FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:23773 core dump dir: /run/pluto secrets file: /etc/ipsec.secrets leak-detective enabled NSS crypto [enabled] XAUTH PAM support [enabled] | libevent is using pluto's memory allocator Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | libevent_malloc: new ptr-libevent@0x55b14dc894d8 size 40 | libevent_malloc: new ptr-libevent@0x55b14dc89458 size 40 | libevent_malloc: new ptr-libevent@0x55b14dc893d8 size 40 | creating event base | libevent_malloc: new ptr-libevent@0x55b14dc7b008 size 56 | libevent_malloc: new ptr-libevent@0x55b14dc04dd8 size 664 | libevent_malloc: new ptr-libevent@0x55b14dcc3af8 size 24 | libevent_malloc: new ptr-libevent@0x55b14dcc3b48 size 384 | libevent_malloc: new ptr-libevent@0x55b14dcc3ab8 size 16 | libevent_malloc: new ptr-libevent@0x55b14dc89358 size 40 | libevent_malloc: new ptr-libevent@0x55b14dc892d8 size 48 | libevent_realloc: new ptr-libevent@0x55b14dc04a68 size 256 | libevent_malloc: new ptr-libevent@0x55b14dcc3cf8 size 16 | libevent_free: release ptr-libevent@0x55b14dc7b008 | libevent initialized | libevent_realloc: new ptr-libevent@0x55b14dc7b008 size 64 | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized | global one-shot timer EVENT_FREE_ROOT_CERTS initialized | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds | global one-shot timer EVENT_REVIVE_CONNS initialized | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 started thread for crypto helper 1 | starting up helper thread 1 | status value returned by setting the priority of this thread (crypto helper 1) 22 started thread for crypto helper 2 | starting up helper thread 2 | crypto helper 1 waiting (nothing to do) | status value returned by setting the priority of this thread (crypto helper 2) 22 | crypto helper 2 waiting (nothing to do) started thread for crypto helper 3 | starting up helper thread 3 | status value returned by setting the priority of this thread (crypto helper 3) 22 | crypto helper 3 waiting (nothing to do) started thread for crypto helper 4 | starting up helper thread 4 | status value returned by setting the priority of this thread (crypto helper 4) 22 | crypto helper 4 waiting (nothing to do) started thread for crypto helper 5 | starting up helper thread 5 | status value returned by setting the priority of this thread (crypto helper 5) 22 | crypto helper 5 waiting (nothing to do) started thread for crypto helper 6 | starting up helper thread 6 | status value returned by setting the priority of this thread (crypto helper 6) 22 | crypto helper 6 waiting (nothing to do) | checking IKEv1 state table | MAIN_R0: category: half-open IKE SA flags: 0: | -> MAIN_R1 EVENT_SO_DISCARD | MAIN_I1: category: half-open IKE SA flags: 0: | -> MAIN_I2 EVENT_RETRANSMIT | MAIN_R1: category: open IKE SA flags: 200: | -> MAIN_R2 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_I2: category: open IKE SA flags: 0: | -> MAIN_I3 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_R2: category: open IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | -> MAIN_R3 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_I3: category: open IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | -> MAIN_I4 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_R3: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | MAIN_I4: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | AGGR_R0: category: half-open IKE SA flags: 0: | -> AGGR_R1 EVENT_SO_DISCARD | AGGR_I1: category: half-open IKE SA flags: 0: | -> AGGR_I2 EVENT_SA_REPLACE | -> AGGR_I2 EVENT_SA_REPLACE | AGGR_R1: category: open IKE SA flags: 200: | -> AGGR_R2 EVENT_SA_REPLACE | -> AGGR_R2 EVENT_SA_REPLACE | AGGR_I2: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | AGGR_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | QUICK_R0: category: established CHILD SA flags: 0: | -> QUICK_R1 EVENT_RETRANSMIT | QUICK_I1: category: established CHILD SA flags: 0: | -> QUICK_I2 EVENT_SA_REPLACE | QUICK_R1: category: established CHILD SA flags: 0: | -> QUICK_R2 EVENT_SA_REPLACE | QUICK_I2: category: established CHILD SA flags: 200: | -> UNDEFINED EVENT_NULL | QUICK_R2: category: established CHILD SA flags: 0: | -> UNDEFINED EVENT_NULL | INFO: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | INFO_PROTECTED: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | XAUTH_R0: category: established IKE SA flags: 0: | -> XAUTH_R1 EVENT_NULL | XAUTH_R1: category: established IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | MODE_CFG_R0: category: informational flags: 0: | -> MODE_CFG_R1 EVENT_SA_REPLACE | MODE_CFG_R1: category: established IKE SA flags: 0: | -> MODE_CFG_R2 EVENT_SA_REPLACE | MODE_CFG_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | MODE_CFG_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | XAUTH_I0: category: established IKE SA flags: 0: | -> XAUTH_I1 EVENT_RETRANSMIT | XAUTH_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_RETRANSMIT | checking IKEv2 state table | PARENT_I0: category: ignore flags: 0: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) | PARENT_I1: category: half-open IKE SA flags: 0: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) | PARENT_I2: category: open IKE SA flags: 0: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) | PARENT_I3: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) | PARENT_R0: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) | PARENT_R1: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) | PARENT_R2: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) | V2_CREATE_I0: category: established IKE SA flags: 0: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) | V2_CREATE_I: category: established IKE SA flags: 0: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) | V2_REKEY_IKE_I: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: <none> | V2_CREATE_R: category: established IKE SA flags: 0: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) | V2_REKEY_IKE_R: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: <none> | V2_IPSEC_I: category: established CHILD SA flags: 0: <none> | V2_IPSEC_R: category: established CHILD SA flags: 0: <none> | IKESA_DEL: category: established IKE SA flags: 0: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) | CHILDSA_DEL: category: informational flags: 0: <none> Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | adding HMAC_SHA2_384_192 to kernel algorithm db | adding HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds | setup kernel fd callback | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55b14dc831f8 | libevent_malloc: new ptr-libevent@0x55b14dcc2268 size 128 | libevent_malloc: new ptr-libevent@0x55b14dcc92f8 size 16 | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55b14dcc9288 | libevent_malloc: new ptr-libevent@0x55b14dc7bcb8 size 128 | libevent_malloc: new ptr-libevent@0x55b14dcc8f58 size 16 | global one-shot timer EVENT_CHECK_CRLS initialized selinux support is