b 03 00 00 0c | 01 00 00 14 80 0e 00 80 03 00 00 08 02 00 00 07 | 03 00 00 08 02 00 00 05 03 00 00 08 04 00 00 0e | 03 00 00 08 04 00 00 0f 03 00 00 08 04 00 00 10 | 03 00 00 08 04 00 00 12 03 00 00 08 04 00 00 13 | 03 00 00 08 04 00 00 14 03 00 00 08 04 00 00 15 | 00 00 00 08 04 00 00 1f 02 00 00 74 03 01 00 0d | 03 00 00 0c 01 00 00 0c 80 0e 01 00 03 00 00 08 | 02 00 00 07 03 00 00 08 02 00 00 05 03 00 00 08 | 03 00 00 0e 03 00 00 08 03 00 00 0c 03 00 00 08 | 04 00 00 0e 03 00 00 08 04 00 00 0f 03 00 00 08 | 04 00 00 10 03 00 00 08 04 00 00 12 03 00 00 08 | 04 00 00 13 03 00 00 08 04 00 00 14 03 00 00 08 | 04 00 00 15 00 00 00 08 04 00 00 1f 00 00 00 74 | 04 01 00 0d 03 00 00 0c 01 00 00 0c 80 0e 00 80 | 03 00 00 08 02 00 00 07 03 00 00 08 02 00 00 05 | 03 00 00 08 03 00 00 0e 03 00 00 08 03 00 00 0c | 03 00 00 08 04 00 00 0e 03 00 00 08 04 00 00 0f | 03 00 00 08 04 00 00 10 03 00 00 08 04 00 00 12 | 03 00 00 08 04 00 00 13 03 00 00 08 04 00 00 14 | 03 00 00 08 04 00 00 15 00 00 00 08 04 00 00 1f | 28 00 01 08 00 0e 00 00 eb 1e 10 d3 ea 20 4d c3 | 02 15 82 50 12 8c 49 7c 69 f5 73 cf e3 30 9b 18 | 36 ca 56 70 91 94 62 02 e3 b9 14 16 23 0a 87 ed | c7 fb b6 66 bb ec 74 bc 8b ec ea 58 27 64 cd ac | 7d 2d 6f 9f 13 2d 24 97 a0 86 00 0d a5 98 78 4c | 7f 3b 02 46 bb 19 3b 4f 25 46 9f 7a 2b ad 7e 91 | 58 b9 44 a4 85 a2 6f 42 cd f8 56 f2 7d 26 1a 8f | cd c2 bd 83 8c 96 59 26 15 23 84 cb b7 71 87 0a | 31 60 53 48 64 90 bf 00 c7 bf a8 7b b5 cb 68 65 | 9a e6 9d 09 10 d8 4d 7f 70 14 1d 5c f5 38 19 34 | 55 18 7a 5f 76 a9 a8 0a 16 3b 86 2b 90 53 19 8a | fa b5 aa ed f6 e1 47 6f 04 b0 08 b9 a9 17 59 6b | 28 3d 93 32 a0 5a 99 fd 2f bd d0 d5 4c d6 2d e8 | 77 e8 61 02 61 7e a2 6b 52 33 0e 4d 19 c9 4b 8a | 0e 0a 7a 29 88 41 e3 59 95 8b f6 2f 21 0a 8b 4e | 24 a0 9f 0e 1b 68 c5 3b 79 c7 cb 4b e9 34 72 fa | d0 53 13 f5 27 8f fe a8 29 00 00 24 0e ee 5e fb | 18 2e 44 cc a5 f8 16 85 08 88 83 57 c3 ca c4 37 | 37 31 51 47 ce e6 66 ae 5c 5e c7 7a 29 00 00 08 | 00 00 40 2e 29 00 00 1c 00 00 40 04 ac ee 88 87 | 3e c6 65 1c e6 a7 e1 02 a7 b1 95 f2 39 e4 45 a2 | 2b 00 00 1c 00 00 40 05 5f a7 95 a7 73 e6 21 8f | 2e 56 f5 e1 db f0 5a 81 46 71 d4 8a 00 00 00 17 | 4f 70 70 6f 72 74 75 6e 69 73 74 69 63 20 49 50 | 73 65 63 | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x56287517bb58 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7fd558001f18 | success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=15000ms "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #2: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds | event_schedule: new EVENT_RETRANSMIT-pe@0x7fd558001f18 | inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x562875172718 size 128 | #2 STATE_PARENT_I1: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29642.146101 | resume sending helper answer for #2 suppresed complete_v2_state_transition() and stole MD | #2 spent 1.25 milliseconds in resume sending helper answer | stop processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fd55c002888 | spent 0.00196 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 460 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500) | 7b 6a 2a dd 5c 7a c7 69 09 8a aa 72 c2 0f 6a aa | 21 20 22 20 00 00 00 00 00 00 01 cc 22 00 00 28 | 00 00 00 24 01 01 00 03 03 00 00 0c 01 00 00 14 | 80 0e 01 00 03 00 00 08 02 00 00 07 00 00 00 08 | 04 00 00 0e 28 00 01 08 00 0e 00 00 90 2b e0 aa | 81 e4 e1 bb bd e7 37 a1 3f bd 53 08 58 6f 40 c5 | 95 ee cd 47 97 8d 98 1c 8f 98 20 cf 89 50 06 e3 | a6 f5 08 2f 08 cf 51 78 4e 74 33 f4 25 12 35 9e | 10 c4 9b d4 a3 d8 25 f8 a7 d9 a4 8a 8f dc b0 ee | 7b 01 ec 3d 5d 53 d9 64 f3 9c eb 80 3f 53 cd ec | 66 7c 7a b6 d3 01 6e 98 a9 28 fb a1 b6 b0 c9 5a | 77 47 7d c4 31 54 d8 2e bd 41 d9 6d 69 b2 e2 be | a1 4b 1a e5 e9 59 87 29 08 17 6f 5a 0c 53 be 51 | 65 75 0d 4d e8 cd 29 ba 64 ae b4 ee c1 49 16 64 | 11 db fd fd 33 fc 76 0d 23 80 b3 26 c8 86 31 46 | 62 56 09 71 80 71 c1 bf b9 d0 25 b0 4f a1 c5 0e | e9 68 76 4e 42 04 b1 54 64 e4 7a 94 67 ee d4 5d | 72 e0 ce f6 85 43 5e fa 0c 62 ed 03 15 e0 57 e6 | 7f 6c a3 1b a4 41 f9 8a 73 9f 4b c8 bf 07 31 1c | 10 d4 2f f5 f1 cf c5 c0 13 85 74 35 ad 93 2a ba | 1b 90 e1 eb 4a 47 e3 9a 10 56 44 82 29 00 00 24 | e3 9f a3 0c bd 28 70 94 b3 21 4e 6b 5b 6f be 5c | 15 55 1e 31 b8 42 74 ec 7f cb 90 3d 1e dd 70 dd | 29 00 00 08 00 00 40 2e 29 00 00 1c 00 00 40 04 | 2c c8 62 a9 0e e7 b8 59 45 3c 1d 09 56 90 2c 19 | eb a7 82 48 26 00 00 1c 00 00 40 05 a4 02 ab 2f | 84 be 38 bc aa b4 de 69 5c 05 d5 e3 6f 7b 7d 25 | 2b 00 00 05 04 00 00 00 17 4f 70 70 6f 72 74 75 | 6e 69 73 74 69 63 20 49 50 73 65 63 | start processing: from 192.1.3.209:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 7b 6a 2a dd 5c 7a c7 69 | responder cookie: | 09 8a aa 72 c2 0f 6a aa | next payload type: ISAKMP_NEXT_v2SA (0x21) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 0 (0x0) | length: 460 (0x1cc) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) | I am the IKE SA Original Initiator receiving an IKEv2 IKE_SA_INIT response | State DB: found IKEv2 state #2 in PARENT_I1 (find_v2_ike_sa_by_initiator_spi) | start processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ikev2_process_packet() at ikev2.c:2016) | [RE]START processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ike_process_packet() at ikev2.c:2062) | #2 is idle | #2 idle | unpacking clear payload | Now let's proceed with payload (ISAKMP_NEXT_v2SA) | ***parse IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2KE (0x22) | flags: none (0x0) | length: 40 (0x28) | processing payload: ISAKMP_NEXT_v2SA (len=36) | Now let's proceed with payload (ISAKMP_NEXT_v2KE) | ***parse IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2Ni (0x28) | flags: none (0x0) | length: 264 (0x108) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | processing payload: ISAKMP_NEXT_v2KE (len=256) | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) | ***parse IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 36 (0x24) | processing payload: ISAKMP_NEXT_v2Ni (len=32) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 8 (0x8) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | processing payload: ISAKMP_NEXT_v2N (len=0) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | processing payload: ISAKMP_NEXT_v2N (len=20) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2CERTREQ (0x26) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | processing payload: ISAKMP_NEXT_v2N (len=20) | Now let's proceed with payload (ISAKMP_NEXT_v2CERTREQ) | ***parse IKEv2 Certificate Request Payload: | next payload type: ISAKMP_NEXT_v2V (0x2b) | flags: none (0x0) | length: 5 (0x5) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | processing payload: ISAKMP_NEXT_v2CERTREQ (len=0) | Now let's proceed with payload (ISAKMP_NEXT_v2V) | ***parse IKEv2 Vendor ID Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 23 (0x17) | processing payload: ISAKMP_NEXT_v2V (len=19) | State DB: re-hashing IKEv2 state #2 IKE SPIi and SPI[ir] | #2 in state PARENT_I1: sent v2I1, expected v2R1 | selected state microcode Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH | Now let's proceed with state specific processing | calling processor Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH | ikev2 parent inR1: calculating g^{xy} in order to send I2 | using existing local IKE proposals for connection private-or-clear#192.1.3.0/24 (IKE SA initiator accepting remote proposal): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 | Comparing remote proposals against IKE initiator (accepting) 4 local proposals | local proposal 1 type ENCR has 1 transforms | local proposal 1 type PRF has 2 transforms | local proposal 1 type INTEG has 1 transforms | local proposal 1 type DH has 8 transforms | local proposal 1 type ESN has 0 transforms | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG | local proposal 2 type ENCR has 1 transforms | local proposal 2 type PRF has 2 transforms | local proposal 2 type INTEG has 1 transforms | local proposal 2 type DH has 8 transforms | local proposal 2 type ESN has 0 transforms | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG | local proposal 3 type ENCR has 1 transforms | local proposal 3 type PRF has 2 transforms | local proposal 3 type INTEG has 2 transforms | local proposal 3 type DH has 8 transforms | local proposal 3 type ESN has 0 transforms | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none | local proposal 4 type ENCR has 1 transforms | local proposal 4 type PRF has 2 transforms | local proposal 4 type INTEG has 2 transforms | local proposal 4 type DH has 8 transforms | local proposal 4 type ESN has 0 transforms | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | length: 36 (0x24) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 3 (0x3) | Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | remote proposal 1 transform 2 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH | remote proposal 1 matches local proposal 1 | remote accepted the proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048[first-match] | converting proposal to internal trans attrs | natd_hash: hasher=0x5628736ab800(20) | natd_hash: icookie= 7b 6a 2a dd 5c 7a c7 69 | natd_hash: rcookie= 09 8a aa 72 c2 0f 6a aa | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= a4 02 ab 2f 84 be 38 bc aa b4 de 69 5c 05 d5 e3 | natd_hash: hash= 6f 7b 7d 25 | natd_hash: hasher=0x5628736ab800(20) | natd_hash: icookie= 7b 6a 2a dd 5c 7a c7 69 | natd_hash: rcookie= 09 8a aa 72 c2 0f 6a aa | natd_hash: ip= c0 01 03 d1 | natd_hash: port=500 | natd_hash: hash= 2c c8 62 a9 0e e7 b8 59 45 3c 1d 09 56 90 2c 19 | natd_hash: hash= eb a7 82 48 | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat-keepalive enabled 192.1.3.209 | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 | adding ikev2_inR1outI2 KE work-order 4 for state #2 | state #2 requesting EVENT_RETRANSMIT to be deleted | #2 STATE_PARENT_I1: retransmits: cleared | libevent_free: release ptr-libevent@0x562875172718 | free_event_entry: release EVENT_RETRANSMIT-pe@0x7fd558001f18 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7fd558001f18 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x7fd55c002888 size 128 | #2 spent 0.205 milliseconds in processing: Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH in ikev2_process_state_packet() | [RE]START processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in complete_v2_state_transition() at ikev2.c:3379) | #2 complete_v2_state_transition() PARENT_I1->PARENT_I2 with status STF_SUSPEND | suspending state #2 and saving MD | crypto helper 3 resuming | #2 is busy; has a suspended MD | crypto helper 3 starting work-order 4 for state #2 | [RE]START processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in log_stf_suspend() at ikev2.c:3269) | "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #2 complete v2 state STATE_PARENT_I1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 | crypto helper 3 doing compute dh (V2) (ikev2_inR1outI2 KE); request ID 4 | stop processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ikev2_process_packet() at ikev2.c:2018) | #2 spent 0.468 milliseconds in ikev2_process_packet() | stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.479 milliseconds in comm_handle_cb() reading and processing packet | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 | crypto helper 3 finished compute dh (V2) (ikev2_inR1outI2 KE); request ID 4 time elapsed 0.001337 seconds | (#2) spent 1.33 milliseconds in crypto helper computing work-order 4: ikev2_inR1outI2 KE (pcr) | crypto helper 3 sending results from work-order 4 for state #2 to event queue | scheduling resume sending helper answer for #2 | libevent_malloc: new ptr-libevent@0x7fd550000f48 size 128 | crypto helper 3 waiting (nothing to do) | processing resume sending helper answer for #2 | start processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in resume_handler() at server.c:797) | crypto helper 3 replies to request ID 4 | calling continuation function 0x5628735d6b50 | ikev2_parent_inR1outI2_continue for #2: calculating g^{xy}, sending I2 | creating state object #3 at 0x562875176218 | State DB: adding IKEv2 state #3 in UNDEFINED | pstats #3 ikev2.child started | duplicating state object #2 "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 as #3 for IPSEC SA | #3 setting local endpoint to 192.1.2.23:500 from #2.st_localport (in duplicate_state() at state.c:1484) | Message ID: init_child #2.#3; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1; child: wip.initiator=0->-1 wip.responder=0->-1 | Message ID: switch-from #2 response 0; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=0->-1 wip.responder=-1 | Message ID: switch-to #2.#3 response 0; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1; child: wip.initiator=-1->0 wip.responder=-1 | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7fd55c002888 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7fd558001f18 | event_schedule: new EVENT_SA_REPLACE-pe@0x7fd558001f18 | inserting event EVENT_SA_REPLACE, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x7fd55c002888 size 128 | parent state #2: PARENT_I1(half-open IKE SA) => PARENT_I2(open IKE SA) | **emit ISAKMP Message: | initiator cookie: | 7b 6a 2a dd 5c 7a c7 69 | responder cookie: | 09 8a aa 72 c2 0f 6a aa | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | IKEv2 CERT: send a certificate? | IKEv2 CERT: OK to send a certificate (always) | IDr payload will NOT be sent | ****emit IKEv2 Identification - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ID type: ID_IPV4_ADDR (0x1) | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Initiator - Payload (35:ISAKMP_NEXT_v2IDi) | next payload chain: saving location 'IKEv2 Identification - Initiator - Payload'.'next payload type' in 'reply packet' | emitting 4 raw bytes of my identity into IKEv2 Identification - Initiator - Payload | my identity c0 01 02 17 | emitting length of IKEv2 Identification - Initiator - Payload: 12 | Sending [CERT] of certificate: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | ****emit IKEv2 Certificate Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | next payload chain: setting previous 'IKEv2 Identification - Initiator - Payload'.'next payload type' to current IKEv2 Certificate Payload (37:ISAKMP_NEXT_v2CERT) | next payload chain: saving location 'IKEv2 Certificate Payload'.'next payload type' in 'reply packet' | emitting 1260 raw bytes of CERT into IKEv2 Certificate Payload | CERT 30 82 04 e8 30 82 04 51 a0 03 02 01 02 02 01 03 | CERT 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 | CERT 81 ac 31 0b 30 09 06 03 55 04 06 13 02 43 41 31 | CERT 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 69 | CERT 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 6f | CERT 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c 69 | CERT 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 0b | CERT 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 6e | CERT 74 31 25 30 23 06 03 55 04 03 0c 1c 4c 69 62 72 | CERT 65 73 77 61 6e 20 74 65 73 74 20 43 41 20 66 6f | CERT 72 20 6d 61 69 6e 63 61 31 24 30 22 06 09 2a 86 | CERT 48 86 f7 0d 01 09 01 16 15 74 65 73 74 69 6e 67 | CERT 40 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 30 22 | CERT 18 0f 32 30 31 39 30 38 32 34 30 39 30 37 35 33 | CERT 5a 18 0f 32 30 32 32 30 38 32 33 30 39 30 37 35 | CERT 33 5a 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02 | CERT 43 41 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 | CERT 61 72 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 | CERT 6f 72 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c | CERT 09 4c 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 | CERT 55 04 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 | CERT 6d 65 6e 74 31 23 30 21 06 03 55 04 03 0c 1a 65 | CERT 61 73 74 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 | CERT 65 73 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a | CERT 86 48 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 65 | CERT 61 73 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 | CERT 65 73 77 61 6e 2e 6f 72 67 30 82 01 a2 30 0d 06 | CERT 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 8f | CERT 00 30 82 01 8a 02 82 01 81 00 b1 1e 7c b3 bf 11 | CERT 96 94 23 ca 97 5e c7 66 36 55 71 49 95 8d 0c 2a | CERT 5c 30 4d 58 29 a3 7b 4d 3b 3f 03 06 46 a6 04 63 | CERT 71 0d e1 59 4f 9c ec 3a 17 24 8d 91 6a a8 e2 da | CERT 57 41 de f4 ff 65 bf f6 11 34 d3 7d 5a 7f 6e 3a | CERT 3b 74 3c 51 2b e4 bf ce 6b b2 14 47 26 52 f5 57 | CERT 28 bc c5 fb f9 bc 2d 4e b9 f8 46 54 c7 95 41 a7 | CERT a4 b4 d3 b3 fe 55 4b df f5 c3 78 39 8b 4e 04 57 | CERT c0 1d 5b 17 3c 28 eb 40 9d 1d 7c b3 bb 0f f0 63 | CERT c7 c0 84 b0 4e e4 a9 7c c5 4b 08 43 a6 2d 00 22 | CERT fd 98 d4 03 d0 ad 97 85 d1 48 15 d3 e4 e5 2d 46 | CERT 7c ab 41 97 05 27 61 77 3d b6 b1 58 a0 5f e0 8d | CERT 26 84 9b 03 20 ce 5e 27 7f 7d 14 03 b6 9d 6b 9f | CERT fd 0c d4 c7 2d eb be ea 62 87 fa 99 e0 a6 1c 85 | CERT 4f 34 da 93 2e 5f db 03 10 58 a8 c4 99 17 2d b1 | CERT bc e5 7b bd af 0e 28 aa a5 74 ea 69 74 5e fa 2c | CERT c3 00 3c 2f 58 d0 20 cf e3 46 8d de aa f9 f7 30 | CERT 5c 16 05 04 89 4c 92 9b 8a 33 11 70 83 17 58 24 | CERT 2a 4b ab be b6 ec 84 9c 78 9c 11 04 2a 02 ce 27 | CERT 83 a1 1f 2b 38 3f 27 7d 46 94 63 ff 64 59 4e 6c | CERT 87 ca 3e e6 31 df 1e 7d 48 88 02 c7 9d fa 4a d7 | CERT f2 5b a5 fd 7f 1b c6 dc 1a bb a6 c4 f8 32 cd bf | CERT a7 0b 71 8b 2b 31 41 17 25 a4 18 52 7d 32 fc 0f | CERT 5f b8 bb ca e1 94 1a 42 4d 1f 37 16 67 84 ae b4 | CERT 