FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:15985 core dump dir: /run/pluto secrets file: /etc/ipsec.secrets leak-detective enabled NSS crypto [enabled] XAUTH PAM support [enabled] | libevent is using pluto's memory allocator Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | libevent_malloc: new ptr-libevent@0x55e914a056e8 size 40 | libevent_malloc: new ptr-libevent@0x55e914a05668 size 40 | libevent_malloc: new ptr-libevent@0x55e914a055e8 size 40 | creating event base | libevent_malloc: new ptr-libevent@0x55e9149f7218 size 56 | libevent_malloc: new ptr-libevent@0x55e914980da8 size 664 | libevent_malloc: new ptr-libevent@0x55e914a3fd08 size 24 | libevent_malloc: new ptr-libevent@0x55e914a3fd58 size 384 | libevent_malloc: new ptr-libevent@0x55e914a3fcc8 size 16 | libevent_malloc: new ptr-libevent@0x55e914a05568 size 40 | libevent_malloc: new ptr-libevent@0x55e914a054e8 size 48 | libevent_realloc: new ptr-libevent@0x55e914980a38 size 256 | libevent_malloc: new ptr-libevent@0x55e914a3ff08 size 16 | libevent_free: release ptr-libevent@0x55e9149f7218 | libevent initialized | libevent_realloc: new ptr-libevent@0x55e9149f7218 size 64 | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized | global one-shot timer EVENT_FREE_ROOT_CERTS initialized | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds | global one-shot timer EVENT_REVIVE_CONNS initialized | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 | starting up helper thread 0 | status value returned by setting the priority of this thread (crypto helper 0) 22 | crypto helper 0 waiting (nothing to do) started thread for crypto helper 1 | starting up helper thread 1 | status value returned by setting the priority of this thread (crypto helper 1) 22 | crypto helper 1 waiting (nothing to do) started thread for crypto helper 2 | starting up helper thread 2 | status value returned by setting the priority of this thread (crypto helper 2) 22 | crypto helper 2 waiting (nothing to do) started thread for crypto helper 3 | starting up helper thread 3 | status value returned by setting the priority of this thread (crypto helper 3) 22 | crypto helper 3 waiting (nothing to do) started thread for crypto helper 4 | starting up helper thread 4 | status value returned by setting the priority of this thread (crypto helper 4) 22 | crypto helper 4 waiting (nothing to do) started thread for crypto helper 5 | starting up helper thread 5 | status value returned by setting the priority of this thread (crypto helper 5) 22 | crypto helper 5 waiting (nothing to do) started thread for crypto helper 6 | starting up helper thread 6 | status value returned by setting the priority of this thread (crypto helper 6) 22 | crypto helper 6 waiting (nothing to do) | checking IKEv1 state table | MAIN_R0: category: half-open IKE SA flags: 0: | -> MAIN_R1 EVENT_SO_DISCARD | MAIN_I1: category: half-open IKE SA flags: 0: | -> MAIN_I2 EVENT_RETRANSMIT | MAIN_R1: category: open IKE SA flags: 200: | -> MAIN_R2 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_I2: category: open IKE SA flags: 0: | -> MAIN_I3 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_R2: category: open IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | -> MAIN_R3 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_I3: category: open IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | -> MAIN_I4 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_R3: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | MAIN_I4: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | AGGR_R0: category: half-open IKE SA flags: 0: | -> AGGR_R1 EVENT_SO_DISCARD | AGGR_I1: category: half-open IKE SA flags: 0: | -> AGGR_I2 EVENT_SA_REPLACE | -> AGGR_I2 EVENT_SA_REPLACE | AGGR_R1: category: open IKE SA flags: 200: | -> AGGR_R2 EVENT_SA_REPLACE | -> AGGR_R2 EVENT_SA_REPLACE | AGGR_I2: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | AGGR_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | QUICK_R0: category: established CHILD SA flags: 0: | -> QUICK_R1 EVENT_RETRANSMIT | QUICK_I1: category: established CHILD SA flags: 0: | -> QUICK_I2 EVENT_SA_REPLACE | QUICK_R1: category: established CHILD SA flags: 0: | -> QUICK_R2 EVENT_SA_REPLACE | QUICK_I2: category: established CHILD SA flags: 200: | -> UNDEFINED EVENT_NULL | QUICK_R2: category: established CHILD SA flags: 0: | -> UNDEFINED EVENT_NULL | INFO: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | INFO_PROTECTED: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | XAUTH_R0: category: established IKE SA flags: 0: | -> XAUTH_R1 EVENT_NULL | XAUTH_R1: category: established IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | MODE_CFG_R0: category: informational flags: 0: | -> MODE_CFG_R1 EVENT_SA_REPLACE | MODE_CFG_R1: category: established IKE SA flags: 0: | -> MODE_CFG_R2 EVENT_SA_REPLACE | MODE_CFG_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | MODE_CFG_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | XAUTH_I0: category: established IKE SA flags: 0: | -> XAUTH_I1 EVENT_RETRANSMIT | XAUTH_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_RETRANSMIT | checking IKEv2 state table | PARENT_I0: category: ignore flags: 0: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) | PARENT_I1: category: half-open IKE SA flags: 0: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) | PARENT_I2: category: open IKE SA flags: 0: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) | PARENT_I3: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) | PARENT_R0: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) | PARENT_R1: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) | PARENT_R2: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) | V2_CREATE_I0: category: established IKE SA flags: 0: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) | V2_CREATE_I: category: established IKE SA flags: 0: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) | V2_REKEY_IKE_I: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: | V2_CREATE_R: category: established IKE SA flags: 0: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) | V2_REKEY_IKE_R: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: | V2_IPSEC_I: category: established CHILD SA flags: 0: | V2_IPSEC_R: category: established CHILD SA flags: 0: | IKESA_DEL: category: established IKE SA flags: 0: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) | CHILDSA_DEL: category: informational flags: 0: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | adding HMAC_SHA2_384_192 to kernel algorithm db | adding HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds | setup kernel fd callback | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55e9149ff408 | libevent_malloc: new ptr-libevent@0x55e914a3e478 size 128 | libevent_malloc: new ptr-libevent@0x55e914a45508 size 16 | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55e914a45498 | libevent_malloc: new ptr-libevent@0x55e9149f7ec8 size 128 | libevent_malloc: new ptr-libevent@0x55e914a45168 size 16 | global one-shot timer EVENT_CHECK_CRLS initialized selinux support is enabled. | unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | outgoing-port-avoid set 0-65535 | outgoing-port-permit set 32768-60999 | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55e914a45938 | libevent_malloc: new ptr-libevent@0x55e914a51818 size 128 | libevent_malloc: new ptr-libevent@0x55e914a5cb08 size 16 | libevent_realloc: new ptr-libevent@0x55e914a5cb48 size 256 | libevent_malloc: new ptr-libevent@0x55e914a5cc78 size 8 | libevent_realloc: new ptr-libevent@0x55e914a5ccb8 size 144 | libevent_malloc: new ptr-libevent@0x55e914a039d8 size 152 | libevent_malloc: new ptr-libevent@0x55e914a5cd78 size 16 | signal event handler PLUTO_SIGCHLD installed | libevent_malloc: new ptr-libevent@0x55e914a5cdb8 size 8 | libevent_malloc: new ptr-libevent@0x55e914981718 size 152 | signal event handler PLUTO_SIGTERM installed | libevent_malloc: new ptr-libevent@0x55e914a5cdf8 size 8 | libevent_malloc: new ptr-libevent@0x55e914a5ce38 size 152 | signal event handler PLUTO_SIGHUP installed | libevent_malloc: new ptr-libevent@0x55e914a5cf08 size 8 | libevent_realloc: release ptr-libevent@0x55e914a5ccb8 | libevent_realloc: new ptr-libevent@0x55e914a5cf48 size 256 | libevent_malloc: new ptr-libevent@0x55e914a5d078 size 152 | signal event handler PLUTO_SIGSYS installed | created addconn helper (pid:16371) using fork+execve | forked child 16371 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 Kernel supports NIC esp-hw-offload adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth1/eth1 192.1.2.23:4500 adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.0.2.254:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | no interfaces to sort | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | add_fd_read_event_handler: new ethX-pe@0x55e914a5d658 | libevent_malloc: new ptr-libevent@0x55e914a51768 size 128 | libevent_malloc: new ptr-libevent@0x55e914a5d6c8 size 16 | setup callback for interface lo 127.0.0.1:4500 fd 22 | add_fd_read_event_handler: new ethX-pe@0x55e914a5d708 | libevent_malloc: new ptr-libevent@0x55e9149f7f78 size 128 | libevent_malloc: new ptr-libevent@0x55e914a5d778 size 16 | setup callback for interface lo 127.0.0.1:500 fd 21 | add_fd_read_event_handler: new ethX-pe@0x55e914a5d7b8 | libevent_malloc: new ptr-libevent@0x55e9149f7898 size 128 | libevent_malloc: new ptr-libevent@0x55e914a5d828 size 16 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | add_fd_read_event_handler: new ethX-pe@0x55e914a5d868 | libevent_malloc: new ptr-libevent@0x55e9149ff158 size 128 | libevent_malloc: new ptr-libevent@0x55e914a5d8d8 size 16 | setup callback for interface eth0 192.0.2.254:500 fd 19 | add_fd_read_event_handler: new ethX-pe@0x55e914a5d918 | libevent_malloc: new ptr-libevent@0x55e9149ff258 size 128 | libevent_malloc: new ptr-libevent@0x55e914a5d988 size 16 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | add_fd_read_event_handler: new ethX-pe@0x55e914a5d9c8 | libevent_malloc: new ptr-libevent@0x55e9149ff358 size 128 | libevent_malloc: new ptr-libevent@0x55e914a5da38 size 16 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.773 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 | no interfaces to sort | libevent_free: release ptr-libevent@0x55e914a51768 | free_event_entry: release EVENT_NULL-pe@0x55e914a5d658 | add_fd_read_event_handler: new ethX-pe@0x55e914a5d658 | libevent_malloc: new ptr-libevent@0x55e914a51768 size 128 | setup callback for interface lo 127.0.0.1:4500 fd 22 | libevent_free: release ptr-libevent@0x55e9149f7f78 | free_event_entry: release EVENT_NULL-pe@0x55e914a5d708 | add_fd_read_event_handler: new ethX-pe@0x55e914a5d708 | libevent_malloc: new ptr-libevent@0x55e9149f7f78 size 128 | setup callback for interface lo 127.0.0.1:500 fd 21 | libevent_free: release ptr-libevent@0x55e9149f7898 | free_event_entry: release EVENT_NULL-pe@0x55e914a5d7b8 | add_fd_read_event_handler: new ethX-pe@0x55e914a5d7b8 | libevent_malloc: new ptr-libevent@0x55e9149f7898 size 128 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | libevent_free: release