enabled. | unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | outgoing-port-avoid set 0-65535 | outgoing-port-permit set 32768-60999 | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55b14dcc9728 | libevent_malloc: new ptr-libevent@0x55b14dcd5608 size 128 | libevent_malloc: new ptr-libevent@0x55b14dce08f8 size 16 | libevent_realloc: new ptr-libevent@0x55b14dce0938 size 256 | libevent_malloc: new ptr-libevent@0x55b14dce0a68 size 8 | libevent_realloc: new ptr-libevent@0x55b14dce0aa8 size 144 | libevent_malloc: new ptr-libevent@0x55b14dc877c8 size 152 | libevent_malloc: new ptr-libevent@0x55b14dce0b68 size 16 | signal event handler PLUTO_SIGCHLD installed | libevent_malloc: new ptr-libevent@0x55b14dce0ba8 size 8 | libevent_malloc: new ptr-libevent@0x55b14dc05498 size 152 | signal event handler PLUTO_SIGTERM installed | libevent_malloc: new ptr-libevent@0x55b14dce0be8 size 8 | libevent_malloc: new ptr-libevent@0x55b14dce0c28 size 152 | signal event handler PLUTO_SIGHUP installed | libevent_malloc: new ptr-libevent@0x55b14dce0cf8 size 8 | libevent_realloc: release ptr-libevent@0x55b14dce0aa8 | libevent_realloc: new ptr-libevent@0x55b14dce0d38 size 256 | libevent_malloc: new ptr-libevent@0x55b14dce0e68 size 152 | signal event handler PLUTO_SIGSYS installed | created addconn helper (pid:23966) using fork+execve | forked child 23966 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.1.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.45 Kernel supports NIC esp-hw-offload adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.45:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth1/eth1 192.1.2.45:4500 adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.1.254:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.0.1.254:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | no interfaces to sort | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | add_fd_read_event_handler: new ethX-pe@0x55b14dce1448 | libevent_malloc: new ptr-libevent@0x55b14dcd5558 size 128 | libevent_malloc: new ptr-libevent@0x55b14dce14b8 size 16 | setup callback for interface lo 127.0.0.1:4500 fd 22 | add_fd_read_event_handler: new ethX-pe@0x55b14dce14f8 | libevent_malloc: new ptr-libevent@0x55b14dc7bd68 size 128 | libevent_malloc: new ptr-libevent@0x55b14dce1568 size 16 | setup callback for interface lo 127.0.0.1:500 fd 21 | add_fd_read_event_handler: new ethX-pe@0x55b14dce15a8 | libevent_malloc: new ptr-libevent@0x55b14dc7b688 size 128 | libevent_malloc: new ptr-libevent@0x55b14dce1618 size 16 | setup callback for interface eth0 192.0.1.254:4500 fd 20 | add_fd_read_event_handler: new ethX-pe@0x55b14dce1658 | libevent_malloc: new ptr-libevent@0x55b14dc82f48 size 128 | libevent_malloc: new ptr-libevent@0x55b14dce16c8 size 16 | setup callback for interface eth0 192.0.1.254:500 fd 19 | add_fd_read_event_handler: new ethX-pe@0x55b14dce1708 | libevent_malloc: new ptr-libevent@0x55b14dc83048 size 128 | libevent_malloc: new ptr-libevent@0x55b14dce1778 size 16 | setup callback for interface eth1 192.1.2.45:4500 fd 18 | add_fd_read_event_handler: new ethX-pe@0x55b14dce17b8 | libevent_malloc: new ptr-libevent@0x55b14dc83148 size 128 | libevent_malloc: new ptr-libevent@0x55b14dce1828 size 16 | setup callback for interface eth1 192.1.2.45:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID b4 9f 1a ac 9e 45 6e 79 29 c8 81 97 3a 0c 6a d3 | computed rsa CKAID 7f 0f 03 50 loaded private key for keyid: PKK_RSA:AQOm9dY/4 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.663 milliseconds in whack | starting up helper thread 0 | status value returned by setting the priority of this thread (crypto helper 0) 22 | crypto helper 0 waiting (nothing to do) | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.1.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.45 | no interfaces to sort | libevent_free: release ptr-libevent@0x55b14dcd5558 | free_event_entry: release EVENT_NULL-pe@0x55b14dce1448 | add_fd_read_event_handler: new ethX-pe@0x55b14dce1448 | libevent_malloc: new ptr-libevent@0x55b14dcd5558 size 128 | setup callback for interface lo 127.0.0.1:4500 fd 22 | libevent_free: release ptr-libevent@0x55b14dc7bd68 | free_event_entry: release EVENT_NULL-pe@0x55b14dce14f8 | add_fd_read_event_handler: new ethX-pe@0x55b14dce14f8 | libevent_malloc: new ptr-libevent@0x55b14dc7bd68 size 128 | setup callback for interface lo 127.0.0.1:500 fd 21 | libevent_free: release ptr-libevent@0x55b14dc7b688 | free_event_entry: release EVENT_NULL-pe@0x55b14dce15a8 | add_fd_read_event_handler: new ethX-pe@0x55b14dce15a8 | libevent_malloc: new ptr-libevent@0x55b14dc7b688 size 128 | setup callback for interface eth0 192.0.1.254:4500 fd 20 | libevent_free: release ptr-libevent@0x55b14dc82f48 | free_event_entry: release EVENT_NULL-pe@0x55b14dce1658 | add_fd_read_event_handler: new ethX-pe@0x55b14dce1658 | libevent_malloc: new ptr-libevent@0x55b14dc82f48 size 128 | setup callback for interface eth0 192.0.1.254:500 fd 19 | libevent_free: release ptr-libevent@0x55b14dc83048 | free_event_entry: release EVENT_NULL-pe@0x55b14dce1708 | add_fd_read_event_handler: new ethX-pe@0x55b14dce1708 | libevent_malloc: new ptr-libevent@0x55b14dc83048 size 128 | setup callback for interface eth1 192.1.2.45:4500 fd 18 | libevent_free: release ptr-libevent@0x55b14dc83148 | free_event_entry: release EVENT_NULL-pe@0x55b14dce17b8 | add_fd_read_event_handler: new ethX-pe@0x55b14dce17b8 | libevent_malloc: new ptr-libevent@0x55b14dc83148 size 128 | setup callback for interface eth1 192.1.2.45:500 fd 17 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID b4 9f 1a ac 9e 45 6e 79 29 c8 81 97 3a 0c 6a d3 | computed rsa CKAID 7f 0f 03 50 loaded private key for keyid: PKK_RSA:AQOm9dY/4 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.433 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned pid 23966 (exited with status 0) | reaped addconn helper child (status 0) | waitpid returned ECHILD (no child processes left) | spent 0.0132 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection nss-cert with policy ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | No AUTH policy was set - defaulting to RSASIG | setting ID to ID_DER_ASN1_DN: 'E=user-usage-both@testing.libreswan.org,CN=usage-both.