32 42 9c 5a 91 71 62 b4 4b 07 02 03 01 00 01 a3 | CERT 82 01 06 30 82 01 02 30 09 06 03 55 1d 13 04 02 | CERT 30 00 30 47 06 03 55 1d 11 04 40 30 3e 82 1a 65 | CERT 61 73 74 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 | CERT 65 73 77 61 6e 2e 6f 72 67 81 1a 65 61 73 74 40 | CERT 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 77 61 | CERT 6e 2e 6f 72 67 87 04 c0 01 02 17 30 0b 06 03 55 | CERT 1d 0f 04 04 03 02 07 80 30 1d 06 03 55 1d 25 04 | CERT 16 30 14 06 08 2b 06 01 05 05 07 03 01 06 08 2b | CERT 06 01 05 05 07 03 02 30 41 06 08 2b 06 01 05 05 | CERT 07 01 01 04 35 30 33 30 31 06 08 2b 06 01 05 05 | CERT 07 30 01 86 25 68 74 74 70 3a 2f 2f 6e 69 63 2e | CERT 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 77 61 | CERT 6e 2e 6f 72 67 3a 32 35 36 30 30 3d 06 03 55 1d | CERT 1f 04 36 30 34 30 32 a0 30 a0 2e 86 2c 68 74 74 | CERT 70 3a 2f 2f 6e 69 63 2e 74 65 73 74 69 6e 67 2e | CERT 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 2f 72 65 | CERT 76 6f 6b 65 64 2e 63 72 6c 30 0d 06 09 2a 86 48 | CERT 86 f7 0d 01 01 0b 05 00 03 81 81 00 3a 56 a3 7d | CERT b1 4e 62 2f 82 0d e3 fe 74 40 ef cb eb 93 ea ad | CERT e4 74 8b 80 6f ae 8b 65 87 12 a6 24 0d 21 9c 5f | CERT 70 5c 6f d9 66 8d 98 8b ea 59 f8 96 52 6a 6c 86 | CERT d6 7d ba 37 a9 8c 33 8c 77 18 23 0b 1b 2a 66 47 | CERT e7 95 94 e6 75 84 30 d4 db b8 23 eb 89 82 a9 fd | CERT ed 46 8b ce 46 7f f9 19 8f 49 da 29 2e 1e 97 cd | CERT 12 42 86 c7 57 fc 4f 0a 19 26 8a a1 0d 26 81 4d | CERT 53 f4 5c 92 a1 03 03 8d 6c 51 33 cc | emitting length of IKEv2 Certificate Payload: 1265 | IKEv2 CERTREQ: send a cert request? | IKEv2 CERTREQ: no CA DN known to send | not sending INITIAL_CONTACT | ****emit IKEv2 Authentication Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | auth method: IKEv2_AUTH_RSA (0x1) | next payload chain: setting previous 'IKEv2 Certificate Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' | started looking for secret for 192.1.2.23->192.1.3.209 of kind PKK_RSA | searching for certificate PKK_RSA:AwEAAbEef vs PKK_RSA:AwEAAbEef | #2 spent 9.77 milliseconds in ikev2_calculate_rsa_hash() calling sign_hash_RSA() | emitting 384 raw bytes of rsa signature into IKEv2 Authentication Payload | rsa signature 44 0b 80 72 6d 24 55 e5 08 6e d0 98 dc d6 1d 62 | rsa signature 5b cd e7 b2 9e 12 ad b0 b4 a9 94 31 38 84 90 99 | rsa signature 3f 86 44 a8 07 81 80 d2 e6 7f 7b 82 80 ac ec d8 | rsa signature d7 02 1b bd 51 80 7a 8a 2e 83 81 fe 53 d9 43 46 | rsa signature 88 88 ba 81 9e 31 34 7c 54 12 40 01 0e b7 a9 17 | rsa signature 42 e1 9b 05 28 f5 e4 7e a3 78 b5 0d 28 cd ee 1f | rsa signature 28 4a 87 92 13 c1 da 71 35 ec 08 82 56 1b 72 c8 | rsa signature 42 0c 76 e9 1b b3 44 dc 37 89 0d 38 3f fa 6c 6a | rsa signature 8b 12 eb 51 3b 32 af b8 89 d2 34 71 f9 97 04 ed | rsa signature 8d 52 17 cf fc e9 a0 80 2f 87 dc c9 86 4c 0a 14 | rsa signature 59 d6 42 48 47 82 30 6e 2f 60 c3 15 69 d2 cf 69 | rsa signature 69 5a ee 54 e0 9d 2b 20 6d 6b 61 b5 bd ea 49 d4 | rsa signature ea 00 8a 9f 83 e6 e2 72 0f 57 94 96 33 f9 5f 37 | rsa signature c7 3d a9 e6 de db 45 b0 04 bf 42 3c a1 fa 06 38 | rsa signature 26 47 ff f9 cd 86 c5 15 89 8b fb da 07 ce 09 27 | rsa signature 75 7e 91 46 86 a8 04 08 1c ec 07 51 13 d4 6f 58 | rsa signature c9 05 72 d8 7f 7a 64 68 46 da 55 61 dc c0 99 62 | rsa signature bf 14 01 ba 5c 50 7f 50 85 66 e1 58 80 65 c7 9f | rsa signature 0f 91 36 bf 8f 38 f2 11 a7 aa 18 5f 31 f9 3c 72 | rsa signature 2f fa 31 30 06 91 10 46 df bf c2 a1 21 b9 08 07 | rsa signature ee ef b3 12 5f 12 cb 9c ae d8 6b ff 4a 7d 09 da | rsa signature 51 0d 12 56 5d 45 ad 38 e9 92 b1 8a af 78 87 71 | rsa signature 75 3e 42 c7 87 51 03 cd 7c b4 98 d2 44 fb a8 e5 | rsa signature 45 c8 02 0d 2a fe 80 be aa 1f d8 c8 36 7d d6 05 | #2 spent 9.94 milliseconds in ikev2_calculate_rsa_hash() | ikev2_calculate_psk_sighash() called from STATE_PARENT_I2 to create PSK with authby=null | emitting length of IKEv2 Authentication Payload: 392 | getting first pending from state #2 | netlink_get_spi: allocated 0x3dd28668 for esp.0@192.1.2.23 | constructing ESP/AH proposals with all DH removed for private-or-clear#192.1.3.0/24 (IKE SA initiator emitting ESP/AH proposals) | converting proposal AES_GCM_16_256-NONE to ikev2 ... | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED | converting proposal AES_GCM_16_128-NONE to ikev2 ... | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... | ... ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209: constructed local ESP/AH proposals for private-or-clear#192.1.3.0/24 (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED | Emitting ikev2_proposals ... | ****emit IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' | discarding INTEG=NONE | discarding DH=NONE | *****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload | our spi 3d d2 86 68 | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | *******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of IKEv2 Transform Substructure Payload: 12 | discarding INTEG=NONE | discarding DH=NONE | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 32 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | discarding INTEG=NONE | discarding DH=NONE | *****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | prop #: 2 (0x2) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload | our spi 3d d2 86 68 | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | *******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of IKEv2 Transform Substructure Payload: 12 | discarding INTEG=NONE | discarding DH=NONE | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 32 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | discarding DH=NONE | *****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | prop #: 3 (0x3) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 4 (0x4) | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload | our spi 3d d2 86 68 | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | *******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of IKEv2 Transform Substructure Payload: 12 | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | discarding DH=NONE | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 48 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | discarding DH=NONE | *****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | prop #: 4 (0x4) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 4 (0x4) | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload | our spi 3d d2 86 68 | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | *******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of IKEv2 Transform Substructure Payload: 12 | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | discarding DH=NONE | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 48 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | emitting length of IKEv2 Security Association Payload: 164 | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 | ****emit IKEv2 Traffic Selector - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | number of TS: 1 (0x1) | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | start port: 0 (0x0) | end port: 65535 (0xffff) | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector | ipv4 start c0 01 02 17 | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector | ipv4 end c0 01 02 17 | emitting length of IKEv2 Traffic Selector: 16 | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 | ****emit IKEv2 Traffic Selector - Responder - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | number of TS: 1 (0x1) | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | start port: 0 (0x0) | end port: 65535 (0xffff) | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector | ipv4 start c0 01 03 d1 | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector | ipv4 end c0 01 03 d1 | emitting length of IKEv2 Traffic Selector: 16 | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 | Initiator child policy is tunnel mode, NOT sending v2N_USE_TRANSPORT_MODE | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED | Adding a v2N Payload | ****emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NULL_AUTH (0xa000) | next payload chain: setting previous 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting 64 raw bytes of Notify data into IKEv2 Notify Payload | Notify data 25 f9 35 a4 3e 3f 85 55 e2 83 e7 29 b6 7a 43 50 | Notify data 6e 4a c5 b3 8c 40 59 3a 5f 35 74 67 70 36 32 50 | Notify data ae 29 f0 53 d3 62 c3 30 5d e2 cc c6 9e d5 a6 b6 | Notify data 6f 9e 48 d9 61 1e 34 0a 24 a0 1b 07 34 92 a8 ca | emitting length of IKEv2 Notify Payload: 72 | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 1982 | emitting length of ISAKMP Message: 2010 | **parse ISAKMP Message: | initiator cookie: | 7b 6a 2a dd 5c 