ptr-libevent@0x55e9149ff158 | free_event_entry: release EVENT_NULL-pe@0x55e914a5d868 | add_fd_read_event_handler: new ethX-pe@0x55e914a5d868 | libevent_malloc: new ptr-libevent@0x55e9149ff158 size 128 | setup callback for interface eth0 192.0.2.254:500 fd 19 | libevent_free: release ptr-libevent@0x55e9149ff258 | free_event_entry: release EVENT_NULL-pe@0x55e914a5d918 | add_fd_read_event_handler: new ethX-pe@0x55e914a5d918 | libevent_malloc: new ptr-libevent@0x55e9149ff258 size 128 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | libevent_free: release ptr-libevent@0x55e9149ff358 | free_event_entry: release EVENT_NULL-pe@0x55e914a5d9c8 | add_fd_read_event_handler: new ethX-pe@0x55e914a5d9c8 | libevent_malloc: new ptr-libevent@0x55e9149ff358 size 128 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.352 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned pid 16371 (exited with status 0) | reaped addconn helper child (status 0) | waitpid returned ECHILD (no child processes left) | spent 0.0164 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection nss-cert with policy ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | No AUTH policy was set - defaulting to RSASIG | counting wild cards for %fromcert is 0 | setting ID to ID_DER_ASN1_DN: 'E=user-usage-server@testing.libreswan.org,CN=usage-server.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' | loading right certificate 'usage-server' pubkey | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55e914a5fb38 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55e914a5fae8 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55e914a5fa98 | unreference key: 0x55e914a5fb88 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org cnt 1-- | certs and keys locked by 'lsw_add_rsa_secret' | certs and keys unlocked by 'lsw_add_rsa_secret' | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org is 0 | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none | new hp@0x55e914a64278 added connection description "nss-cert" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.0.2.254/32===192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org]...192.1.2.45<192.1.2.45>[%fromcert]===192.0.1.254/32 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 1.25 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... in show_states_status (sort_states) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.323 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | old debugging base+cpu-usage + none | base debugging = base+cpu-usage | old impairing none + suppress-retransmits | base impairing = suppress-retransmits | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0525 milliseconds in whack | spent 0.00322 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 792 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | f2 0e e9 e8 8b aa e4 0b 00 00 00 00 00 00 00 00 | 01 10 02 00 00 00 00 00 00 00 03 18 0d 00 02 84 | 00 00 00 01 00 00 00 01 00 00 02 78 00 01 00 12 | 03 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 04 80 03 00 03 80 04 00 0e | 80 0e 01 00 03 00 00 24 01 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 04 80 03 00 03 | 80 04 00 0e 80 0e 00 80 03 00 00 24 02 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 06 | 80 03 00 03 80 04 00 0e 80 0e 01 00 03 00 00 24 | 03 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 06 80 03 00 03 80 04 00 0e 80 0e 00 80 | 03 00 00 24 04 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 02 80 03 00 03 80 04 00 0e | 80 0e 01 00 03 00 00 24 05 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 02 80 03 00 03 | 80 04 00 0e 80 0e 00 80 03 00 00 24 06 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 04 | 80 03 00 03 80 04 00 05 80 0e 01 00 03 00 00 24 | 07 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 04 80 03 00 03 80 04 00 05 80 0e 00 80 | 03 00 00 24 08 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 06 80 03 00 03 80 04 00 05 | 80 0e 01 00 03 00 00 24 09 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 06 80 03 00 03 | 80 04 00 05 80 0e 00 80 03 00 00 24 0a 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 02 | 80 03 00 03 80 04 00 05 80 0e 01 00 03 00 00 24 | 0b 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 02 80 03 00 03 80 04 00 05 80 0e 00 80 | 03 00 00 20 0c 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 04 80 03 00 03 80 04 00 0e | 03 00 00 20 0d 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 06 80 03 00 03 80 04 00 0e | 03 00 00 20 0e 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 00 03 80 04 00 0e | 03 00 00 20 0f 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 04 80 03 00 03 80 04 00 05 | 03 00 00 20 10 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 06 80 03 00 03 80 04 00 05 | 00 00 00 20 11 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 00 03 80 04 00 05 | 0d 00 00 14 40 48 b7 d5 6e bc e8 85 25 e7 de 7f | 00 d6 c2 d3 0d 00 00 14 af ca d7 13 68 a1 f1 c9 | 6b 86 96 fc 77 57 01 00 0d 00 00 14 4a 13 1c 81 | 07 03 58 45 5c 57 28 f2 0e 95 45 2f 0d 00 00 14 | 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 | 0d 00 00 14 90 cb 80 91 3e bb 69 6e 08 63 81 b5 | ec 42 7b 1f 00 00 00 14 cd 60 46 43 35 df 21 f8 | 7c fd b2 fc 68 b6 a4 48 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | f2 0e e9 e8 8b aa e4 0b | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 792 (0x318) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: IKEv1 state not found (find_state_ikev1_init) | #null state always idle | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 644 (0x284) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 20 (0x14) | message 'main_inI1_outR1' HASH payload not checked early | received Vendor ID payload [FRAGMENTATION] | received Vendor ID payload [Dead Peer Detection] | quirks.qnat_traversal_vid set to=117 [RFC 3947] | received Vendor ID payload [RFC 3947] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | in statetime_start() with no state | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=IKEV1_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports | find_next_host_connection policy=IKEV1_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (nss-cert) | find_next_host_connection returns nss-cert | find_next_host_connection policy=IKEV1_ALLOW | find_next_host_connection returns empty | creating state object #1 at 0x55e914a65a58 | State DB: adding IKEv1 state #1 in UNDEFINED | pstats #1 ikev1.isakmp started | #1 updating local interface from to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in main_inI1_outR1() at ikev1_main.c:667) | parent state #1: UNDEFINED(ignore) => MAIN_R0(half-open IKE SA) | sender checking NAT-T: enabled; VID 117 | returning NAT-T method NAT_TRAVERSAL_METHOD_IETF_RFC | enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) "nss-cert" #1: responding to Main Mode | **emit ISAKMP Message: | initiator cookie: | f2 0e e9 e8 8b aa e4 0b | responder cookie: | 20 89 2c a1 61 82 f0 e2 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 1:ISAKMP_NEXT_SA | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 632 (0x278) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 18 (0x12) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | OAKLEY proposal verified unconditionally; no alg_info to check against | Oakley Transform 0 accepted | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | emitting 28 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP) | attributes 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 04 | attributes 80 03 00 03 80 04 00 0e 80 0e 01 00 | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | out_vid(): sending [FRAGMENTATION] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [Dead Peer Detection] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [RFC 3947] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | emitting length of ISAKMP Vendor ID Payload: 20 | no IKEv1 message padding required | emitting length of ISAKMP Message: 144 | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #1 is idle | doing_xauth:no, t_xauth_client_done:no | peer supports fragmentation | peer supports DPD | IKEv1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 | parent state #1: MAIN_R0(half-open IKE SA) => MAIN_R1(open IKE SA) | event_already_set, deleting event | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 144 bytes for STATE_MAIN_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | f2 0e e9 e8 8b aa e4 0b 20 89 2c a1 61 82 f0 e2 | 01 10 02 00 00 00 00 00 00 00 00 90 0d 00 00 38 | 00 00 00 01 00 00 00 01 00 00 00 2c 00 01 00 01 | 00 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 04 80 03 00 03 80 04 00 0e | 80 0e 01 00 0d 00 00 14 40 48 b7 d5 6e bc e8 85 | 25 e7 de 7f 00 d6 c2 d3 0d 00 00 14 af ca d7 13 | 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 00 00 00 14 | 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | !event_already_set at reschedule | event_schedule: new EVENT_SO_DISCARD-pe@0x55e914a637c8 | inserting event EVENT_SO_DISCARD, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55e914a5f6c8 size 128 "nss-cert" #1: STATE_MAIN_R1: sent MR1, expecting MI2 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.652 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00305 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 396 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | f2 0e e9 e8 8b aa e4 0b 20 89 2c a1 61 82 f0 e2 | 04 10 02 00 00 00 00 00 00 00 01 8c 0a 00 01 04 | 38 a5 21 f9 0d 0c ee ec 41 66 54 0f 16 ab 4e c4 | 6f ec 20 da 3e 0e a2 67 71 64 96 b2 27 52 13 8c | 49 9c 80 99 03 13 25 b3 20 6f 56 7b 91 bb c9 64 | 81 27 c3 ff a6 66 44 68 28 ba 85 75 f5 d1 d8 a1 | ed 08 43 b9 10 d3 06 95 3f ca 12 63 b1 fd ff 5e | 44 a0 4d 3c 72 f6 08 d3 12 c4 42 89 af 2c c6 13 | 20 13 7a ee 02 58 5d 65 c2 a7 41 b4 f2 44 ad 7b | ce 2b 48 ef 20 72 86 85 71 20 95 6f 4c a6 81 6a | 7a 51 63 71 ea 80 bd 1d e1 73 f6 65 45 82 60 16 | e5 7a 42 13 e3 a4 7b 58 00 d5 48 1e 53 16 f9 f5 | 74 3a c5 24 30 c3 26 cc b2 6d 58 5f cd 68 12 4b | 19 29 62 8e 00 ea 60 42 1c ec 1f 4e 77 7f 88 33 | 1d 68 b7 9c 96 85 b9 0f b2 f7 da 71 df 3a f3 c5 | 5f 52 34 d9 18 98 76 a5 49 0b a1 05 1e de 2f 59 | 5d a0 92 7b 34 4f df 25 50 74 88 84 dd 17 f0 db | 26 73 97 7e fc 71 df fa bf 9f 95 0c cc 83 7f 22 | 14 00 00 24 12 a4 76 1b 3f e2 55 a1 e9 3d f3 14 | d3 bd ae 2a 74 71 4c 12 11 37 53 0e 39 b6 ad 2a | aa 74 90 6a 14 00 00 24 94 2d 82 3f 3a f8 68 1c | 3d 86 00 e7 40 6f c3 70 c0 42 08 e0 f5 08 f8 b8 | 17 de 24 21 bd ac e8 32 00 00 00 24 86 cb a7 5e | 82 22 dc 86 30 da 1e 43 c6 b5 59 4e 74 6d a1 e3 | 42 4e ca 35 71 23 1c 00 f5 c1 1d 01 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | f2 0e e9 e8 8b aa e4 0b | responder cookie: | 20 89 2c a1 61 82 f0 e2 | next payload type: ISAKMP_NEXT_KE (0x4) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 396 (0x18c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_R1 (find_state_ikev1) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1459) | #1 is idle | #1 idle | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 260 (0x104) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | message 'main_inI2_outR2' HASH