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' | loading left certificate 'usage-both' pubkey | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55b14dce38f8 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55b14dce38a8 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55b14dce3858 | unreference key: 0x55b14dce3948 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-both.testing.libreswan.org, E=user-usage-both@testing.libreswan.org cnt 1-- | certs and keys locked by 'lsw_add_rsa_secret' | certs and keys unlocked by 'lsw_add_rsa_secret' | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-both.testing.libreswan.org, E=user-usage-both@testing.libreswan.org is 0 | counting wild cards for %fromcert is 0 | connect_to_host_pair: 192.1.2.45:500 192.1.2.23:500 -> hp@(nil): none | new hp@0x55b14dce8018 added connection description "nss-cert" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.0.1.254/32===192.1.2.45<192.1.2.45>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-both.testing.libreswan.org, E=user-usage-both@testing.libreswan.org]...192.1.2.23<192.1.2.23>[%fromcert]===192.0.2.254/32 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 1.16 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... in show_states_status (sort_states) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.32 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | old debugging base+cpu-usage + none | base debugging = base+cpu-usage | old impairing none + suppress-retransmits | base impairing = suppress-retransmits | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0514 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | dup_any(fd@16) -> fd@23 (in whack_process() at rcv_whack.c:590) | FOR_EACH_CONNECTION_... in conn_by_name | start processing: connection "nss-cert" (in initiate_a_connection() at initiate.c:186) | empty esp_info, returning defaults for ENCRYPT | connection 'nss-cert' +POLICY_UP | dup_any(fd@23) -> fd@24 (in initiate_a_connection() at initiate.c:342) | FOR_EACH_STATE_... in find_phase1_state | creating state object #1 at 0x55b14dce83c8 | State DB: adding IKEv1 state #1 in UNDEFINED | pstats #1 ikev1.isakmp started | suspend processing: connection "nss-cert" (in main_outI1() at ikev1_main.c:118) | start processing: state #1 connection "nss-cert" from 192.1.2.23 (in main_outI1() at ikev1_main.c:118) | parent state #1: UNDEFINED(ignore) => MAIN_I1(half-open IKE SA) | dup_any(fd@24) -> fd@25 (in main_outI1() at ikev1_main.c:123) | Queuing pending IPsec SA negotiating with 192.1.2.23 "nss-cert" IKE SA #1 "nss-cert" "nss-cert" #1: initiating Main Mode | **emit ISAKMP Message: | initiator cookie: | f2 0e e9 e8 8b aa e4 0b | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 1:ISAKMP_NEXT_SA | no specific IKE algorithms specified - using defaults | oakley_alg_makedb() processing ealg=aes=7 halg=sha2_256=4 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=aes=7 halg=sha2_512=6 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=aes=7 halg=sha=2 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=aes=7 halg=sha2_256=4 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() processing ealg=aes=7 halg=sha2_512=6 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() processing ealg=aes=7 halg=sha=2 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha2_256=4 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha2_512=6 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha=2 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha2_256=4 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha2_512=6 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha=2 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() returning 0x55b14dcea828 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ikev1_out_sa pcn: 0 has 1 valid proposals | ikev1_out_sa pcn: 0 pn: 0<1 valid_count: 1 trans_cnt: 18 | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 18 (0x12) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 1 (0x1) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 2 (0x2) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 3 (0x3) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 4 (0x4) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 5 (0x5) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 6 (0x6) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 7 (0x7) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 8 (0x8) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 9 (0x9) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 10 (0xa) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 11 (0xb) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 12 (0xc) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 13 (0xd) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 14 (0xe) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 15 (0xf) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 16 (0x10) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP transform number: 17 (0x11) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | emitting length of ISAKMP Proposal Payload: 632 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 644 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | out_vid(): sending [FRAGMENTATION] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [Dead Peer Detection] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | emitting length of ISAKMP Vendor ID Payload: 20 | nat add vid | sending draft and RFC NATT VIDs | out_vid(): sending [RFC 3947] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | emitting length of ISAKMP Vendor ID Payload: 20 | skipping VID_NATT_RFC | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-03] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-02_n] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-02] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48 | emitting length of ISAKMP Vendor ID Payload: 20 | no IKEv1 message padding required | emitting length of ISAKMP Message: 792 | sending 792 bytes for reply packet for main_outI1 through eth1 from 192.1.2.45:500 to 192.1.2.23:500 (using #1) | f2 0e e9 e8 8b aa e4 0b 00 00 00 00 00 00 00 00 | 01 10 02 00 00 00 00 00 00 00 03 18 0d 00 02 84 | 00 00 00 01 00 00 00 01 00 00 02 78 00 01 00 12 | 03 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 04 80 03 00 03 80 04 00 0e | 80 0e 01 00 03 00 00 24 01 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 04 80 03 00 03 | 80 04 00 0e 80 0e 00 80 03 00 00 24 02 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 06 | 80 03 00 03 80 04 00 0e 80 0e 01 00 03 00 00 24 | 03 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 06 80 03 00 03 80 04 00 0e 80 0e 00 80 | 03 00 00 24 04 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 02 80 03 00 03 80 04 00 0e | 80 0e 01 00 03 00 00 24 05 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 02 80 03 00 03 | 80 04 00 0e 80 0e 00 80 03 00 00 24 06 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 04 | 80 03 00 03 80 04 00 05 80 0e 01 00 03 00 00 24 | 07 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 04 80 03 00 03 80 04 00 05 80 0e 00 80 | 03 00 00 24 08 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 06 80 03 00 03 80 04 00 05 | 80 0e 01 00 03 00 00 24 09 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 06 80 03 00 03 | 80 04 00 05 80 0e 00 80 03 00 00 24 0a 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 02 | 80 03 00 03 80 04 00 05 80 0e 01 00 03 00 00 24 | 0b 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 02 80 03 00 03 80 04 00 05 80 0e 00 80 | 03 00 00 20 0c 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 04 80 03 00 03 80 04 00 0e | 03 00 00 20 0d 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 06 80 03 00 03 80 04 00 0e | 03 00 00 20 0e 