7a c7 69 | responder cookie: | 09 8a aa 72 c2 0f 6a aa | next payload type: ISAKMP_NEXT_v2SK (0x2e) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 2010 (0x7da) | **parse IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2IDi (0x23) | flags: none (0x0) | length: 1982 (0x7be) | **emit ISAKMP Message: | initiator cookie: | 7b 6a 2a dd 5c 7a c7 69 | responder cookie: | 09 8a aa 72 c2 0f 6a aa | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2IDi (0x23) | flags: none (0x0) | fragment number: 1 (0x1) | total fragments: 5 (0x5) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 35:ISAKMP_NEXT_v2IDi | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment | cleartext fragment 25 00 00 0c 01 00 00 00 c0 01 02 17 27 00 04 f1 | cleartext fragment 04 30 82 04 e8 30 82 04 51 a0 03 02 01 02 02 01 | cleartext fragment 03 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 | cleartext fragment 30 81 ac 31 0b 30 09 06 03 55 04 06 13 02 43 41 | cleartext fragment 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | cleartext fragment 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | cleartext fragment 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | cleartext fragment 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | cleartext fragment 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | cleartext fragment 6e 74 31 25 30 23 06 03 55 04 03 0c 1c 4c 69 62 | cleartext fragment 72 65 73 77 61 6e 20 74 65 73 74 20 43 41 20 66 | cleartext fragment 6f 72 20 6d 61 69 6e 63 61 31 24 30 22 06 09 2a | cleartext fragment 86 48 86 f7 0d 01 09 01 16 15 74 65 73 74 69 6e | cleartext fragment 67 40 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 30 | cleartext fragment 22 18 0f 32 30 31 39 30 38 32 34 30 39 30 37 35 | cleartext fragment 33 5a 18 0f 32 30 32 32 30 38 32 33 30 39 30 37 | cleartext fragment 35 33 5a 30 81 b4 31 0b 30 09 06 03 55 04 06 13 | cleartext fragment 02 43 41 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e | cleartext fragment 74 61 72 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 | cleartext fragment 54 6f 72 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a | cleartext fragment 0c 09 4c 69 62 72 65 73 77 61 6e 31 18 30 16 06 | cleartext fragment 03 55 04 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 | cleartext fragment 74 6d 65 6e 74 31 23 30 21 06 03 55 04 03 0c 1a | cleartext fragment 65 61 73 74 2e 74 65 73 74 69 6e 67 2e 6c 69 62 | cleartext fragment 72 65 73 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 | cleartext fragment 2a 86 48 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d | cleartext fragment 65 61 73 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 | cleartext fragment 72 65 73 77 61 6e 2e 6f 72 67 30 82 01 a2 30 0d | cleartext fragment 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 | cleartext fragment 8f 00 30 82 01 8a 02 82 01 81 00 b1 1e 7c | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | 7b 6a 2a dd 5c 7a c7 69 | responder cookie: | 09 8a aa 72 c2 0f 6a aa | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 2 (0x2) | total fragments: 5 (0x5) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment | cleartext fragment b3 bf 11 96 94 23 ca 97 5e c7 66 36 55 71 49 95 | cleartext fragment 8d 0c 2a 5c 30 4d 58 29 a3 7b 4d 3b 3f 03 06 46 | cleartext fragment a6 04 63 71 0d e1 59 4f 9c ec 3a 17 24 8d 91 6a | cleartext fragment a8 e2 da 57 41 de f4 ff 65 bf f6 11 34 d3 7d 5a | cleartext fragment 7f 6e 3a 3b 74 3c 51 2b e4 bf ce 6b b2 14 47 26 | cleartext fragment 52 f5 57 28 bc c5 fb f9 bc 2d 4e b9 f8 46 54 c7 | cleartext fragment 95 41 a7 a4 b4 d3 b3 fe 55 4b df f5 c3 78 39 8b | cleartext fragment 4e 04 57 c0 1d 5b 17 3c 28 eb 40 9d 1d 7c b3 bb | cleartext fragment 0f f0 63 c7 c0 84 b0 4e e4 a9 7c c5 4b 08 43 a6 | cleartext fragment 2d 00 22 fd 98 d4 03 d0 ad 97 85 d1 48 15 d3 e4 | cleartext fragment e5 2d 46 7c ab 41 97 05 27 61 77 3d b6 b1 58 a0 | cleartext fragment 5f e0 8d 26 84 9b 03 20 ce 5e 27 7f 7d 14 03 b6 | cleartext fragment 9d 6b 9f fd 0c d4 c7 2d eb be ea 62 87 fa 99 e0 | cleartext fragment a6 1c 85 4f 34 da 93 2e 5f db 03 10 58 a8 c4 99 | cleartext fragment 17 2d b1 bc e5 7b bd af 0e 28 aa a5 74 ea 69 74 | cleartext fragment 5e fa 2c c3 00 3c 2f 58 d0 20 cf e3 46 8d de aa | cleartext fragment f9 f7 30 5c 16 05 04 89 4c 92 9b 8a 33 11 70 83 | cleartext fragment 17 58 24 2a 4b ab be b6 ec 84 9c 78 9c 11 04 2a | cleartext fragment 02 ce 27 83 a1 1f 2b 38 3f 27 7d 46 94 63 ff 64 | cleartext fragment 59 4e 6c 87 ca 3e e6 31 df 1e 7d 48 88 02 c7 9d | cleartext fragment fa 4a d7 f2 5b a5 fd 7f 1b c6 dc 1a bb a6 c4 f8 | cleartext fragment 32 cd bf a7 0b 71 8b 2b 31 41 17 25 a4 18 52 7d | cleartext fragment 32 fc 0f 5f b8 bb ca e1 94 1a 42 4d 1f 37 16 67 | cleartext fragment 84 ae b4 32 42 9c 5a 91 71 62 b4 4b 07 02 03 01 | cleartext fragment 00 01 a3 82 01 06 30 82 01 02 30 09 06 03 55 1d | cleartext fragment 13 04 02 30 00 30 47 06 03 55 1d 11 04 40 30 3e | cleartext fragment 82 1a 65 61 73 74 2e 74 65 73 74 69 6e 67 2e 6c | cleartext fragment 69 62 72 65 73 77 61 6e 2e 6f 72 67 81 1a 65 61 | cleartext fragment 73 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 | cleartext fragment 73 77 61 6e 2e 6f 72 67 87 04 c0 01 02 17 | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | 7b 6a 2a dd 5c 7a c7 69 | responder cookie: | 09 8a aa 72 c2 0f 6a aa | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 3 (0x3) | total fragments: 5 (0x5) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment | cleartext fragment 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 30 1d 06 | cleartext fragment 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 | cleartext fragment 03 01 06 08 2b 06 01 05 05 07 03 02 30 41 06 08 | cleartext fragment 2b 06 01 05 05 07 01 01 04 35 30 33 30 31 06 08 | cleartext fragment 2b 06 01 05 05 07 30 01 86 25 68 74 74 70 3a 2f | cleartext fragment 2f 6e 69 63 2e 74 65 73 74 69 6e 67 2e 6c 69 62 | cleartext fragment 72 65 73 77 61 6e 2e 6f 72 67 3a 32 35 36 30 30 | cleartext fragment 3d 06 03 55 1d 1f 04 36 30 34 30 32 a0 30 a0 2e | cleartext fragment 86 2c 68 74 74 70 3a 2f 2f 6e 69 63 2e 74 65 73 | cleartext fragment 74 69 6e 67 2e 6c 69 62 72 65 73 77 61 6e 2e 6f | cleartext fragment 72 67 2f 72 65 76 6f 6b 65 64 2e 63 72 6c 30 0d | cleartext fragment 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 | cleartext fragment 00 3a 56 a3 7d b1 4e 62 2f 82 0d e3 fe 74 40 ef | cleartext fragment cb eb 93 ea ad e4 74 8b 80 6f ae 8b 65 87 12 a6 | cleartext fragment 24 0d 21 9c 5f 70 5c 6f d9 66 8d 98 8b ea 59 f8 | cleartext fragment 96 52 6a 6c 86 d6 7d ba 37 a9 8c 33 8c 77 18 23 | cleartext fragment 0b 1b 2a 66 47 e7 95 94 e6 75 84 30 d4 db b8 23 | cleartext fragment eb 89 82 a9 fd ed 46 8b ce 46 7f f9 19 8f 49 da | cleartext fragment 29 2e 1e 97 cd 12 42 86 c7 57 fc 4f 0a 19 26 8a | cleartext fragment a1 0d 26 81 4d 53 f4 5c 92 a1 03 03 8d 6c 51 33 | cleartext fragment cc 21 00 01 88 01 00 00 00 44 0b 80 72 6d 24 55 | cleartext fragment e5 08 6e d0 98 dc d6 1d 62 5b cd e7 b2 9e 12 ad | cleartext fragment b0 b4 a9 94 31 38 84 90 99 3f 86 44 a8 07 81 80 | cleartext fragment d2 e6 7f 7b 82 80 ac ec d8 d7 02 1b bd 51 80 7a | cleartext fragment 8a 2e 83 81 fe 53 d9 43 46 88 88 ba 81 9e 31 34 | cleartext fragment 7c 54 12 40 01 0e b7 a9 17 42 e1 9b 05 28 f5 e4 | cleartext fragment 7e a3 78 b5 0d 28 cd ee 1f 28 4a 87 92 13 c1 da | cleartext fragment 71 35 ec 08 82 56 1b 72 c8 42 0c 76 e9 1b b3 44 | cleartext fragment dc 37 89 0d 38 3f fa 6c 6a 8b 12 eb 51 3b 32 af | cleartext fragment b8 89 d2 34 71 f9 97 04 ed 8d 52 17 cf fc | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | 7b 6a 2a dd 5c 7a c7 69 | responder cookie: | 09 8a aa 72 c2 0f 6a aa | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 4 (0x4) | total fragments: 5 (0x5) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment | cleartext fragment e9 a0 80 2f 87 dc c9 86 4c 0a 14 59 d6 42 48 47 | cleartext fragment 82 30 6e 2f 60 c3 15 69 d2 cf 69 69 5a ee 54 e0 | cleartext fragment 9d 2b 20 6d 6b 61 b5 bd ea 49 d4 ea 00 8a 9f 83 | cleartext fragment e6 e2 72 0f 57 94 96 33 f9 5f 37 c7 3d a9 e6 de | cleartext fragment db 45 b0 04 bf 42 3c a1 fa 06 38 26 47 ff f9 cd | cleartext fragment 86 c5 15 89 8b fb da 07 ce 09 27 75 7e 91 46 86 | cleartext fragment a8 04 08 1c ec 07 51 13 d4 6f 58 c9 05 72 d8 7f | cleartext fragment 7a 64 68 46 da 55 61 dc c0 99 62 bf 14 01 ba 5c | cleartext fragment 50 7f 50 85 66 e1 58 80 65 c7 9f 0f 91 36 bf 8f | cleartext fragment 38 f2 11 a7 aa 18 5f 31 f9 3c 72 2f fa 31 30 06 | cleartext fragment 91 10 46 df bf c2 a1 21 b9 08 07 ee ef b3 12 5f | cleartext fragment 12 cb 9c ae d8 6b ff 4a 7d 09 da 51 0d 12 56 5d | cleartext fragment 45 ad 38 e9 92 b1 8a af 78 87 71 75 3e 42 c7 