payload not checked early | init checking NAT-T: enabled; RFC 3947 (NAT-Traversal) | natd_hash: hasher=0x55e9140a7ca0(32) | natd_hash: icookie= f2 0e e9 e8 8b aa e4 0b | natd_hash: rcookie= 20 89 2c a1 61 82 f0 e2 | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= 94 2d 82 3f 3a f8 68 1c 3d 86 00 e7 40 6f c3 70 | natd_hash: hash= c0 42 08 e0 f5 08 f8 b8 17 de 24 21 bd ac e8 32 | natd_hash: hasher=0x55e9140a7ca0(32) | natd_hash: icookie= f2 0e e9 e8 8b aa e4 0b | natd_hash: rcookie= 20 89 2c a1 61 82 f0 e2 | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= 86 cb a7 5e 82 22 dc 86 30 da 1e 43 c6 b5 59 4e | natd_hash: hash= 74 6d a1 e3 42 4e ca 35 71 23 1c 00 f5 c1 1d 01 | expected NAT-D(me): 94 2d 82 3f 3a f8 68 1c 3d 86 00 e7 40 6f c3 70 | expected NAT-D(me): c0 42 08 e0 f5 08 f8 b8 17 de 24 21 bd ac e8 32 | expected NAT-D(him): | 86 cb a7 5e 82 22 dc 86 30 da 1e 43 c6 b5 59 4e | 74 6d a1 e3 42 4e ca 35 71 23 1c 00 f5 c1 1d 01 | received NAT-D: 94 2d 82 3f 3a f8 68 1c 3d 86 00 e7 40 6f c3 70 | received NAT-D: c0 42 08 e0 f5 08 f8 b8 17 de 24 21 bd ac e8 32 | received NAT-D: 86 cb a7 5e 82 22 dc 86 30 da 1e 43 c6 b5 59 4e | received NAT-D: 74 6d a1 e3 42 4e ca 35 71 23 1c 00 f5 c1 1d 01 | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.45 | NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected | NAT_T_WITH_KA detected | global one-shot timer EVENT_NAT_T_KEEPALIVE scheduled in 20 seconds | adding inI2_outR2 KE work-order 1 for state #1 | state #1 requesting EVENT_SO_DISCARD to be deleted | libevent_free: release ptr-libevent@0x55e914a5f6c8 | free_event_entry: release EVENT_SO_DISCARD-pe@0x55e914a637c8 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55e914a637c8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55e914a63838 size 128 | crypto helper 0 resuming | crypto helper 0 starting work-order 1 for state #1 | crypto helper 0 doing build KE and nonce (inI2_outR2 KE); request ID 1 | crypto helper 0 finished build KE and nonce (inI2_outR2 KE); request ID 1 time elapsed 0.000896 seconds | (#1) spent 0.904 milliseconds in crypto helper computing work-order 1: inI2_outR2 KE (pcr) | crypto helper 0 sending results from work-order 1 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f68cc002888 size 128 | crypto helper 0 waiting (nothing to do) | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #1 and saving MD | #1 is busy; has a suspended MD | #1 spent 0.13 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.286 milliseconds in comm_handle_cb() reading and processing packet | processing resume sending helper answer for #1 | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 0 replies to request ID 1 | calling continuation function 0x55e913fd2b50 | main_inI2_outR2_continue for #1: calculated ke+nonce, sending R2 | **emit ISAKMP Message: | initiator cookie: | f2 0e e9 e8 8b aa e4 0b | responder cookie: | 20 89 2c a1 61 82 f0 e2 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value dd 22 ea 75 6b 0d d6 b1 0d eb bf 70 b9 16 44 0c | keyex value 39 01 ed 43 ed 67 83 b7 4f d6 91 c3 a9 7f 02 72 | keyex value 4b ba 1e e1 26 bf 7a 6b 39 53 f8 9c de 82 dc 8e | keyex value 86 8e b2 c6 9b 01 30 91 79 94 7f 0d 11 5e 58 fc | keyex value 87 bf 3d 36 d3 a4 1e 01 57 2a f0 59 b5 a6 1b b6 | keyex value 8e c6 c8 de 92 fc 2b b6 f4 77 e3 0e 91 b2 fc e8 | keyex value c3 ac 37 36 71 0f b7 5e 0a 6f 36 f8 b2 eb 51 8a | keyex value 98 79 04 15 8d 56 8a fa d9 bf f5 6f 12 03 6c 14 | keyex value b0 76 06 d5 39 97 50 f6 13 00 9d 0c 83 62 d0 7e | keyex value b4 3a 28 e8 e4 64 97 af cb 4a 17 41 f0 72 d7 f6 | keyex value b6 55 4f de 3f ee a9 f0 33 70 12 8e b6 50 60 7a | keyex value ca 52 12 72 97 3e ea 3e 77 b4 28 a5 fe e4 79 6e | keyex value d7 cd cc 19 df 8f e8 4b 60 bf bf 99 d2 70 7b 69 | keyex value cf fa e7 a1 6c 00 6d 17 b7 97 8a 04 a0 87 b1 1d | keyex value 33 41 38 fb 81 4c 04 bb f5 fb ce f3 97 0f bf a9 | keyex value 15 a0 1d aa e8 df e1 09 ba 06 0d cb 16 f5 d0 f7 | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr c5 24 b8 71 a8 c1 56 22 40 05 c6 e1 cb 8c 64 2e | Nr 0f ba e0 c3 15 b4 36 d3 1e d4 28 47 08 51 ce 4d | emitting length of ISAKMP Nonce Payload: 36 | sending NAT-D payloads | natd_hash: hasher=0x55e9140a7ca0(32) | natd_hash: icookie= f2 0e e9 e8 8b aa e4 0b | natd_hash: rcookie= 20 89 2c a1 61 82 f0 e2 | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= 86 cb a7 5e 82 22 dc 86 30 da 1e 43 c6 b5 59 4e | natd_hash: hash= 74 6d a1 e3 42 4e ca 35 71 23 1c 00 f5 c1 1d 01 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | next payload chain: ignoring supplied 'ISAKMP NAT-D Payload'.'next payload type' value 20:ISAKMP_NEXT_NATD_RFC | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 86 cb a7 5e 82 22 dc 86 30 da 1e 43 c6 b5 59 4e | NAT-D 74 6d a1 e3 42 4e ca 35 71 23 1c 00 f5 c1 1d 01 | emitting length of ISAKMP NAT-D Payload: 36 | natd_hash: hasher=0x55e9140a7ca0(32) | natd_hash: icookie= f2 0e e9 e8 8b aa e4 0b | natd_hash: rcookie= 20 89 2c a1 61 82 f0 e2 | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= 94 2d 82 3f 3a f8 68 1c 3d 86 00 e7 40 6f c3 70 | natd_hash: hash= c0 42 08 e0 f5 08 f8 b8 17 de 24 21 bd ac e8 32 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP NAT-D Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 94 2d 82 3f 3a f8 68 1c 3d 86 00 e7 40 6f c3 70 | NAT-D c0 42 08 e0 f5 08 f8 b8 17 de 24 21 bd ac e8 32 | emitting length of ISAKMP NAT-D Payload: 36 | no IKEv1 message padding required | emitting length of ISAKMP Message: 396 | main inI2_outR2: starting async DH calculation (group=14) | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org->%fromcert of kind PKK_PSK | actually looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org->%fromcert of kind PKK_PSK | line 0: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org) to type PKK_RSA | line 1: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding main_inI2_outR2_tail work-order 2 for state #1 | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55e914a63838 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55e914a637c8 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55e914a637c8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55e914a5f6c8 size 128 | #1 main_inI2_outR2_continue1_tail:1165 st->st_calculating = FALSE; | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #1 is idle; has background offloaded task | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2 | parent state #1: MAIN_R1(open IKE SA) => MAIN_R2(open IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55e914a5f6c8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55e914a637c8 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 396 bytes for STATE_MAIN_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | f2 0e e9 e8 8b aa e4 0b 20 89 2c a1 61 82 f0 e2 | 04 10 02 00 00 00 00 00 00 00 01 8c 0a 00 01 04 | dd 22 ea 75 6b 0d d6 b1 0d eb bf 70 b9 16 44 0c | 39 01 ed 43 ed 67 83 b7 4f d6 91 c3 a9 7f 02 72 | 4b ba 1e e1 26 bf 7a 6b 39 53 f8 9c de 82 dc 8e | 86 8e b2 c6 9b 01 30 91 79 94 7f 0d 11 5e 58 fc | 87 bf 3d 36 d3 a4 1e 01 57 2a f0 59 b5 a6 1b b6 | 8e c6 c8 de 92 fc 2b b6 f4 77 e3 0e 91 b2 fc e8 | c3 ac 37 36 71 0f b7 5e 0a 6f 36 f8 b2 eb 51 8a | 98 79 04 15 8d 56 8a fa d9 bf f5 6f 12 03 6c 14 | b0 76 06 d5 39 97 50 f6 13 00 9d 0c 83 62 d0 7e | b4 3a 28 e8 e4 64 97 af cb 4a 17 41 f0 72 d7 f6 | b6 55 4f de 3f ee a9 f0 33 70 12 8e b6 50 60 7a | ca 52 12 72 97 3e ea 3e 77 b4 28 a5 fe e4 79 6e | d7 cd cc 19 df 8f e8 4b 60 bf bf 99 d2 70 7b 69 | cf fa e7 a1 6c 00 6d 17 b7 97 8a 04 a0 87 b1 1d | 33 41 38 fb 81 4c 04 bb f5 fb ce f3 97 0f bf a9 | 15 a0 1d aa e8 df e1 09 ba 06 0d cb 16 f5 d0 f7 | 14 00 00 24 c5 24 b8 71 a8 c1 56 22 40 05 c6 e1 | cb 8c 64 2e 0f ba e0 c3 15 b4 36 d3 1e d4 28 47 | 08 51 ce 4d 14 00 00 24 86 cb a7 5e 82 22 dc 86 | 30 da 1e 43 c6 b5 59 4e 74 6d a1 e3 42 4e ca 35 | 71 23 1c 00 f5 c1 1d 01 00 00 00 24 94 2d 82 3f | 3a f8 68 1c 3d 86 00 e7 40 6f c3 70 c0 42 08 e0 | f5 08 f8 b8 17 de 24 21 bd ac e8 32 | !event_already_set at reschedule "nss-cert" #1: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds | event_schedule: new EVENT_RETRANSMIT-pe@0x55e914a637c8 | inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55e914a5f6c8 size 128 | #1 STATE_MAIN_R2: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29928.772845 "nss-cert" #1: STATE_MAIN_R2: sent MR2, expecting MI3 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.358 milliseconds in resume sending helper answer | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f68cc002888 | crypto helper 1 resuming | crypto helper 1 starting work-order 2 for state #1 | crypto helper 1 doing compute dh+iv (V1 Phase 1) (main_inI2_outR2_tail); request ID 2 | crypto helper 1 finished compute dh+iv (V1 Phase 1) (main_inI2_outR2_tail); request ID 2 time elapsed 0.001049 seconds | (#1) spent 1.04 milliseconds in crypto helper computing work-order 2: main_inI2_outR2_tail (pcr) | crypto helper 1 sending results from work-order 2 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f68c4000f48 size 128 | crypto helper 1 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 1 replies to request ID 2 | calling continuation function 0x55e913fd2b50 | main_inI2_outR2_calcdone for #1: calculate DH finished | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in main_inI2_outR2_continue2() at ikev1_main.c:1015) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in main_inI2_outR2_continue2() at ikev1_main.c:1028) | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.0174 milliseconds in resume sending helper answer | processing: STOP state #0 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f68c4000f48 | spent 0.00285 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 1884 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | f2 0e e9 e8 8b aa e4 0b 20 89 2c a1 61 82 f0 e2 | 05 10 02 01 00 00 00 00 00 00 07 5c a1 0a b3 e8 | 31 90 3a 58 07 9c 6c 74 2c 07 7e e5 8e 59 b3 df | aa 88 74 7f 9e a6 47 95 84 1b d2 f9 6b cf 9c e2 | a3 cc 5e 69 dd 27 09 26 e4 70 e2 a6 d0 ea 3b 46 | 07 75 3f a3 3e f0 60 92 79 55 1f 39 69 aa 6f 40 | d9 4b ea 5d 52 70 f3 29 6c a9 09 50 43 ba 1d e8 | ac 57 c5 f9 db bd 4c b9 76 47 86 c3 c0 55 b0 d8 | b2 97 b7 2c b4 79 ce 09 65 ae ce 7a 72 66 fa 7f | 92 c5 5d fd 1d 80 bb 9a 7c 9c 84 09 a8 56 11 0b | 31 7c 99 53 4e 15 10 a1 5f ee f4 23 dc 3a 9f 8d | 7f fd b6 7b fe 9e 2b f7 b9 f0 2f e9 5d 0c 50 8c | 8e 27 cf 32 99 03 e1 df 21 5f 4f 7a e2 35 79 e8 | a7 96 1f eb 45 4f a9 76 5e 3a 3c 3f 86 42 9d 4c | 19 94 ac dd 88 7f d8 2e 31 71 b1 ec 39 51 5e ed | 7d c3 20 91 5d 83 4c 4e bb bf 12 3f fd 47 59 ba | 69 a0 76 a6 65 7a de f8 75 65 80 27 66 b1 f1 ea | 91 80 e8 2d 41 dd a0 bc 30 21 a4 0f 03 71 09 66 | 92 0f c7 d2 63 f7 ac 96 6a 68 82 a1 ce 81 5d 21 | c8 11 a8 ed fa c9 3e ed 2a 24 5a 29 f8 1f ca 95 | 55 20 94 82 f0 55 ac 97 87 45 fc 08 3b 71 8d 67 | 72 2f a2 ae 31 c4 08 d2 d8 bf 2a ca 2f e2 a1 94 | 41 ea f3 ca 21 97 5f df 32 51 00 be 2f b4 a3 ac | 0d 12 b6 a7 d5 1b da 5f 5f e9 84 23 e0 d7 e0 41 | 17 16 6e 86 d2 0b 49 26 8a d8 6d 92 00 0a 44 4d | c7 f0 49 2a b4 3f f9 88 0c bf 07 11 7d 87 d0 db | 79 cf cd 6a 17 1d cd a6 30 40 20 ab 89 02 69 20 | 01 1c 07 5a 69 b9 28 82 56 b5 2d 7f ab 51 b7 ac | 5a 67 95 cb da 67 8d 4a a0 68 e2 0d 4f a4 92 2a | 65 6e 14 4c 19 1a 09 4e 6e c9 67 8a 09 58 2c 78 | 33 6a da 8a 51 9c 31 58 2e 49 c8 73 59 5e 15 49 | 39 bc 88 c6 cc f5 f4 fe fe cd 0c 49 6f 06 9c e9 | 15 0c ce 41 f1 e2 4c f6 7a 7a 28 ae 38 19 41 3f | d2 83 a8 e8 92 07 7e 69 eb cd 1d 0d 74 76 82 19 | 11 34 27 3e 58 22 fc 9e 4a 94 49 4a a2 32 0b 48 | 11 2a 73 21 bc f2 59 ad 82 ce 24 36 3b 6e 4e b5 | 39 d4 45 4d 72 a6 63 72 60 6c b5 f1 1d a3 94 a4 | c8 5d b9 b8 c1 3d 5d af 6b fe 6b 43 ad eb 03 4c | 20 5d a1 57 87 41 30 bd 2b 37 04 5f 75 c5 61 56 | e8 ef ce 4f 11 85 53 57 7e fa 47 28 c3 c7 72 77 | 4c c9 dd 93 10 85 f3 a1 63 54 49 ca 72 72 d2 25 | 0c 56 0a 41 39 3d af 44 5e 46 bd 75 30 3f 0b 75 | de b7 09 ce 92 4e cf 12 30 ab cf 60 1d 44 9d fc | 05 25 e9 ed 1b 2c 1e ee 05 1e 5d 1f e3 6f 40 79 | 64 2b 49 b3 1f 61 84 7c c6 a3 9d 07 f0 86 26 4d | 79 c4 45 b4 c2 0e 97 be 2f d3 3d 46 34 d3 6b 3d | 3d 87 e7 93 0b a3 bc 8b b3 42 4e 5a fa 42 a2 06 | 5a b7 91 c8 e6 cb ab ba 4a 38 8d ae bb f3 75 86 | 4a 02 84 77 70 14 e4 87 99 89 ae d6 48 a5 70 de | 4b 92 67 fe 9d c5 cc a5 1b 0a c3 d1 75 c3 02 d9 | 7e 29 4c 2f 16 b0 3c 3a d3 e4 47 97 44 da b2 8f | 28 42 08 69 0f 53 ab 38 39 c0 c3 d8 8f c5 aa 79 | c5 ff 2e 31 c6 f9 2c d1 d6 7d 6e d3 bd 3d 99 25 | 2f a7 2b ea 47 2f 5a c4 e8 39 33 f1 28 b8 a0 59 | 18 40 d8 f1 dc 0f 22 f8 a1 37 4f 5b 34 8d a1 23 | 0f 9e 95 0c 84 b0 29 ca 48 c3 df 31 09 a0 7c 01 | 9d 6c f3 cc 7d 6d 39 9a 88 89 8b 93 e3 a6 b8 4a | 32 84 9a ee 9f ca 49 50 da 3f 14 f5 e4 82 49 c5 | a5 6c 96 00 84 c8 78 98 b7 35 38 4c 1a b1 3b 10 | cd 01 34 cb f8 75 13 4e 92 1a 23 1a aa ca 33 4f | 71 85 37 03 72 3b 77 e0 f0 e7 b0 1a 79 ec d0 33 | ea 0f 3b 87 48 64 d0 57 1b 85 15 ce b6 ac df 6f | 5c 1d 49 93 51 bb ed ef e1 24 40 6e c3 e0 c5 c8 | e5 de a6 9b 05 a2 4f 01 e7 0c 50 67 45 35 ed 75 | e1 84 fe 16 4d 04 31 0a 9a 36 e8 6c c3 7f 45 d3 | 8a 50 9f 19 b5 cf 33 0e 39 aa 05 be 42 72 f7 53 | 8d dd e3 8c 16 5f ee ef 5d 7e a0 dd a3 94 3a 1b | 96 e3 55 d3 4d f3 18 01 9c 48 a9 f0 85 82 f6 dd | d0 e3 c9 5f 3d 64 9d 9c 9c c4 ac f6 8c ea ef c6 | 10 ac 67 4d 07 f0 b2 73 84 b6 31 09 9b 77 53 71 | 49 98 36 ef a8 3a b6 9b ed 6d 44 06 29 6e 7a c1 | db a2 43 9c c1 87 0b 37 34 6c 33 3b d5 78 e8 40 | b6 fe b9 f5 ae fd f4 a5 ec 3c 1b 55 9d f5 e7 5f | 9d ae db f9 ca 04 50 87 9e 49 b1 58 25 3f ca f5 | 17 23 f7 3b d6 d9 10 8d 24 b2 59 4c f6 6a 3b 77 | 3a 74 d5 22 0f 65 dd aa 4d 16 30 b1 0f 9e 97 8a | de b4 74 5a 4a 6c 05 78 a2 a3 3c 10 6a 54 75 f8 | ef 3a 5c 80 62 f8 7c c2 00 84 a1 1e e8 ab 44 f6 | 1d b0 6f d7 05 71 60 48 fa a6 af 81 1e 5f f8 19 | ba cf 70 53 d7 fd d3 5f 12 c8 9f 25 87 d8 c3 39 | 91 ff 39 c0 88 5d b9 45 b1 21 e1 b2 e9 a3 68 6e | 67 9a a1 b5 f7 83 4c 24 df 49 f0 4e e9 3a 74 9c | 42 50 37 7c 9e 51 0d d1 91 3c f0 b3 62 63 3d 03 | af 14 6e 05 36 d9 27 2d 2a 17 9e 31 17 9f 38 0a | e7 f8 b5 18 4e f3 49 7a 3f 9b 78 63 a7 ba a0 39 | 09 d6 eb 5f b3 55 64 32 86 9b ff ef e5 73 d5 99 | 3f 30 49 3d 72 fc 3a 0f 53 5c 0c cb 81 54 a9 43 | 22 57 12 89 78 07 81 b0 b5 e6 0c a8 60 db 49 86 | 09 b9 a6 da e8 68 b3 6b 2b 81 bc 2e 51 e3 5b 48 | c7 aa 77 5f 13 46 d5 65 6a 9e cf 18 24 e7 c5 b7 | 37 2a 32 08 f8 0b c4 cc 39 9f 52 81 15 1d b6 c4 | f0 52 be 6b 4e 3e 71 c0 00 a4 dd 50 53 69 b9 3f | 07 fa 27 12 65 3f dd 06 df d6 e3 bf 7c 55 b0 ea | 3f 57 90 db 58 63 e8 1c 84 db 72 d4 28 ee 9d 09 | bd e7 43 96 83 0f b2 8c 91 8e af 2d d0 be 5d 11 | d8 ce 03 b0 3d 83 6e 70 6e 2f 46 b2 86 85 bf cf | f2 01 7d 25 27 8f 90 64 f1 ff 43 db b8 02 33 8a | a6 da 22 ee 16 91 16 24 51 69 e0 de bd fc 81 2b | 3e 46 8b 0d ac 3b da 6e d7 60 5b 05 3e ee c3 ef | 27 ba c6 68 89 02 4d 4d 3c 7b 9b 82 e7 d8 b3 1f | 3e f2 54 42 d8 bd b9 e0 d2 77 49 84 3b 2f 40 35 | 96 88 f3 89 b1 08 a2 f9 ae 17 76 14 10 3e cc ca | df ac 87 07 fd 93 04 55 6f 19 37 dc 75 0c 49 d8 | 4d b8 1f a7 2f 48 ce 69 53 3a aa ea be 3a f4 de | 63 5b 0a 25 5f 4d f4 ee 4c 3c 56 ff 22 64 04 bb | 0b 55 77 5a a2 df 6c 0b c6 83 e2 03 23 42 65 1c | 01 f3 2b c6 11 1e 48 b3 e4 ae db c0 1a 72 10 4f | df a2 0c 57 8e 2b 1b ba fe 1e 21 dc 59 1f fa 53 | 6e c2 27 1b 82 b2 49 49 67 48 3d c6 9f cf 43 1a | b6 5b 93 ee 84 c6 e9 27 33 01 eb 45 99 69 37 fe | f4 95 6f 6c 27 02 56 bd 63 6c bc 58 6e 21 19 45 | 7c 00 fd 2a 26 50 54 60 ba 73 ff ac 97 81 a8 a4 | 74 ff 40 b7 0b d8 49 ac dd c5 79 1b c8 47 a5 f7 | a0 3f 48 e3 ce 97 39 df c2 af d5 f1 f0 5c 6c 41 | b3 7d fc d7 c4 20 ac 0e e0 0f a9 7b d7 38 75 66 | 10 23 35 af 3f b6 00 b1 90 ca fd 92 e3 b8 f0 6d | 7c a5 2a 08 65 98 c1 42 5a a3 07 a9 a4 1a d9 15 | 81 87 3a f5 35 5c e1 f8 86 45 14 8e | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | f2 0e e9 e8 8b aa e4 0b | responder cookie: | 20 89 2c a1 61 82 f0 e2 | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | length: 1884 (0x75c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_R2 (find_state_ikev1) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1459) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x220 opt: 0x20c0 | ***parse ISAKMP Identification Payload: | next payload type: ISAKMP_NEXT_CERT (0x6) | length: 203 (0xcb) | ID type: ID_DER_ASN1_DN (0x9) | DOI specific A: 0 (0x0) | DOI specific B: 0 (0x0) | obj: 30 81 c0 31 0b 30 09 06 03 55 04 06 13 02 43 41 | obj: 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | obj: 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | obj: 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | obj: 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | obj: 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | obj: 6e 74 31 29 30 27 06 03 55 04 03 0c 20 75 73 61 | obj: 67 65 2d 62 6f 74 