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 00 03 80 04 00 0e | 03 00 00 20 0f 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 04 80 03 00 03 80 04 00 05 | 03 00 00 20 10 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 06 80 03 00 03 80 04 00 05 | 00 00 00 20 11 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 00 03 80 04 00 05 | 0d 00 00 14 40 48 b7 d5 6e bc e8 85 25 e7 de 7f | 00 d6 c2 d3 0d 00 00 14 af ca d7 13 68 a1 f1 c9 | 6b 86 96 fc 77 57 01 00 0d 00 00 14 4a 13 1c 81 | 07 03 58 45 5c 57 28 f2 0e 95 45 2f 0d 00 00 14 | 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 | 0d 00 00 14 90 cb 80 91 3e bb 69 6e 08 63 81 b5 | ec 42 7b 1f 00 00 00 14 cd 60 46 43 35 df 21 f8 | 7c fd b2 fc 68 b6 a4 48 "nss-cert" #1: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds | event_schedule: new EVENT_RETRANSMIT-pe@0x55b14dceb378 | inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55b14dce3458 size 128 | #1 STATE_MAIN_I1: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29928.767796 | #1 spent 1.54 milliseconds in main_outI1() | stop processing: state #1 connection "nss-cert" from 192.1.2.23 (in main_outI1() at ikev1_main.c:228) | resume processing: connection "nss-cert" (in main_outI1() at ikev1_main.c:228) | stop processing: connection "nss-cert" (in initiate_a_connection() at initiate.c:349) | close_any(fd@23) (in initiate_connection() at initiate.c:372) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 1.6 milliseconds in whack | spent 0.00205 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 144 bytes from 192.1.2.23:500 on eth1 (192.1.2.45:500) | f2 0e e9 e8 8b aa e4 0b 20 89 2c a1 61 82 f0 e2 | 01 10 02 00 00 00 00 00 00 00 00 90 0d 00 00 38 | 00 00 00 01 00 00 00 01 00 00 00 2c 00 01 00 01 | 00 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 04 80 03 00 03 80 04 00 0e | 80 0e 01 00 0d 00 00 14 40 48 b7 d5 6e bc e8 85 | 25 e7 de 7f 00 d6 c2 d3 0d 00 00 14 af ca d7 13 | 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 00 00 00 14 | 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | f2 0e e9 e8 8b aa e4 0b | responder cookie: | 20 89 2c a1 61 82 f0 e2 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 144 (0x90) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: IKEv1 state not found (find_state_ikev1) | State DB: found IKEv1 state #1 in MAIN_I1 (find_state_ikev1_init) | start processing: state #1 connection "nss-cert" from 192.1.2.23 (in process_v1_packet() at ikev1.c:1459) | #1 is idle | #1 idle | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 56 (0x38) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 20 (0x14) | message 'main_inR1_outI2' HASH payload not checked early | received Vendor ID payload [FRAGMENTATION] | received Vendor ID payload [Dead Peer Detection] | quirks.qnat_traversal_vid set to=117 [RFC 3947] | received Vendor ID payload [RFC 3947] | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 44 (0x2c) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | OAKLEY proposal verified unconditionally; no alg_info to check against | Oakley Transform 0 accepted | sender checking NAT-T: enabled; VID 117 | returning NAT-T method NAT_TRAVERSAL_METHOD_IETF_RFC | enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) | adding outI2 KE work-order 1 for state #1 | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_MAIN_I1: retransmits: cleared | libevent_free: release ptr-libevent@0x55b14dce3458 | free_event_entry: release EVENT_RETRANSMIT-pe@0x55b14dceb378 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55b14dceb378 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55b14dce3458 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.23 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #1 and saving MD | #1 is busy; has a suspended MD | #1 spent 0.116 milliseconds in process_packet_tail() | stop processing: from 192.1.2.23:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "nss-cert" from 192.1.2.23 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.256 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 1 resuming | crypto helper 1 starting work-order 1 for state #1 | crypto helper 1 doing build KE and nonce (outI2 KE); request ID 1 | crypto helper 1 finished build KE and nonce (outI2 KE); request ID 1 time elapsed 0.000925 seconds | (#1) spent 0.932 milliseconds in crypto helper computing work-order 1: outI2 KE (pcr) | crypto helper 1 sending results from work-order 1 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f668c002888 size 128 | crypto helper 1 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "nss-cert" from 192.1.2.23 (in resume_handler() at server.c:797) | crypto helper 1 replies to request ID 1 | calling continuation function 0x55b14bf48b50 | main_inR1_outI2_continue for #1: calculated ke+nonce, sending I2 | **emit ISAKMP Message: | initiator cookie: | f2 0e e9 e8 8b aa e4 0b | responder cookie: | 20 89 2c a1 61 82 f0 e2 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value 38 a5 21 f9 0d 0c ee ec 41 66 54 0f 16 ab 4e c4 | keyex value 6f ec 20 da 3e 0e a2 67 71 64 96 b2 27 52 13 8c | keyex value 49 9c 80 99 03 13 25 b3 20 6f 56 7b 91 bb c9 64 | keyex value 81 27 c3 ff a6 66 44 68 28 ba 85 75 f5 d1 d8 a1 | keyex value ed 08 43 b9 10 d3 06 95 3f ca 12 63 b1 fd ff 5e | keyex value 44 a0 4d 3c 72 f6 08 d3 12 c4 42 89 af 2c c6 13 | keyex value 20 13 7a ee 02 58 5d 65 c2 a7 41 b4 f2 44 ad 7b | keyex value ce 2b 48 ef 20 72 86 85 71 20 95 6f 4c a6 81 6a | keyex value 7a 51 63 71 ea 80 bd 1d e1 73 f6 65 45 82 60 16 | keyex value e5 7a 42 13 e3 a4 7b 58 00 d5 48 1e 53 16 f9 f5 | keyex value 74 3a c5 24 30 c3 26 cc b2 6d 58 5f cd 68 12 4b | keyex value 19 29 62 8e 00 ea 60 42 1c ec 1f 4e 77 7f 88 33 | keyex value 1d 68 b7 9c 96 85 b9 0f b2 f7 da 71 df 3a f3 c5 | keyex value 5f 52 34 d9 18 98 76 a5 49 0b a1 05 1e de 2f 59 | keyex value 5d a0 92 7b 34 4f df 25 50 74 88 84 dd 17 f0 db | keyex value 26 73 97 7e fc 71 df fa bf 9f 95 0c cc 83 7f 22 | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Ni into ISAKMP Nonce Payload | Ni 12 a4 76 1b 3f e2 55 a1 e9 3d f3 14 d3 bd ae 2a | Ni 74 71 4c 12 11 37 53 0e 39 b6 ad 2a aa 74 90 6a | emitting length of ISAKMP Nonce Payload: 36 | NAT-T checking st_nat_traversal | NAT-T found (implies NAT_T_WITH_NATD) | sending NAT-D payloads | natd_hash: hasher=0x55b14c01dca0(32) | natd_hash: icookie= f2 0e e9 e8 8b aa e4 0b | natd_hash: rcookie= 20 89 2c a1 61 82 f0 e2 | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= 94 2d 82 3f 3a f8 68 1c 3d 86 00 e7 40 6f c3 70 | natd_hash: hash= c0 42 08 e0 f5 08 f8 b8 17 de 24 21 bd ac e8 32 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | next payload chain: ignoring supplied 'ISAKMP NAT-D Payload'.'next payload type' value 20:ISAKMP_NEXT_NATD_RFC | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 94 2d 82 3f 3a f8 68 1c 3d 86 00 e7 40 6f c3 70 | NAT-D c0 42 08 e0 f5 08 f8 b8 17 de 24 21 bd ac e8 32 | emitting length of ISAKMP NAT-D Payload: 36 | natd_hash: hasher=0x55b14c01dca0(32) | natd_hash: icookie= f2 0e e9 e8 8b aa e4 0b | natd_hash: rcookie= 20 89 2c a1 61 82 f0 e2 | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= 86 cb a7 5e 82 22 dc 86 30 da 1e 43 c6 b5 59 4e | natd_hash: hash= 74 6d a1 e3 42 4e ca 35 71 23 1c 00 f5 c1 1d 01 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP NAT-D Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 86 cb a7 5e 82 22 dc 86 30 da 1e 43 c6 b5 59 4e | NAT-D 74 6d a1 e3 42 4e ca 35 71 23 1c 00 f5 c1 1d 01 | emitting length of ISAKMP NAT-D Payload: 36 | no IKEv1 message padding required | emitting length of ISAKMP Message: 396 | State DB: re-hashing IKEv1 state #1 IKE SPIi and SPI[ir] | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.23 (in complete_v1_state_transition() at ikev1.c:2673) | #1 is idle | doing_xauth:no, t_xauth_client_done:no | peer supports fragmentation | peer supports DPD | IKEv1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2 | parent state #1: MAIN_I1(half-open IKE SA) => MAIN_I2(open IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55b14dce3458 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55b14dceb378 | sending reply packet to 192.1.2.23:500 (from 192.1.2.45:500) | sending 396 bytes for STATE_MAIN_I1 through eth1 from 192.1.2.45:500 to 192.1.2.23:500 (using #1) | f2 0e e9 e8 8b aa e4 0b 20 89 2c a1 61 82 f0 e2 | 04 10 02 00 00 00 00 00 00 00 01 8c 0a 00 01 04 | 38 a5 21 f9 0d 0c ee ec 41 66 54 0f 16 ab 4e c4 | 6f ec 20 da 3e 0e a2 67 71 64 96 b2 27 52 13 8c | 49 9c 80 99 03 13 25 b3 20 6f 56 7b 91 bb c9 64 | 81 27 c3 ff a6 66 44 68 28 ba 85 75 f5 d1 d8 a1 | ed 08 43 b9 10 d3 06 95 3f ca 12 63 b1 fd ff 5e | 44 a0 4d 3c 72 f6 08 d3 12 c4 42 89 af 2c c6 13 | 20 13 7a ee 02 58 5d 65 c2 a7 41 b4 f2 44 ad 7b | ce 2b 48 ef 20 72 86 85 71 20 95 6f 4c a6 81 6a | 7a 51 63 71 ea 80 bd 1d e1 73 f6 65 45 82 60 16 | e5 7a 42 13 e3 a4 7b 58 00 d5 48 1e 53 16 f9 f5 | 74 3a c5 24 30 c3 26 cc b2 6d 58 5f cd 68 12 4b | 19 29 62 8e 00 ea 60 42 1c ec 1f 4e 77 7f 88 33 | 1d 68 b7 9c 96 85 b9 0f b2 f7 da 71 df 3a f3 c5 | 5f 52 34 d9 18 98 76 a5 49 0b a1 05 1e de 2f 59 | 5d a0 92 7b 34 4f df 25 50 74 88 84 dd 17 f0 db | 26 73 97 7e fc 71 df fa bf 9f 95 0c cc 83 7f 22 | 14 00 00 24 12 a4 76 1b 3f e2 55 a1 e9 3d f3 14 | d3 bd ae 2a 74 71 4c 12 11 37 53 0e 39 b6 ad 2a | aa 74 90 6a 14 00 00 24 94 2d 82 3f 3a f8 68 1c | 3d 86 00 e7 40 6f c3 70 c0 42 08 e0 f5 08 f8 b8 | 17 de 24 21 bd ac e8 32 00 00 00 24 86 cb a7 5e | 82 22 dc 86 30 da 1e 43 c6 b5 59 4e 74 6d a1 e3 | 42 4e ca 35 71 23 1c 00 f5 c1 1d 01 | !event_already_set at reschedule "nss-cert" #1: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds | event_schedule: new EVENT_RETRANSMIT-pe@0x55b14dceb378 | inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55b14dce7b58 size 128 | #1 STATE_MAIN_I2: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29928.77016 "nss-cert" #1: STATE_MAIN_I2: sent MI2, expecting MR2 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.314 milliseconds in resume sending helper answer | stop processing: state #1 connection "nss-cert" from 192.1.2.23 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f668c002888 | spent 0.00321 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 396 bytes from 192.1.2.23:500 on eth1 (192.1.2.45:500) | f2 0e e9 e8 8b aa e4 0b 20 89 2c a1 61 82 f0 e2 | 04 10 02 00 00 00 00 00 00 00 01 8c 0a 00 01 04 | dd 22 ea 75 6b 0d d6 b1 0d eb bf 70 b9 16 44 0c | 39 01 ed 43 ed 67 83 b7 4f d6 91 c3 a9 7f 02 72 | 4b ba 1e e1 26 bf 7a 6b 39 53 f8 9c de 82 dc 8e | 86 8e b2 c6 9b 01 30 91 79 94 7f 0d 11 5e 58 fc | 87 bf 3d 36 d3 a4 1e 01 57 2a f0 59 b5 a6 1b b6 | 8e c6 c8 de 92 fc 2b b6 f4 77 e3 0e 91 b2 fc e8 | c3 ac 37 36 71 0f b7 5e 0a 6f 36 f8 b2 eb 51 8a | 98 79 04 15 8d 56 8a fa d9 bf f5 6f 12 03 6c 14 | b0 76 06 d5 39 97 50 f6 13 00 9d 0c 83 62 d0 7e | b4 3a 28 e8 e4 64 97 af cb 4a 17 41 f0 72 d7 f6 | b6 55 4f de 3f ee a9 f0 33 70 12 8e b6 50 60 7a | ca 52 12 72 97 3e ea 3e 77 b4 28 a5 fe e4 79 6e | d7 cd cc 19 df 8f e8 4b 60 bf bf 99 d2 70 7b 69 | cf fa e7 a1 6c 00 6d 17 b7 97 8a 04 a0 87 b1 1d | 33 41 38 fb 81 4c 04 bb f5 fb ce f3 97 0f bf a9 | 15 a0 1d aa e8 df e1 09 ba 06 0d cb 16 f5 d0 f7 | 14 00 00 24 c5 24 b8 71 a8 c1 56 22 40 05 c6 e1 | cb 8c 64 2e 0f ba e0 c3 15 b4 36 d3 1e d4 28 47 | 08 51 ce 4d 14 00 00 24 86 cb a7 5e 82 22 dc 86 | 30 da 1e 43 c6 b5 59 4e 74 6d a1 e3 42 4e ca 35 | 71 23 1c 00 f5 c1 1d 01 00 00 00 24 94 2d 82 3f | 3a f8 68 1c 3d 86 00 e7 40 6f c3 70 c0 42 08 e0 | f5 08 f8 b8 17 de 24 21 bd ac e8 32 | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | f2 0e e9 e8 8b aa e4 0b | responder cookie: | 20 89 2c a1 61 82 f0 e2 | next payload type: ISAKMP_NEXT_KE (0x4) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 396 (0x18c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_I2 (find_state_ikev1) | start processing: state #1 connection "nss-cert" from 192.1.2.23 (in process_v1_packet() at ikev1.c:1459) | #1 is idle | #1 idle | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 260 (0x104) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | message 'main_inR2_outI3' HASH payload not checked early | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-both.testing.libreswan.org, E=user-usage-both@testing.libreswan.org->%fromcert of kind PKK_PSK | actually looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-both.testing.libreswan.org, E=user-usage-both@testing.libreswan.org->%fromcert of kind PKK_PSK | line 0: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-both.testing.libreswan.org, E=user-usage-both@testing.libreswan.org) to type PKK_RSA | line 1: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-both.testing.libreswan.org, E=user-usage-both@testing.libreswan.org) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding aggr outR1 DH work-order 2 for state #1 | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_MAIN_I2: retransmits: cleared | libevent_free: release ptr-libevent@0x55b14dce7b58 | free_event_entry: release EVENT_RETRANSMIT-pe@0x55b14dceb378 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55b14dceb378 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x7f668c002888 size 128 | crypto helper 2 resuming | crypto helper 2 starting work-order 2 for state #1 | crypto helper 2 doing compute dh+iv (V1 Phase 1) (aggr outR1 DH); request ID 2 | crypto helper 2 finished compute dh+iv (V1 Phase 1) (aggr outR1 DH); request ID 2 time elapsed 0.001135 seconds | (#1) spent 1.14 milliseconds in crypto helper computing work-order 2: aggr outR1 DH (pcr) | crypto helper 2 sending results from work-order 2 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f6684000f48 size 128 | crypto helper 2 waiting (nothing to do) | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.23 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #1 and saving MD | #1 is busy; has a suspended MD | #1 spent 0.0679 milliseconds in process_packet_tail() | stop processing: from 192.1.2.23:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "nss-cert" from 