87 | cleartext fragment 51 03 cd 7c b4 98 d2 44 fb a8 e5 45 c8 02 0d 2a | cleartext fragment fe 80 be aa 1f d8 c8 36 7d d6 05 2c 00 00 a4 02 | cleartext fragment 00 00 20 01 03 04 02 3d d2 86 68 03 00 00 0c 01 | cleartext fragment 00 00 14 80 0e 01 00 00 00 00 08 05 00 00 00 02 | cleartext fragment 00 00 20 02 03 04 02 3d d2 86 68 03 00 00 0c 01 | cleartext fragment 00 00 14 80 0e 00 80 00 00 00 08 05 00 00 00 02 | cleartext fragment 00 00 30 03 03 04 04 3d d2 86 68 03 00 00 0c 01 | cleartext fragment 00 00 0c 80 0e 01 00 03 00 00 08 03 00 00 0e 03 | cleartext fragment 00 00 08 03 00 00 0c 00 00 00 08 05 00 00 00 00 | cleartext fragment 00 00 30 04 03 04 04 3d d2 86 68 03 00 00 0c 01 | cleartext fragment 00 00 0c 80 0e 00 80 03 00 00 08 03 00 00 0e 03 | cleartext fragment 00 00 08 03 00 00 0c 00 00 00 08 05 00 00 00 2d | cleartext fragment 00 00 18 01 00 00 00 07 00 00 10 00 00 ff ff c0 | cleartext fragment 01 02 17 c0 01 02 17 29 00 00 18 01 00 00 00 07 | cleartext fragment 00 00 10 00 00 ff ff c0 01 03 d1 c0 01 03 d1 00 | cleartext fragment 00 00 48 00 00 a0 00 25 f9 35 a4 3e 3f 85 55 e2 | cleartext fragment 83 e7 29 b6 7a 43 50 6e 4a c5 b3 8c 40 59 | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | 7b 6a 2a dd 5c 7a c7 69 | responder cookie: | 09 8a aa 72 c2 0f 6a aa | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 5 (0x5) | total fragments: 5 (0x5) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 41 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment | cleartext fragment 3a 5f 35 74 67 70 36 32 50 ae 29 f0 53 d3 62 c3 | cleartext fragment 30 5d e2 cc c6 9e d5 a6 b6 6f 9e 48 d9 61 1e 34 | cleartext fragment 0a 24 a0 1b 07 34 92 a8 ca | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 74 | emitting length of ISAKMP Message: 102 | suspend processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in complete_v2_state_transition() at ikev2.c:3379) | start processing: state #3 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in complete_v2_state_transition() at ikev2.c:3379) | #3 complete_v2_state_transition() md.from_state=PARENT_I1 md.svm.state[from]=PARENT_I1 UNDEFINED->PARENT_I2 with status STF_OK | IKEv2: transition from state STATE_PARENT_I1 to state STATE_PARENT_I2 | child state #3: UNDEFINED(ignore) => PARENT_I2(open IKE SA) | Message ID: updating counters for #3 to 0 after switching state | Message ID: recv #2.#3 response 0; ike: initiator.sent=0 initiator.recv=-1->0 responder.sent=-1 responder.recv=-1; child: wip.initiator=0->-1 wip.responder=-1 | Message ID: sent #2.#3 request 1; ike: initiator.sent=0->1 initiator.recv=0 responder.sent=-1 responder.recv=-1; child: wip.initiator=-1->1 wip.responder=-1 | STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} | sending V2 reply packet to 192.1.3.209:500 (from 192.1.2.23:500) | sending fragments ... | sending 539 bytes for STATE_PARENT_I1 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #2) | 7b 6a 2a dd 5c 7a c7 69 09 8a aa 72 c2 0f 6a aa | 35 20 23 08 00 00 00 01 00 00 02 1b 23 00 01 ff | 00 01 00 05 db 73 a6 bf d9 8b 0b a1 26 bb bc 87 | 1e 67 f7 fd 55 9e ad 00 40 f2 89 93 ad d3 94 87 | e6 8c 00 82 78 27 80 31 16 cf a4 e6 10 9f 23 ab | 4e 7a c1 2c 8f 14 db cc 29 85 b5 ce 41 86 59 24 | 69 79 6d 70 1c 5f 91 65 b1 bd d6 bd 7d a9 da 5c | 4d 34 73 2c 7a f4 b7 ca fd 6a 9e 23 59 fa de 59 | c1 52 78 47 52 ba 4d e1 17 d0 74 0a 64 de 20 7c | 80 9f 70 62 2e de 6d 05 39 44 31 42 d8 34 3c 77 | b0 ce 7a 5d df a9 83 48 c4 ce 8d 8a d4 43 13 01 | 13 7b 27 a3 93 fb 0b 4c b9 de 06 6c 9c 03 43 57 | 49 93 fd 46 6d 4b 1a 96 83 5a 2f 93 08 45 c4 ec | b6 63 a4 d8 14 84 32 03 d7 52 53 92 2e 1b 3a bd | 2f 38 a4 7d 15 0f 48 7e 39 eb a4 54 65 75 83 bc | 01 e2 1e fd 28 01 d8 8d 5a 13 d2 e1 ee 1d ad 50 | 53 f8 77 32 87 de e5 44 dc 59 58 f1 f0 1f 40 63 | 2e c9 cb e5 8d 34 e4 e1 1f 08 8d 1a d4 39 19 81 | 5d 14 c9 2c 34 af 1d 2f 76 e7 c9 1b 54 3c 1b 26 | 30 23 41 16 02 22 dc d9 fd a9 60 67 e4 67 ed 77 | a3 ee 5b 40 9d 26 93 b9 66 ce b4 c3 41 a1 36 c3 | 6f 41 fe 6d 5d 2f 77 ff dc 8f 11 b3 0a 45 72 61 | 7a 4a fb 1c 09 32 a6 fa ac 9e 29 2f 32 4a 44 71 | 7a 39 79 97 b1 ea 44 e9 eb f2 46 89 5a 92 6c dc | 9b ec 7a 7e 92 7b d9 6c f4 98 37 0b 2c 43 cd 95 | e3 46 b7 de 10 05 65 99 f6 ba 66 78 15 cf 61 8b | fa 1e ab 5e 40 d2 36 19 b4 87 4d e4 82 0f b0 95 | 86 0f ba 73 66 53 12 6e 69 c9 99 a5 98 fc cf db | 9a e5 7b ab f1 e9 ce 3a 86 86 5a 7d 57 e0 1a 19 | 0e df 58 25 27 6f 1d cc 04 b3 29 27 7e 2d 38 4b | d0 5f ed c3 75 2b 58 e6 c6 7b 38 1e 7e 89 d4 29 | fd c6 78 ce a4 70 67 f1 9f 6e cb 1e 53 13 0b 53 | 82 f7 5e f4 70 a1 0f 53 12 0f 6a 4d 13 3b a1 b0 | 56 db 87 0e dc 8d 78 de 2d a3 72 | sending 539 bytes for STATE_PARENT_I1 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #2) | 7b 6a 2a dd 5c 7a c7 69 09 8a aa 72 c2 0f 6a aa | 35 20 23 08 00 00 00 01 00 00 02 1b 00 00 01 ff | 00 02 00 05 17 25 c9 47 5e 43 42 f4 a3 65 d4 57 | 8f ea f1 e7 69 60 84 e9 d3 ef 33 56 f6 04 de 1b | e5 78 ca f3 29 ab 94 b1 87 6a 8b 81 72 58 2b 2c | 5c a5 82 52 34 46 54 c8 21 7f d4 15 56 a9 59 06 | 3d d0 3b 7f e7 66 8b 4e 43 46 1c 24 27 2d 99 79 | 75 c0 e1 5b 2c 60 fc 0c 00 bd eb 41 96 a3 69 8e | 0b 00 8f bf d4 7c 70 04 b9 7c fa 13 8e 97 a1 e2 | 81 d1 18 5e 90 bc b2 68 03 f2 b5 2d 40 df 67 0b | 1c 24 96 d9 09 9f 46 16 69 ad f5 3e 99 50 6d 9b | bc 32 a0 b1 d2 58 14 a9 f0 25 8b 4c d2 5b 0e 4e | b5 8a e1 de 35 7e 10 d3 09 b0 7b 49 7b 90 34 cb | 72 b7 50 7f 7b 2e 73 93 e6 37 4f 05 a6 75 ac 98 | 7a e2 1d 30 37 d0 08 05 c4 99 95 69 35 e1 23 86 | 95 0b 77 e5 62 b2 25 45 12 68 54 40 7e a1 b7 89 | 9f 66 08 a5 da c9 b1 e4 77 a3 1b 62 ff 5c d2 0d | f6 ea 3d 2b bc 61 c7 2e cb d7 3e f5 66 4c e5 60 | 80 cc 67 09 cc fe e3 9b 7f 43 0a aa 13 74 65 f5 | da 32 75 fb 4e 7c 87 0b 5b b6 5a 1e 1c 56 20 ae | af 92 ed ae 87 64 e5 db 77 fe 7f 86 4d 4d 03 14 | 2f 21 57 75 6b b9 c9 9a 80 61 8f d3 25 f7 0b bd | 91 c0 a1 ef d6 3f 3d 1f 21 99 83 17 6b a7 f0 2a | ce 63 c6 62 65 15 8b e4 5b b3 36 71 59 54 cb ba | 51 a8 71 f7 a2 53 ae 39 0a 8d 7e 16 27 45 30 72 | 47 83 b3 82 6c 19 40 a7 4b b5 ad ee 88 c9 3b ba | 98 a3 f3 bf 09 8f b6 ae e8 c7 1f ef 06 24 7e f7 | 17 54 46 55 8f a8 5b 07 1a a1 05 b4 40 61 ae e6 | 5f f6 de 6d 42 00 29 43 06 67 bf c0 d8 29 1b 68 | 5f 37 fd ed 0b 1c e3 57 fc ff 78 43 db 3b fe c1 | d4 e2 fb 02 06 5f 10 56 64 b1 76 b3 b5 02 8c 56 | 50 f0 90 98 d9 32 3d 35 da a4 46 05 42 ba ec 08 | 2e cb 19 36 61 8f 62 ca fe 0d 4e fe 51 2c b5 ef | 6e 5b fb f9 99 fe b8 f9 43 f9 af | sending 539 bytes for STATE_PARENT_I1 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #2) | 7b 6a 2a dd 5c 7a c7 69 09 8a aa 72 c2 0f 6a aa | 35 20 23 08 00 00 00 01 00 00 02 1b 00 00 01 ff | 00 03 00 05 5a db c8 d4 04 50 a5 18 6f 94 53 3c | ca 0f 21 90 bd 30 c0 4d a4 cd 08 82 82 33 1f 98 | 34 53 44 49 3d 42 a3 d0 48 e5 36 a4 70 17 e9 cf | 6c 12 be 50 3f ce 9f b9 63 cf c9 46 ac 99 f5 00 | 48 eb e3 6e 2f 85 90 d8 4d 0b c6 91 1b 40 8b b0 | 7b 55 84 7c 6c 6b 4c de 04 7f 69 df ea 1d 46 dd | 16 2b 91 c9 83 33 47 3f 1a 15 36 f5 3f 25 60 e0 | 84 cb 72 58 91 44 5d 2e 89 66 b7 5d ef 13 7a da | 90 ba ed 2b 21 68 c0 40 5d 1f 74 f4 df 61 7b f4 | 6e c2 73 83 db 32 bf 38 f3 db b3 6f bb ed 45 5b | 8d b2 57 40 36 76 99 68 31 38 61 0c 85 cf 4e 4b | 0e a8 d8 8a 51 37 35 b5 14 e3 c9 3a aa 2d f8 56 | 7a c1 bf e7 30 4f 81 69 01 3a 62 9f 89 35 98 43 | c4 34 20 09 d4 b2 da bc b7 92 10 c6 ef cb 04 6a | 30 56 51 05 11 5f 59 fd a4 67 86 d1 e2 9e d0 f6 | f3 1b bc 60 65 49 ba 27 1a e9 8a 2e 68 c3 81 cd | 20 64 e2 a1 30 b0 14 f3 23 60 6c 34 72 5d 92 27 | 79 e6 35 db 9e 35 a3 d7 01 73 99 77 46 ab 40 de | d4 07 8b 6a 39 aa c5 2c 8b 14 e5 e8 e1 76 ec 52 | 5c 09 40 e8 f9 79 b4 15 81 69 6b 62 ca fa 5e 07 | c1 46 4f 3c 9c 13 57 22 7a 37 ff 4d 38 2c 03 56 | a2 4b 36 73 a3 12 0d eb 64 59 e2 f3 34 78 fb b6 | dc 0b 83 2e e4 d9 ee 25 c8 0c 63 cd 82 11 50 ac | ef 62 24 d2 27 29 9b 17 9e b6 24 9c 0d 3e 89 58 | 2c 70 16 43 d4 32 58 62 1e 22 a2 40 4f 46 a4 9a | 27 36 ab 72 4f c1 40 a8 dc 52 e4 f2 3f 22 dd cf | e3 c1 25 50 71 ef 37 82 c8 df a5 65 d4 22 73 b0 | 03 52 cc 42 f6 a6 95 01 03 96 c2 f6 21 e1 74 97 | 1c ff ed 6e 22 5f 65 98 5a 45 0c 5a 90 58 f8 ce | 2f b5 0d 41 c8 15 48 c8 a2 9d aa d6 0f f6 81 a7 | 42 ad 13 29 28 30 15 d6 fb b8 1a 26 d3 bd 07 7d | a8 09 f3 81 4b 43 9b 6f ae f2 c4 | sending 539 bytes for STATE_PARENT_I1 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #2) | 7b 6a 2a dd 5c 7a c7 69 09 8a aa 72 c2 0f 6a aa | 35 20 23 08 00 00 00 01 00 00 02 1b 00 00 01 ff | 00 04 00 05 e4 fb 1d 27 fd 82 e5 10 ad 1c 6c a0 | 03 60 18 ea 61 7c 43 42 3b 88 ea 37 08 49 44 a4 | bc 5c 59 e9 13 e4 39 22 03 2d 7a c3 dd 39 97 5a | 8c 9f f6 ab 55 d7 cd 46 91 cd 7b 59 b3 0a 49 dc | 0d 8a b4 b5 a2 6d c0 60 a3 45 63 c4 1c 91 aa 07 | 4a 32 33 06 a9 7d 51 a4 ea 59 51 1c e5 5a d5 71 | b9 bc dd 2f 22 22 10 88 35 1d f6 0a 44 2b 2b 71 | 4a 65 b8 07 38 c4 f3 b8 3c a4 9d e5 df e9 53 21 | a8 98 da ee ef bc 9e 85 d1 50 f4 fb 87 b5 63 e7 | b3 42 db 1c ae 4c 9a a7 91 c2 ed c2 29 3c 06 1f | 22 91 c4 cb 73 f0 51 f8 bd 12 a5 f0 ae 66 1b ec | 1b ba 1b 55 91 da 53 4d 82 eb 9c 74 23 9d f6 2a | 32 5d d0 c9 2d 06 e6 75 7e e8 da 3d c9 50 92 ba | 27 75 0a dc 81 15 60 5d 52 b1 9a e4 c8 da 30 13 | fb 87 71 31 e9 f1 96 9f 5a 0c a8 7b fe a2 10 52 | d5 b9 7e 9e 93 57 0e 9d 5c 36 22 f7 f0 7d 3c c6 | b0 cd 13 82 39 38 b1 2c 43 33 89 8d cf 92 97 7e | 8f f4 ee 79 5c 81 1b e2 1a 57 91 8b 56 df a7 8d | b0 ab 68 ca 0d 9e 18 e8 5f 36 1e 83 2a 5e f5 27 | 04 dd fd d1 ca b0 4b 93 87 b8 52 b9 e2 cc c1 52 | 77 14 60 51 09 97 af fd ae 20 67 9c c5 01 d0 80 | 01 90 79 8e 8e 38 62 b7 46 44 93 07 10 10 fb 00 | f8 5f b7 dd 12 9e b2 39 da 35 53 e3 cd 33 e6 a2 | c6 7e 07 67 fb 23 c5 c4 ff 2d ed 50 5d e0 68 bb | 31 74 31 51 43 6b 97 53 b7 f7 1b 67 ce 59 21 30 | 27 2f c2 c4 24 e7 f5 ae 14 ca f4 6b fe 93 61 f0 | e7 6f 40 62 f5 5c a0 b0 48 ba b5 64 72 dc 9b b8 | 30 82 10 7c f1 25 b3 d3 a4 ca 8e dd 95 5b 46 54 | 95 ae 20 c7 4c 92 70 bf 3e c1 2d 9f 56 87 ae 9d | 39 1f cf 36 f2 34 cd 36 9a e6 97 23 77 6e 3b 23 | a6 e4 72 e1 a9 19 e9 3d 17 c6 14 7e a6 d6 b6 64 | 38 c6 54 5d 4b d6 6a af 97 67 1a | sending 102 bytes for STATE_PARENT_I1 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #2) | 7b 6a 2a dd 5c 7a c7 69 09 8a aa 72 c2 0f 6a aa | 35 20 23 08 00 00 00 01 00 00 00 66 00 00 00 4a | 00 05 00 05 a3 33 37 56 a9 ab ef 31 79 26 42 fc | 1f 23 3a 4f 0b ea 05 aa e8 b2 0a ef 18 c8 66 c6 | 9c d0 88 a7 8c 21 a5 30 82 12 bf 95 85 d3 11 58 | 5f 42 b3 c1 7e dc 63 6b b1 34 db cc bf 8d d4 2a | 20 23 c0 03 0e 63 | sent 5 fragments | success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=15000ms "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #3: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds | event_schedule: new EVENT_RETRANSMIT-pe@0x7fd55c002b78 | inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #3 | libevent_malloc: new ptr-libevent@0x562875178b08 size 128 | #3 STATE_PARENT_I2: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29642.168353 | resume sending helper answer for #2 suppresed complete_v2_state_transition() | #2 spent 1.59 milliseconds | #2 spent 11.9 milliseconds in resume sending helper answer | stop processing: state #3 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fd550000f48 | spent 0.00289 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 65 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500) | 7b 6a 2a dd 5c 7a c7 69 09 8a aa 72 c2 0f 6a aa | 2e 20 23 20 00 00 00 01 00 00 00 41 29 00 00 25 | fd 7a 57 34 60 56 83 cb 35 06 6c b1 c4 33 b6 7b | 70 c3 1d 7f 05 09 49 f9 32 09 95 12 ee 6b d8 79 | a2 | start processing: from 192.1.3.209:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 7b 6a 2a dd 5c 7a c7 69 | responder cookie: | 09 8a aa 72 c2 0f 6a aa | next payload type: ISAKMP_NEXT_v2SK (0x2e) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | length: 65 (0x41) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am the IKE SA Original Initiator receiving an IKEv2 IKE_AUTH response | State DB: found IKEv2 state #2 in PARENT_I2 (find_v2_ike_sa) | start processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ikev2_process_packet() at ikev2.c:2016) | State DB: found IKEv2 state #3 in PARENT_I2 (find_v2_sa_by_initiator_wip) | suspend processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ike_process_packet() at ikev2.c:2062) | start processing: state #3 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ike_process_packet() at ikev2.c:2062) | #3 is idle | #3 idle | unpacking clear payload | Now let's proceed with payload (ISAKMP_NEXT_v2SK) | ***parse IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 37 (0x25) | processing payload: ISAKMP_NEXT_v2SK (len=33) | #3 in state PARENT_I2: sent v2I2, expected v2R2 | #3 ikev2 ISAKMP_v2_IKE_AUTH decrypt success | Now let's proceed with payload (ISAKMP_NEXT_v2N) | **parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 8 (0x8) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_AUTHENTICATION_FAILED (0x18) | processing payload: ISAKMP_NEXT_v2N (len=0) | selected state microcode Initiator: process AUTHENTICATION_FAILED AUTH notification | Now let's proceed with state specific processing | calling processor Initiator: process AUTHENTICATION_FAILED AUTH notification "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #3: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED | pstats #2 ikev2.ike failed auth-failed "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #3: scheduling retry attempt 1 of an unlimited number | release_pending_whacks: state #3 has no whack fd | release_pending_whacks: IKE SA #2 fd@-1 has pending CHILD SA with socket fd@-1 | libevent_free: release ptr-libevent@0x562875178b08 | free_event_entry: release EVENT_RETRANSMIT-pe@0x7fd55c002b78 | event_schedule: new EVENT_RETRANSMIT-pe@0x7fd55c002b78 | inserting event EVENT_RETRANSMIT, timeout in 59.991397 seconds for #3 | libevent_malloc: new ptr-libevent@0x7fd550000f48 size 128 "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #3: STATE_PARENT_I2: suppressing retransmits; will wait 59.991397 seconds for retry | #3 spent 0.0372 milliseconds in processing: Initiator: process AUTHENTICATION_FAILED AUTH notification in ikev2_process_state_packet() | [RE]START processing: state #3 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in complete_v2_state_transition() at ikev2.c:3379) | #3 complete_v2_state_transition() PARENT_I2->PARENT_I2 with status STF_IGNORE | stop processing: state #3 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in ikev2_process_packet() at ikev2.c:2018) | #2 spent 0.193 milliseconds in ikev2_process_packet() | stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.203 milliseconds in comm_handle_cb() reading and processing packet | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... in show_states_status (sort_states) | FOR_EACH_STATE_... in sort_states | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.71 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) shutting down | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) destroying root certificate cache | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' | unreference key: 0x5628751551b8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | unreference key: 0x562875154af8 user-east@testing.libreswan.org cnt 1-- | unreference key: 0x562875158ce8 @east.testing.libreswan.org cnt 1-- | unreference key: 0x5628751574f8 east@testing.libreswan.org cnt 1-- | unreference key: 0x562875157038 192.1.2.23 cnt 1-- | start processing: connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 (in delete_connection() at connections.c:189) | removing pending policy for no connection {0x56287512a558} | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | state #3 | suspend processing: connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 (in foreach_state_by_connection_func_delete() at state.c:1310) | start processing: state #3 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #3 ikev2.child deleted other | #3 spent 0.0372 milliseconds in total | [RE]START processing: state #3 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in delete_state() at state.c:879) "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #3: deleting state (STATE_PARENT_I2) aged 12.587s and NOT sending notification | child state #3: PARENT_I2(open IKE SA) => delete | child state #3: PARENT_I2(open IKE SA) => CHILDSA_DEL(informational) | state #3 requesting EVENT_RETRANSMIT to be deleted | #3 STATE_CHILDSA_DEL: retransmits: cleared | libevent_free: release ptr-libevent@0x7fd550000f48 | free_event_entry: release EVENT_RETRANSMIT-pe@0x7fd55c002b78 | priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfdf | delete inbound eroute 192.1.3.209/32:0 --0-> 192.1.2.23/32:0 => unk255.10000@192.1.2.23 (raw_eroute) | raw_eroute result=success | stop processing: connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 (BACKGROUND) (in update_state_connection() at connections.c:4076) | start processing: connection NULL (in update_state_connection() at connections.c:4077) | in connection_discard for connection private-or-clear#192.1.3.0/24 | State DB: deleting IKEv2 state #3 in CHILDSA_DEL | child state #3: CHILDSA_DEL(informational) => UNDEFINED(ignore) | stop processing: state #3 from 192.1.3.209 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | state #2 | start processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #2 ikev2.ike deleted auth-failed | #2 spent 16.4 milliseconds in total | [RE]START processing: state #2 connection "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 from 192.1.3.209 (in delete_state() at state.c:879) "private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #2: deleting state (STATE_PARENT_I2) aged 12.596s and NOT sending notification | parent state #2: PARENT_I2(open IKE SA) => delete | state #2 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x7fd55c002888 | free_event_entry: release EVENT_SA_REPLACE-pe@0x7fd558001f18 | State DB: IKEv2 state not found (flush_incomplete_children) | in connection_discard for connection private-or-clear#192.1.3.0/24 | State DB: deleting IKEv2 state #2 in PARENT_I2 | parent state #2: PARENT_I2(open IKE SA) => UNDEFINED(ignore) | stop processing: state #2 from 192.1.3.209 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | shunt_eroute() called for connection 'private-or-clear#192.1.3.0/24' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfdf | netlink_raw_eroute: SPI_PASS | priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfdf | netlink_raw_eroute: SPI_PASS | free hp@0x5628751613a8 | flush revival: connection 'private-or-clear#192.1.3.0/24' wasn't on the list | processing: STOP connection NULL (in discard_connection() at connections.c:249) | start processing: connection "private-or-clear-all" (in delete_connection() at connections.c:189) | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | flush revival: connection 'private-or-clear-all' wasn't on the list | stop processing: connection "private-or-clear-all" (in discard_connection() at connections.c:249) | start processing: connection "block" (in delete_connection() at connections.c:189) | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | flush revival: connection 'block' wasn't on the list | stop processing: connection "block" (in discard_connection() at connections.c:249) | start processing: connection "private" (in delete_connection() at connections.c:189) | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | flush revival: connection 'private' wasn't on the list | stop processing: connection "private" (in discard_connection() at connections.c:249) | start processing: connection "private-or-clear#192.1.3.0/24" (in delete_connection() at connections.c:189) | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | shunt_eroute() called for connection 'private-or-clear#192.1.3.0/24' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfe7 | netlink_raw_eroute: SPI_PASS | priority calculation of connection "private-or-clear#192.1.3.0/24" is 0x1fdfe7 | netlink_raw_eroute: SPI_PASS | FOR_EACH_CONNECTION_... in route_owner | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn private-or-clear mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn clear mark 0/00000000, 0/00000000 | conn private-or-clear#192.1.3.0/24 mark 0/00000000, 0/00000000 vs | conn clear-or-private mark 0/00000000, 0/00000000 | route owner of "private-or-clear#192.1.3.0/24" unrouted: NULL | running updown command "ipsec _updown" for verb unroute | command executing unroute-host | executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#192.1.3.0/24' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.0/24' PLUTO_PEER_CLIENT_NET='192.1.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' | popen cmd is 1104 chars long | cmd( 0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear: | cmd( 80):#192.1.3.0/24' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192: | cmd( 160):.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIEN: | cmd( 240):T_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUT: | cmd( 320):O_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.: | cmd( 400):0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.0/24' PLUTO_PEER_CLIENT_NET: | cmd( 480):='192.1.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PE: | cmd( 560):ER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CO: | cmd( 640):NN_POLICY='RSASIG+AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTA: | cmd( 720):NCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS' PLUTO_CONN_KIND=': | cmd( 800):CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0': | cmd( 880): PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG: | cmd( 960):_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTIN: | cmd(1040):G='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. "private-or-clear#192.1.3.0/24": unroute-host output: Error: Peer netns reference is invalid. | flush revival: connection 'private-or-clear#192.1.3.0/24' wasn't on the list | stop processing: connection "private-or-clear#192.1.3.0/24" (in discard_connection() at connections.c:249) | start processing: connection "private-or-clear" (in delete_connection() at connections.c:189) | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | flush revival: connection 'private-or-clear' wasn't on the list | stop processing: connection "private-or-clear" (in discard_connection() at connections.c:249) | start processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in delete_connection() at connections.c:189) "clear#192.1.2.253/32" 0.0.0.0: deleting connection "clear#192.1.2.253/32" 0.0.0.0 instance with peer 0.0.0.0 {isakmp=#0/ipsec=#0} | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | shunt_eroute() called for connection 'clear#192.1.2.253/32' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf | priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf | FOR_EACH_CONNECTION_... in route_owner | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private mark 0/00000000, 0/00000000 | route owner of "clear#192.1.2.253/32" unrouted: NULL | running updown command "ipsec _updown" for verb unroute | command executing unroute-host | executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_O | popen cmd is 1018 chars long | cmd( 0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25: | cmd( 80):3/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' : | cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19: | cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT: | cmd( 320):OCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_: | cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1: | cmd( 480):.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_: | cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_: | cmd( 640):POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING: | cmd( 720):_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO: | cmd( 800):_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVE: | cmd( 880):R='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no': | cmd( 960): VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. | flush revival: connection 'clear#192.1.2.253/32' wasn't on the list | stop processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in discard_connection() at connections.c:249) | start processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in delete_connection() at connections.c:189) "clear#192.1.3.253/32" 0.0.0.0: deleting connection "clear#192.1.3.253/32" 0.0.0.0 instance with peer 0.0.0.0 {isakmp=#0/ipsec=#0} | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | shunt_eroute() called for connection 'clear#192.1.3.253/32' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf | priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf | FOR_EACH_CONNECTION_... in route_owner | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private mark 0/00000000, 0/00000000 | route owner of "clear#192.1.3.253/32" unrouted: NULL | running updown command "ipsec _updown" for verb unroute | command executing unroute-host | executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_O | popen cmd is 1018 chars long | cmd( 0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25: | cmd( 80):3/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' : | cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19: | cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT: | cmd( 320):OCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_: | cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1: | cmd( 480):.