68 2e 74 65 73 74 69 6e 67 2e | obj: 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 31 34 30 | obj: 32 06 09 2a 86 48 86 f7 0d 01 09 01 16 25 75 73 | obj: 65 72 2d 75 73 61 67 65 2d 62 6f 74 68 40 74 65 | obj: 73 74 69 6e 67 2e 6c 69 62 72 65 73 77 61 6e 2e | obj: 6f 72 67 | got payload 0x40 (ISAKMP_NEXT_CERT) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Certificate Payload: | next payload type: ISAKMP_NEXT_CR (0x7) | length: 1247 (0x4df) | cert encoding: CERT_X509_SIGNATURE (0x4) | got payload 0x80 (ISAKMP_NEXT_CR) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Certificate RequestPayload: | next payload type: ISAKMP_NEXT_SIG (0x9) | length: 5 (0x5) | cert type: CERT_X509_SIGNATURE (0x4) | got payload 0x200 (ISAKMP_NEXT_SIG) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Signature Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 388 (0x184) | removing 13 bytes of padding | message 'main_inI3_outR3' HASH payload not checked early | DER ASN1 DN: 30 81 c0 31 0b 30 09 06 03 55 04 06 13 02 43 41 | DER ASN1 DN: 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | DER ASN1 DN: 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | DER ASN1 DN: 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | DER ASN1 DN: 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | DER ASN1 DN: 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | DER ASN1 DN: 6e 74 31 29 30 27 06 03 55 04 03 0c 20 75 73 61 | DER ASN1 DN: 67 65 2d 62 6f 74 68 2e 74 65 73 74 69 6e 67 2e | DER ASN1 DN: 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 31 34 30 | DER ASN1 DN: 32 06 09 2a 86 48 86 f7 0d 01 09 01 16 25 75 73 | DER ASN1 DN: 65 72 2d 75 73 61 67 65 2d 62 6f 74 68 40 74 65 | DER ASN1 DN: 73 74 69 6e 67 2e 6c 69 62 72 65 73 77 61 6e 2e | DER ASN1 DN: 6f 72 67 "nss-cert" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-both.testing.libreswan.org, E=user-usage-both@testing.libreswan.org' | global one-shot timer EVENT_FREE_ROOT_CERTS scheduled in 300 seconds loading root certificate cache | spent 3.38 milliseconds in get_root_certs() calling PK11_ListCertsInSlot() | spent 0.0275 milliseconds in get_root_certs() filtering CAs | #1 spent 3.44 milliseconds in find_and_verify_certs() calling get_root_certs() | checking for known CERT payloads | saving certificate of type 'X509_SIGNATURE' | decoded cert: E=user-usage-both@testing.libreswan.org,CN=usage-both.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | #1 spent 0.183 milliseconds in find_and_verify_certs() calling decode_cert_payloads() | cert_issuer_has_current_crl: looking for a CRL issued by E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | #1 spent 0.0368 milliseconds in find_and_verify_certs() calling crl_update_check() | missing or expired CRL | crl_strict: 0, ocsp: 0, ocsp_strict: 0, ocsp_post: 0 | verify_end_cert trying profile IPsec "nss-cert" #1: Certificate E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA failed IPsec verification "nss-cert" #1: ERROR: The certificate was signed using a signature algorithm that is disabled because it is not secure. | #1 spent 0.403 milliseconds in find_and_verify_certs() calling verify_end_cert() "nss-cert" #1: X509: Certificate rejected for this connection "nss-cert" #1: X509: CERT payload bogus or revoked | Peer ID failed to decode | complete v1 state transition with INVALID_ID_INFORMATION | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #1 is idle "nss-cert" #1: sending encrypted notification INVALID_ID_INFORMATION to 192.1.2.45:500 | **emit ISAKMP Message: | initiator cookie: | f2 0e e9 e8 8b aa e4 0b | responder cookie: | 20 89 2c a1 61 82 f0 e2 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3371151070 (0xc8efaede) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'notification msg' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Notification Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 1 (0x1) | SPI size: 0 (0x0) | Notify Message Type: INVALID_ID_INFORMATION (0x12) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Notification Payload (11:ISAKMP_NEXT_N) | next payload chain: saving location 'ISAKMP Notification Payload'.'next payload type' in 'notification msg' | emitting length of ISAKMP Notification Payload: 12 | send notification HASH(1): | fe be 6e 26 a4 29 b6 54 19 f3 25 71 c5 88 f4 bc | 46 47 64 76 f0 71 55 62 49 ef ce 0f 17 9f b1 2e | no IKEv1 message padding required | emitting length of ISAKMP Message: 76 | sending 76 bytes for notification packet through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | f2 0e e9 e8 8b aa e4 0b 20 89 2c a1 61 82 f0 e2 | 08 10 05 01 c8 ef ae de 00 00 00 4c 95 81 34 05 | 76 5b 7b cb a3 c1 75 e4 cb 6b 45 f4 76 66 bb e9 | 9d 05 78 dd 99 78 7f 8f 5a 42 a0 b6 94 83 cd d6 | ca c4 4b 4c ee 20 26 67 97 60 f9 fe | state transition function for STATE_MAIN_R2 failed: INVALID_ID_INFORMATION | #1 spent 4.36 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 4.73 milliseconds in comm_handle_cb() reading and processing packet | processing global timer EVENT_SHUNT_SCAN | expiring aged bare shunts from shunt table | spent 0.00425 milliseconds in global timer EVENT_SHUNT_SCAN | processing global timer EVENT_NAT_T_KEEPALIVE | FOR_EACH_STATE_... in nat_traversal_ka_event (for_each_state) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in for_each_state() at state.c:1575) | not behind NAT: no NAT-T KEEP-ALIVE required for conn nss-cert | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in for_each_state() at state.c:1577) | spent 0.0184 milliseconds in global timer EVENT_NAT_T_KEEPALIVE