192.1.2.23 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.209 milliseconds in comm_handle_cb() reading and processing packet | processing resume sending helper answer for #1 | start processing: state #1 connection "nss-cert" from 192.1.2.23 (in resume_handler() at server.c:797) | crypto helper 2 replies to request ID 2 | calling continuation function 0x55b14bf48b50 | main_inR2_outI3_cryptotail for #1: calculated DH, sending R1 | **emit ISAKMP Message: | initiator cookie: | f2 0e e9 e8 8b aa e4 0b | responder cookie: | 20 89 2c a1 61 82 f0 e2 | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 5:ISAKMP_NEXT_ID | thinking about whether to send my certificate: | I have RSA key: OAKLEY_RSA_SIG cert.type: CERT_X509_SIGNATURE | sendcert: CERT_ALWAYSSEND and I did not get a certificate request | so send cert. | I am sending a certificate request | I will NOT send an initial contact payload | init checking NAT-T: enabled; RFC 3947 (NAT-Traversal) | natd_hash: hasher=0x55b14c01dca0(32) | natd_hash: icookie= f2 0e e9 e8 8b aa e4 0b | natd_hash: rcookie= 20 89 2c a1 61 82 f0 e2 | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= 86 cb a7 5e 82 22 dc 86 30 da 1e 43 c6 b5 59 4e | natd_hash: hash= 74 6d a1 e3 42 4e ca 35 71 23 1c 00 f5 c1 1d 01 | natd_hash: hasher=0x55b14c01dca0(32) | natd_hash: icookie= f2 0e e9 e8 8b aa e4 0b | natd_hash: rcookie= 20 89 2c a1 61 82 f0 e2 | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= 94 2d 82 3f 3a f8 68 1c 3d 86 00 e7 40 6f c3 70 | natd_hash: hash= c0 42 08 e0 f5 08 f8 b8 17 de 24 21 bd ac e8 32 | expected NAT-D(me): 86 cb a7 5e 82 22 dc 86 30 da 1e 43 c6 b5 59 4e | expected NAT-D(me): 74 6d a1 e3 42 4e ca 35 71 23 1c 00 f5 c1 1d 01 | expected NAT-D(him): | 94 2d 82 3f 3a f8 68 1c 3d 86 00 e7 40 6f c3 70 | c0 42 08 e0 f5 08 f8 b8 17 de 24 21 bd ac e8 32 | received NAT-D: 86 cb a7 5e 82 22 dc 86 30 da 1e 43 c6 b5 59 4e | received NAT-D: 74 6d a1 e3 42 4e ca 35 71 23 1c 00 f5 c1 1d 01 | received NAT-D: 94 2d 82 3f 3a f8 68 1c 3d 86 00 e7 40 6f c3 70 | received NAT-D: c0 42 08 e0 f5 08 f8 b8 17 de 24 21 bd ac e8 32 | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.23 | NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected | NAT_T_WITH_KA detected | global one-shot timer EVENT_NAT_T_KEEPALIVE scheduled in 20 seconds | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_CERT (0x6) | ID type: ID_DER_ASN1_DN (0x9) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 6:ISAKMP_NEXT_CERT | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 195 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI) | my identity 30 81 c0 31 0b 30 09 06 03 55 04 06 13 02 43 41 | my identity 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | my identity 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | my identity 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | my identity 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | my identity 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | my identity 6e 74 31 29 30 27 06 03 55 04 03 0c 20 75 73 61 | my identity 67 65 2d 62 6f 74 68 2e 74 65 73 74 69 6e 67 2e | my identity 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 31 34 30 | my identity 32 06 09 2a 86 48 86 f7 0d 01 09 01 16 25 75 73 | my identity 65 72 2d 75 73 61 67 65 2d 62 6f 74 68 40 74 65 | my identity 73 74 69 6e 67 2e 6c 69 62 72 65 73 77 61 6e 2e | my identity 6f 72 67 | emitting length of ISAKMP Identification Payload (IPsec DOI): 203 "nss-cert" #1: I am sending my cert | ***emit ISAKMP Certificate Payload: | next payload type: ISAKMP_NEXT_CR (0x7) | cert encoding: CERT_X509_SIGNATURE (0x4) | next payload chain: ignoring supplied 'ISAKMP Certificate Payload'.'next payload type' value 7:ISAKMP_NEXT_CR | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Certificate Payload (6:ISAKMP_NEXT_CERT) | next payload chain: saving location 'ISAKMP Certificate Payload'.'next payload type' in 'reply packet' | emitting 1242 raw bytes of CERT into ISAKMP Certificate Payload | CERT 30 82 04 d6 30 82 04 3f a0 03 02 01 02 02 01 2d | CERT 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 | CERT 81 ac 31 0b 30 09 06 03 55 04 06 13 02 43 41 31 | CERT 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 69 | CERT 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 6f | CERT 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c 69 | CERT 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 0b | CERT 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 6e | CERT 74 31 25 30 23 06 03 55 04 03 0c 1c 4c 69 62 72 | CERT 65 73 77 61 6e 20 74 65 73 74 20 43 41 20 66 6f | CERT 72 20 6d 61 69 6e 63 61 31 24 30 22 06 09 2a 86 | CERT 48 86 f7 0d 01 09 01 16 15 74 65 73 74 69 6e 67 | CERT 40 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 30 22 | CERT 18 0f 32 30 31 39 30 38 32 34 30 39 30 37 35 33 | CERT 5a 18 0f 32 30 32 32 30 38 32 33 30 39 30 37 35 | CERT 33 5a 30 81 c0 31 0b 30 09 06 03 55 04 06 13 02 | CERT 43 41 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 | CERT 61 72 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 | CERT 6f 72 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c | CERT 09 4c 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 | CERT 55 04 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 | CERT 6d 65 6e 74 31 29 30 27 06 03 55 04 03 0c 20 75 | CERT 73 61 67 65 2d 62 6f 74 68 2e 74 65 73 74 69 6e | CERT 67 2e 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 31 | CERT 34 30 32 06 09 2a 86 48 86 f7 0d 01 09 01 16 25 | CERT 75 73 65 72 2d 75 73 61 67 65 2d 62 6f 74 68 40 | CERT 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 77 61 | CERT 6e 2e 6f 72 67 30 82 01 a2 30 0d 06 09 2a 86 48 | CERT 86 f7 0d 01 01 01 05 00 03 82 01 8f 00 30 82 01 | CERT 8a 02 82 01 81 00 fb 0c 38 12 b3 e0 b1 77 4d 8d | CERT 52 e9 9f 45 93 6c ff f3 af 25 bf 3a de f1 e8 85 | CERT 37 a7 cc 82 ee 08 96 d8 1e 0b 8e a9 d9 82 17 bd | CERT 8b ae da 26 d8 de 87 a1 3d 69 2b e2 59 a8 ac 6d | CERT 17 d6 d9 ef 43 c7 74 85 ae a0 5f 10 88 40 84 65 | CERT 8c 90 7c 1c 2a 53 d2 54 9c d5 f7 00 a9 d3 58 d0 | CERT a1 78 c6 96 81 aa 66 0f 70 c6 d1 36 ef 58 9d 58 | CERT 16 73 fb 2c 00 69 05 16 53 a5 35 fa 28 e0 64 10 | CERT 60 3b d6 35 d9 c2 e0 4e 88 c2 ff 67 04 28 3e 84 | CERT 31 2c c7 d1 88 82 e4 ac 4e 96 eb 0f 2b 69 28 a6 | CERT 6c d9 23 a5 37 42 64 a8 36 36 15 7a 80 5d 7d 88 | CERT b6 aa c6 3c 33 a4 e5 81 11 34 ce 60 a4 57 13 d4 | CERT 61 99 50 2d b0 b4 13 d5 1e 50 83 d0 cf 31 e2 1c | CERT 92 03 7b 8e 79 1f e5 23 d9 23 bf 7e 04 8b 65 9c | CERT 5e 33 37 24 83 54 9b 1a 31 62 46 1e c6 07 16 83 | CERT 9c 2a 42 3d 78 f0 c4 0a 54 6b 8c 09 af 18 fe fe | CERT 9a 60 30 0c f9 25 05 61 b6 3a af ec fc 0e 10 99 | CERT ec 68 da 12 49 9a 63 2f 3d af 7e 95 61 e5 7a 64 | CERT 2c a7 5a 1f 8b 6e 3c f4 c6 65 b5 0a eb bb ae 9b | CERT 84 8b 1a 7c 10 4a 0e 80 38 71 4f 8d 99 47 61 ce | CERT 33 7c ec ab e4 e6 42 a3 49 24 f2 eb 63 2b 2b d2 | CERT 21 c1 02 93 e3 f1 d9 47 7e 76 61 9e 36 8a 0f 9b | CERT 2e 25 