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_: | cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_: | cmd( 640):POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING: | cmd( 720):_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO: | cmd( 800):_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVE: | cmd( 880):R='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no': | cmd( 960): VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. | flush revival: connection 'clear#192.1.3.253/32' wasn't on the list | stop processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in discard_connection() at connections.c:249) | start processing: connection "clear#192.1.3.254/32" 0.0.0.0 (in delete_connection() at connections.c:189) "clear#192.1.3.254/32" 0.0.0.0: deleting connection "clear#192.1.3.254/32" 0.0.0.0 instance with peer 0.0.0.0 {isakmp=#0/ipsec=#0} | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | shunt_eroute() called for connection 'clear#192.1.3.254/32' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "clear#192.1.3.254/32" is 0x17dfdf | priority calculation of connection "clear#192.1.3.254/32" is 0x17dfdf | FOR_EACH_CONNECTION_... in route_owner | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private mark 0/00000000, 0/00000000 | route owner of "clear#192.1.3.254/32" unrouted: NULL | running updown command "ipsec _updown" for verb unroute | command executing unroute-host | executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_O | popen cmd is 1018 chars long | cmd( 0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25: | cmd( 80):4/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' : | cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19: | cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT: | cmd( 320):OCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_: | cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1: | cmd( 480):.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_: | cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_: | cmd( 640):POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING: | cmd( 720):_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO: | cmd( 800):_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVE: | cmd( 880):R='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no': | cmd( 960): VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. | flush revival: connection 'clear#192.1.3.254/32' wasn't on the list | stop processing: connection "clear#192.1.3.254/32" 0.0.0.0 (in discard_connection() at connections.c:249) | start processing: connection "clear#192.1.2.254/32" 0.0.0.0 (in delete_connection() at connections.c:189) "clear#192.1.2.254/32" 0.0.0.0: deleting connection "clear#192.1.2.254/32" 0.0.0.0 instance with peer 0.0.0.0 {isakmp=#0/ipsec=#0} | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | shunt_eroute() called for connection 'clear#192.1.2.254/32' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "clear#192.1.2.254/32" is 0x17dfdf | priority calculation of connection "clear#192.1.2.254/32" is 0x17dfdf | FOR_EACH_CONNECTION_... in route_owner | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn clear mark 0/00000000, 0/00000000 | conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private mark 0/00000000, 0/00000000 | route owner of "clear#192.1.2.254/32" unrouted: NULL | running updown command "ipsec _updown" for verb unroute | command executing unroute-host | executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_O | popen cmd is 1018 chars long | cmd( 0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25: | cmd( 80):4/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' : | cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19: | cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT: | cmd( 320):OCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_: | cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1: | cmd( 480):.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_: | cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_: | cmd( 640):POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING: | cmd( 720):_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO: | cmd( 800):_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVE: | cmd( 880):R='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no': | cmd( 960): VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. "clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid. | flush revival: connection 'clear#192.1.2.254/32' wasn't on the list | stop processing: connection "clear#192.1.2.254/32" 0.0.0.0 (in discard_connection() at connections.c:249) | start processing: connection "clear" (in delete_connection() at connections.c:189) | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | flush revival: connection 'clear' wasn't on the list | stop processing: connection "clear" (in discard_connection() at connections.c:249) | start processing: connection "clear-or-private" (in delete_connection() at connections.c:189) | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | free hp@0x56287514ec58 | flush revival: connection 'clear-or-private' wasn't on the list | stop processing: connection "clear-or-private" (in discard_connection() at connections.c:249) | crl fetch request list locked by 'free_crl_fetch' | crl fetch request list unlocked by 'free_crl_fetch' shutting down interface lo/lo 127.0.0.1:4500 shutting down interface lo/lo 127.0.0.1:500 shutting down interface eth0/eth0 192.0.2.254:4500 shutting down interface eth0/eth0 192.0.2.254:500 shutting down interface eth1/eth1 192.1.2.23:4500 shutting down interface eth1/eth1 192.1.2.23:500 | FOR_EACH_STATE_... in delete_states_dead_interfaces | libevent_free: release ptr-libevent@0x562875151848 | free_event_entry: release EVENT_NULL-pe@0x56287514da18 | libevent_free: release ptr-libevent@0x5628750e8638 | free_event_entry: release EVENT_NULL-pe@0x56287514dac8 | libevent_free: release ptr-libevent@0x5628750e86e8 | free_event_entry: release EVENT_NULL-pe@0x56287514db78 | libevent_free: release ptr-libevent@0x5628750e7658 | free_event_entry: release EVENT_NULL-pe@0x56287514dc28 | libevent_free: release ptr-libevent@0x5628750ef968 | free_event_entry: release EVENT_NULL-pe@0x56287514dcd8 | libevent_free: release ptr-libevent@0x5628750f0488 | free_event_entry: release EVENT_NULL-pe@0x56287514dd88 | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | libevent_free: release ptr-libevent@0x562875141e98 | free_event_entry: release EVENT_NULL-pe@0x562875136038 | libevent_free: release ptr-libevent@0x56287512eb38 | free_event_entry: release EVENT_NULL-pe@0x562875135b98 | libevent_free: release ptr-libevent@0x56287512ea88 | free_event_entry: release EVENT_NULL-pe@0x5628750efb28 | global timer EVENT_REINIT_SECRET uninitialized | global timer EVENT_SHUNT_SCAN uninitialized | global timer EVENT_PENDING_DDNS uninitialized | global timer EVENT_PENDING_PHASE2 uninitialized | global timer EVENT_CHECK_CRLS uninitialized | global timer EVENT_REVIVE_CONNS uninitialized | global timer EVENT_FREE_ROOT_CERTS uninitialized | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized | global timer EVENT_NAT_T_KEEPALIVE uninitialized | libevent_free: release ptr-libevent@0x5628750f40f8 | signal event handler PLUTO_SIGCHLD uninstalled | libevent_free: release ptr-libevent@0x562875060ec8 | signal event handler PLUTO_SIGTERM uninstalled | libevent_free: release ptr-libevent@0x562875076858 | signal event handler PLUTO_SIGHUP uninstalled | libevent_free: release ptr-libevent@0x56287514d4f8 | signal event handler PLUTO_SIGSYS uninstalled | releasing event base | libevent_free: release ptr-libevent@0x56287514d3c8 | libevent_free: release ptr-libevent@0x562875130458 | libevent_free: release ptr-libevent@0x562875130408 | libevent_free: release ptr-libevent@0x5628750e7938 | libevent_free: release ptr-libevent@0x5628751303c8 | libevent_free: release ptr-libevent@0x56287514d188 | libevent_free: release ptr-libevent@0x56287514d2c8 | libevent_free: release ptr-libevent@0x562875130608 | libevent_free: release ptr-libevent@0x562875135c08 | libevent_free: release ptr-libevent@0x562875135868 | libevent_free: release ptr-libevent@0x56287514ddf8 | libevent_free: release ptr-libevent@0x56287514dd48 | libevent_free: release ptr-libevent@0x56287514dc98 | libevent_free: release ptr-libevent@0x56287514dbe8 | libevent_free: release ptr-libevent@0x56287514db38 | libevent_free: release ptr-libevent@0x56287514da88 | libevent_free: release ptr-libevent@0x562875071d88 | libevent_free: release ptr-libevent@0x56287514d348 | libevent_free: release ptr-libevent@0x56287514d308 | libevent_free: release ptr-libevent@0x56287514d1c8 | libevent_free: release ptr-libevent@0x56287514d388 | libevent_free: release ptr-libevent@0x56287507d768 | libevent_free: release ptr-libevent@0x5628750f5c88 | libevent_free: release ptr-libevent@0x5628750f5c08 | libevent_free: release ptr-libevent@0x5628750714c8 | releasing global libevent data | libevent_free: release ptr-libevent@0x5628750f5e08 | libevent_free: release ptr-libevent@0x5628750f5d88 | libevent_free: release ptr-libevent@0x5628750f5d08 leak: group instance name, item size: 30 leak: cloned from groupname, item size: 17 leak: group instance name, item size: 21 leak: cloned from groupname, item size: 6 leak: group instance name, item size: 21 leak: cloned from groupname, item size: 6 leak: group instance name, item size: 21 leak: cloned from groupname, item size: 6 leak: group instance name, item size: 21 leak: cloned from groupname, item size: 6 leak: policy group path, item size: 54 leak detective found 11 leaks, total size 209