34 4f f9 46 ed 42 43 fc cc e8 d2 1a 6c 18 | CERT 43 66 91 b5 4b a9 60 48 15 f9 3d cc e3 87 c6 3f | CERT d6 22 f0 11 43 91 02 03 01 00 01 a3 81 e9 30 81 | CERT e6 30 09 06 03 55 1d 13 04 02 30 00 30 2b 06 03 | CERT 55 1d 11 04 24 30 22 82 20 75 73 61 67 65 2d 62 | CERT 6f 74 68 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 | CERT 65 73 77 61 6e 2e 6f 72 67 30 0b 06 03 55 1d 0f | CERT 04 04 03 02 07 80 30 1d 06 03 55 1d 25 04 16 30 | CERT 14 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 | CERT 05 05 07 03 02 30 41 06 08 2b 06 01 05 05 07 01 | CERT 01 04 35 30 33 30 31 06 08 2b 06 01 05 05 07 30 | CERT 01 86 25 68 74 74 70 3a 2f 2f 6e 69 63 2e 74 65 | CERT 73 74 69 6e 67 2e 6c 69 62 72 65 73 77 61 6e 2e | CERT 6f 72 67 3a 32 35 36 30 30 3d 06 03 55 1d 1f 04 | CERT 36 30 34 30 32 a0 30 a0 2e 86 2c 68 74 74 70 3a | CERT 2f 2f 6e 69 63 2e 74 65 73 74 69 6e 67 2e 6c 69 | CERT 62 72 65 73 77 61 6e 2e 6f 72 67 2f 72 65 76 6f | CERT 6b 65 64 2e 63 72 6c 30 0d 06 09 2a 86 48 86 f7 | CERT 0d 01 01 0b 05 00 03 81 81 00 40 e1 06 20 0d a8 | CERT a5 48 3c a5 78 fa 49 5c 4e 04 e0 b7 16 17 db b9 | CERT 9c bb 56 6c 2c 10 e3 b0 ba 1a 70 b1 2f db 62 c2 | CERT b4 6d c9 a8 df 10 4a 76 95 51 99 8d 6d f9 3e c4 | CERT 20 52 91 a9 2e 8e 0f 5f 28 a0 d6 84 6a ca df 9d | CERT 3b c1 f7 3f a8 27 ea 76 6b 6e 4f 55 27 12 86 6b | CERT 4d 49 b9 87 e9 85 76 af 1f 1d 27 93 8d 56 c1 11 | CERT ea f1 bc f1 2f 37 bb 87 1a 69 2a 10 22 10 56 69 | CERT 9c 57 a5 77 69 b8 db 06 a9 17 | emitting length of ISAKMP Certificate Payload: 1247 "nss-cert" #1: I am sending a certificate request | ***emit ISAKMP Certificate RequestPayload: | next payload type: ISAKMP_NEXT_SIG (0x9) | cert type: CERT_X509_SIGNATURE (0x4) | next payload chain: ignoring supplied 'ISAKMP Certificate RequestPayload'.'next payload type' value 9:ISAKMP_NEXT_SIG | next payload chain: setting previous 'ISAKMP Certificate Payload'.'next payload type' to current ISAKMP Certificate RequestPayload (7:ISAKMP_NEXT_CR) | next payload chain: saving location 'ISAKMP Certificate RequestPayload'.'next payload type' in 'reply packet' | emitting length of ISAKMP Certificate RequestPayload: 5 | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-both.testing.libreswan.org, E=user-usage-both@testing.libreswan.org->%fromcert of kind PKK_RSA | searching for certificate PKK_RSA:AwEAAfsMO vs PKK_RSA:AwEAAfsMO | ***emit ISAKMP Signature Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Certificate RequestPayload'.'next payload type' to current ISAKMP Signature Payload (9:ISAKMP_NEXT_SIG) | next payload chain: saving location 'ISAKMP Signature Payload'.'next payload type' in 'reply packet' | emitting 384 raw bytes of SIG_I into ISAKMP Signature Payload | SIG_I 64 42 c5 29 44 01 26 23 e0 5a 96 cf d8 be c9 9f | SIG_I e6 17 61 db dc 7e db 4f 79 a6 b2 b4 6c ad 5b 2c | SIG_I 27 e0 1d 38 b2 db b4 e9 4f 59 8d 68 98 eb d2 9d | SIG_I 7a d7 2e fd 25 b8 b6 8b 85 07 07 05 e5 15 c3 cd | SIG_I 5c 66 70 be 06 e8 c6 59 61 9f 96 2e 3e 66 79 c1 | SIG_I e9 c1 b7 37 c4 de 49 92 e5 29 5b c2 16 81 83 b2 | SIG_I ca 93 8e 61 8d 20 0c 71 30 f8 6c 93 ed e6 08 fa | SIG_I e4 ce 89 63 cb 61 7a 45 74 3f c0 b4 5f 00 cf b7 | SIG_I 77 08 db 3c b8 9e cf d3 33 f0 3f 22 b0 f6 e7 01 | SIG_I 8e 45 86 15 c9 fb f0 f3 35 8c 47 00 d9 75 7a 03 | SIG_I 9c 97 c1 67 ab 5b 0c 25 f4 5e 85 84 8c af 1f 5a | SIG_I 30 e8 38 0f 98 f0 19 2a a2 1a 01 8f 54 3b 16 24 | SIG_I 23 90 0b eb de 39 44 d3 85 a5 29 d1 98 a5 6d 10 | SIG_I ca ff d7 82 cc 7a b6 03 b5 90 01 76 30 aa 8b b0 | SIG_I 39 ce c0 0b 84 5d 7a 62 35 8c c9 15 68 20 95 c6 | SIG_I 5d 22 c2 61 b2 0b fe ea d9 f4 31 54 de 5b 94 6b | SIG_I fc 05 7c 3b 3e 24 91 dd 53 6d 6a 32 74 e7 ad c5 | SIG_I a1 b7 b7 52 6a 38 d0 c2 96 bb b8 a7 fe 72 48 52 | SIG_I 0d 97 c2 b4 ad 69 3e be a7 d7 5c fc e2 25 01 3a | SIG_I 47 13 e8 d0 ed 66 a6 e2 7e f1 00 68 f1 1b 10 f7 | SIG_I d6 ec 7a d2 f7 65 7a 17 00 30 5a 43 0b 71 36 13 | SIG_I b1 70 f7 39 88 07 f0 71 30 2d 37 ff fd ac e7 21 | SIG_I b3 df 19 b6 5e 07 89 21 0c a5 38 65 0f 99 72 31 | SIG_I 70 ae f7 d8 6b 56 55 0a 05 8d 1d 09 a5 d8 98 22 | emitting length of ISAKMP Signature Payload: 388 | Not sending INITIAL_CONTACT | emitting 13 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 1884 | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.23 (in complete_v1_state_transition() at ikev1.c:2673) | #1 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3 | parent state #1: MAIN_I2(open IKE SA) => MAIN_I3(open IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7f668c002888 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55b14dceb378 | sending reply packet to 192.1.2.23:500 (from 192.1.2.45:500) | sending 1884 bytes for STATE_MAIN_I2 through eth1 from 192.1.2.45:500 to 192.1.2.23:500 (using #1) | f2 0e e9 e8 8b aa e4 0b 20 89 2c a1 61 82 f0 e2 | 05 10 02 01 00 00 00 00 00 00 07 5c a1 0a b3 e8 | 31 90 3a 58 07 9c 6c 74 2c 07 7e e5 8e 59 b3 df | aa 88 74 7f 9e a6 47 95 84 1b d2 f9 6b cf 9c e2 | a3 cc 5e 69 dd 27 09 26 e4 70 e2 a6 d0 ea 3b 46 | 07 75 3f a3 3e f0 60 92 79 55 1f 39 69 aa 6f 40 | d9 4b ea 5d 52 70 f3 29 6c a9 09 50 43 ba 1d e8 | ac 57 c5 f9 db bd 4c b9 76 47 86 c3 c0 55 b0 d8 | b2 97 b7 2c b4 79 ce 09 65 ae ce 7a 72 66 fa 7f | 92 c5 5d fd 1d 80 bb 9a 7c 9c 84 09 a8 56 11 0b | 31 7c 99 53 4e 15 10 a1 5f ee f4 23 dc 3a 9f 8d | 7f fd b6 7b fe 9e 2b f7 b9 f0 2f e9 5d 0c 50 8c | 8e 27 cf 32 99 03 e1 df 21 5f 4f 7a e2 35 79 e8 | a7 96 1f eb 45 4f a9 76 5e 3a 3c 3f 86 42 9d 4c | 19 94 ac dd 88 7f d8 2e 31 71 b1 ec 39 51 5e ed | 7d c3 20 91 5d 83 4c 4e bb bf 12 3f fd 47 59 ba | 69 a0 76 a6 65 7a de f8 75 65 80 27 66 b1 f1 ea | 91 80 e8 2d 41 dd a0 bc 30 21 a4 0f 03 71 09 66 | 92 0f c7 d2 63 f7 ac 96 6a 68 82 a1 ce 81 5d 21 | c8 11 a8 ed fa c9 3e ed 2a 24 5a 29 f8 1f ca 95 | 55 20 94 82 f0 55 ac 97 87 45 fc 08 3b 71 8d 67 | 72 2f a2 ae 31 c4 08 d2 d8 bf 2a ca 2f e2 a1 94 | 41 ea f3 ca 21 97 5f df 32 51 00 be 2f b4 a3 ac | 0d 12 b6 a7 d5 1b da 5f 5f e9 84 23 e0 d7 e0 41 | 17 16 6e 86 d2 0b 49 26 8a d8 6d 92 00 0a 44 4d | c7 f0 49 2a b4 3f f9 88 0c bf 07 11 7d 87 d0 db | 79 cf cd 6a 17 1d cd a6 30 40 20 ab 89 02 69 20 | 01 1c 07 5a 69 b9 28 82 56 b5 2d 7f ab 51 b7 ac | 5a 67 95 cb da 67 8d 4a a0 68 e2 0d 4f a4 92 2a | 65 6e 14 4c 19 1a 09 4e 6e c9 67 8a 09 58 2c 78 | 33 6a da 8a 51 9c 31 58 2e 49 c8 73 59 5e 15 49 | 39 bc 88 c6 cc f5 f4 fe fe cd 0c 49 6f 06 9c e9 | 15 0c ce 41 f1 e2 4c f6 7a 7a 28 ae 38 19 41 3f | d2 83 a8 e8 92 07 7e 69 eb cd 1d 0d 74 76 82 19 | 11 34 27 3e 58 22 fc 9e 4a 94 49 4a a2 32 0b 48 | 11 2a 73 21 bc f2 59 ad 82 ce 24 36 3b 6e 4e b5 | 39 d4 45 4d 72 a6 63 72 60 6c b5 f1 1d a3 94 a4 | c8 5d b9 b8 c1 3d 5d af 6b fe 6b 43 ad eb 03 4c | 20 5d a1 57 87 41 30 bd 2b 37 04 5f 75 c5 61 56 | e8 ef ce 4f 11 85 53 57 7e fa 47 28 c3 c7 72 77 | 4c c9 dd 93 10 85 f3 a1 63 54 49 ca 72 72 d2 25 | 0c 56 0a 41 39 3d af 44 5e 46 bd 75 30 3f 0b 75 | de b7 09 ce 92 4e cf 12 30 ab cf 60 1d 44 9d fc | 05 25 e9 ed 1b 2c 1e ee 05 1e 5d 1f e3 6f 40 79 | 64 2b 49 b3 1f 61 84 7c c6 a3 9d 07 f0 86 26 4d | 79 c4 45 b4 c2 0e 97 be 2f d3 3d 46 34 d3 6b 3d | 3d 87 e7 93 0b a3 bc 8b b3 42 4e 5a fa 42 a2 06 | 5a b7 91 c8 e6 cb ab ba 4a 38 8d ae bb f3 75 86 | 4a 02 84 77 70 14 e4 87 99 89 ae d6 48 a5 70 de | 4b 92 67 fe 9d c5 cc a5 1b 0a c3 d1 75 c3 02 d9 | 7e 29 4c 2f 16 b0 3c 3a d3 e4 47 97 44 da b2 8f | 28 42 08 69 0f 53 ab 38 39 c0 c3 d8 8f c5 aa 79 | c5 ff 2e 31 c6 f9 2c d1 d6 7d 6e d3 bd 3d 99 25 | 2f a7 2b ea 47 2f 5a c4 e8 39 33 f1 28 b8 a0 59 | 18 40 d8 f1 dc 0f 22 f8 a1 37 4f 5b 34 8d a1 23 | 0f 9e 95 0c 84 b0 29 ca 48 c3 df 31 09 a0 7c 01 | 9d 6c f3 cc 7d 6d 39 9a 88 89 8b 93 e3 a6 b8 4a | 32 84 9a ee 9f ca 49 50 da 3f 14 f5 e4 82 49 c5 | a5 6c 96 00 84 c8 78 98 b7 35 38 4c 1a b1 3b 10 | cd 01 34 cb f8 75 13 4e 92 1a 23 1a aa ca 33 4f | 71 85 37 03 72 3b 77 e0 f0 e7 b0 1a 79 ec d0 33 | ea 0f 3b 87 48 64 d0 57 1b 85 15 ce b6 ac df 6f | 5c 1d 49 93 51 bb ed ef e1 24 40 6e c3 e0 c5 c8 | e5 de a6 9b 05 a2 4f 01 e7 0c 50 67 45 35 ed 75 | e1 84 fe 16 4d 04 31 0a 9a 36 e8 6c c3 7f 45 d3 | 8a 50 9f 19 b5 cf 33 0e 39 aa 05 be 42 72 f7 53 | 8d dd e3 8c 16 5f ee ef 5d 7e a0 dd a3 94 3a 1b | 96 e3 55 d3 4d f3 18 01 9c 48 a9 f0 85 82 f6 dd | d0 e3 c9 5f 3d 64 9d 9c 9c c4 ac f6 8c ea ef c6 | 10 ac 67 4d 07 f0 b2 73 84 b6 31 09 9b 77 53 71 | 49 98 36 ef a8 3a b6 9b ed 6d 44 06 29 6e 7a c1 | db a2 43 9c c1 87 0b 37 34 6c 33 3b d5 78 e8 40 | b6 fe b9 f5 ae fd f4 a5 ec 3c 1b 55 9d f5 e7 5f | 9d ae db f9 ca 04 50 87 9e 49 b1 58 25 3f ca f5 | 17 23 f7 3b d6 d9 10 8d 24 b2 59 4c f6 6a 3b 77 | 3a 74 d5 22 0f 65 dd aa 4d 16 30 b1 0f 9e 97 8a | de b4 74 5a 4a 6c 05 78 a2 a3 3c 10 6a 54 75 f8 | ef 3a 5c 80 62 f8 7c c2 00 84 a1 1e e8 ab 44 f6 | 1d b0 6f d7 05 71 60 48 fa a6 af 81 1e 5f f8 19 | ba cf 70 53 d7 fd d3 5f 12 c8 9f 25 87 d8 c3 39 | 91 ff 39 c0 88 5d b9 45 b1 21 e1 b2 e9 a3 68 6e | 67 9a a1 b5 f7 83 4c 24 df 49 f0 4e e9 3a 74 9c | 42 50 37 7c 9e 51 0d d1 91 3c f0 b3 62 63 3d 03 | af 14 6e 05 36 d9 27 2d 2a 17 9e 31 17 9f 38 0a | e7 f8 b5 18 4e f3 49 7a 3f 9b 78 63 a7 ba a0 39 | 09 d6 eb 5f b3 55 64 32 86 9b ff ef e5 73 d5 99 | 3f 30 49 3d 72 fc 3a 0f 53 5c 0c cb 81 54 a9 43 | 22 57 12 89 78 07 81 b0 b5 e6 0c a8 60 db 49 86 | 09 b9 a6 da e8 68 b3 6b 2b 81 bc 2e 51 e3 5b 48 | c7 aa 77 5f 13 46 d5 65 6a 9e cf 18 24 e7 c5 b7 | 37 2a 32 08 f8 0b c4 cc 39 9f 52 81 15 1d b6 c4 | f0 52 be 6b 4e 3e 71 c0 00 a4 dd 50 53 69 b9 3f | 07 fa 27 12 65 3f dd 06 df d6 e3 bf 7c 55 b0 ea | 3f 57 90 db 58 63 e8 1c 84 db 72 d4 28 ee 9d 09 | bd e7 43 96 83 0f b2 8c 91 8e af 2d d0 be 5d 11 | d8 ce 03 b0 3d 83 6e 70 6e 2f 46 b2 86 85 bf cf | f2 01 7d 25 27 8f 90 64 f1 ff 43 db b8 02 33 8a | a6 da 22 ee 16 91 16 24 51 69 e0 de bd fc 81 2b | 3e 46 8b 0d ac 3b da 6e d7 60 5b 05 3e ee c3 ef | 27 ba c6 68 89 02 4d 4d 3c 7b 9b 82 e7 d8 b3 1f | 3e f2 54 42 d8 bd b9 e0 d2 77 49 84 3b 2f 40 35 | 96 88 f3 89 b1 08 a2 f9 ae 17 76 14 10 3e cc ca | df ac 87 07 fd 93 04 55 6f 19 37 dc 75 0c 49 d8 | 4d b8 1f a7 2f 48 ce 69 53 3a aa ea be 3a f4 de | 63 5b 0a 25 5f 4d f4 ee 4c 3c 56 ff 22 64 04 bb | 0b 55 77 5a a2 df 6c 0b c6 83 e2 03 23 42 65 1c | 01 f3 2b c6 11 1e 48 b3 e4 ae db c0 1a 72 10 4f | df a2 0c 57 8e 2b 1b ba fe 1e 21 dc 59 1f fa 53 | 6e c2 27 1b 82 b2 49 49 67 48 3d c6 9f cf 43 1a | b6 5b 93 ee 84 c6 e9 27 33 01 eb 45 99 69 37 fe | f4 95 6f 6c 27 02 56 bd 63 6c bc 58 6e 21 19 45 | 7c 00 fd 2a 26 50 54 60 ba 73 ff ac 97 81 a8 a4 | 74 ff 40 b7 0b d8 49 ac dd c5 79 1b c8 47 a5 f7 | a0 3f 48 e3 ce 97 39 df c2 af d5 f1 f0 5c 6c 41 | b3 7d fc d7 c4 20 ac 0e e0 0f a9 7b d7 38 75 66 | 10 23 35 af 3f b6 00 b1 90 ca fd 92 e3 b8 f0 6d | 7c a5 2a 08 65 98 c1 42 5a a3 07 a9 a4 1a d9 15 | 81 87 3a f5 35 5c e1 f8 86 45 14 8e | !event_already_set at reschedule "nss-cert" #1: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds | event_schedule: new EVENT_RETRANSMIT-pe@0x55b14dceb378 | inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55b14dcea488 size 128 | #1 STATE_MAIN_I3: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29928.791458 "nss-cert" #1: STATE_MAIN_I3: sent MI3, expecting MR3 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 10.7 milliseconds in resume sending helper answer | stop processing: state #1 connection "nss-cert" from 192.1.2.23 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f6684000f48 | spent 0.00194 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 76 bytes from 192.1.2.23:500 on eth1 (192.1.2.45:500) | f2 0e e9 e8 8b aa e4 0b 20 89 2c a1 61 82 f0 e2 | 08 10 05 01 c8 ef ae de 00 00 00 4c 95 81 34 05 | 76 5b 7b cb a3 c1 75 e4 cb 6b 45 f4 76 66 bb e9 | 9d 05 78 dd 99 78 7f 8f 5a 42 a0 b6 94 83 cd d6 | ca c4 4b 4c ee 20 26 67 97 60 f9 fe | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | f2 0e e9 e8 8b aa e4 0b | responder cookie: | 20 89 2c a1 61 82 f0 e2 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3371151070 (0xc8efaede) | length: 76 (0x4c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5) | peer and cookies match on #1; msgid=00000000 st_msgid=00000000 st_msgid_phase15=00000000 | p15 state object #1 found, in STATE_MAIN_I3 | State DB: found IKEv1 state #1 in MAIN_I3 (find_v1_info_state) | start processing: state #1 connection "nss-cert" from 192.1.2.23 (in process_v1_packet() at ikev1.c:1479) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.23:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_N (0xb) | length: 36 (0x24) | got payload 0x800 (ISAKMP_NEXT_N) needed: 0x0 opt: 0x0 | ***parse ISAKMP Notification Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 12 (0xc) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 1 (0x1) | SPI size: 0 (0x0) | Notify Message Type: INVALID_ID_INFORMATION (0x12) | informational HASH(1): | fe be 6e 26 a4 29 b6 54 19 f3 25 71 c5 88 f4 bc | 46 47 64 76 f0 71 55 62 49 ef ce 0f 17 9f b1 2e | received 'informational' message HASH(1) data ok "nss-cert" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12 | ISAKMP Notification Payload | 00 00 00 0c 00 00 00 01 01 00 00 12 | info: | processing informational INVALID_ID_INFORMATION (18) "nss-cert" #1: received and ignored notification payload: INVALID_ID_INFORMATION | complete v1 state transition with STF_IGNORE | #1 spent 0.011 milliseconds in process_packet_tail() | stop processing: from 192.1.2.23:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "nss-cert" from 192.1.2.23 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.172 milliseconds in comm_handle_cb() reading and processing packet | processing global timer EVENT_SHUNT_SCAN | expiring aged bare shunts from shunt table | spent 0.00403 milliseconds in global timer EVENT_SHUNT_SCAN | processing global timer EVENT_NAT_T_KEEPALIVE | FOR_EACH_STATE_... in nat_traversal_ka_event (for_each_state) | start processing: state #1 connection "nss-cert" from 192.1.2.23 (in for_each_state() at state.c:1575) | not behind NAT: no NAT-T KEEP-ALIVE required for conn nss-cert | stop processing: state #1 connection "nss-cert" from 192.1.2.23 (in for_each_state() at state.c:1577) | spent 0.0183 milliseconds in global timer EVENT_NAT_T_KEEPALIVE