FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:16080 core dump dir: /run/pluto secrets file: /etc/ipsec.secrets leak-detective enabled NSS crypto [enabled] XAUTH PAM support [enabled] | libevent is using pluto's memory allocator Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | libevent_malloc: new ptr-libevent@0x55b5330824c8 size 40 | libevent_malloc: new ptr-libevent@0x55b533082448 size 40 | libevent_malloc: new ptr-libevent@0x55b5330823c8 size 40 | creating event base | libevent_malloc: new ptr-libevent@0x55b533073ff8 size 56 | libevent_malloc: new ptr-libevent@0x55b532ffddc8 size 664 | libevent_malloc: new ptr-libevent@0x55b5330bcae8 size 24 | libevent_malloc: new ptr-libevent@0x55b5330bcb38 size 384 | libevent_malloc: new ptr-libevent@0x55b5330bcaa8 size 16 | libevent_malloc: new ptr-libevent@0x55b533082348 size 40 | libevent_malloc: new ptr-libevent@0x55b5330822c8 size 48 | libevent_realloc: new ptr-libevent@0x55b532ffda58 size 256 | libevent_malloc: new ptr-libevent@0x55b5330bcce8 size 16 | libevent_free: release ptr-libevent@0x55b533073ff8 | libevent initialized | libevent_realloc: new ptr-libevent@0x55b533073ff8 size 64 | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized | global one-shot timer EVENT_FREE_ROOT_CERTS initialized | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds | global one-shot timer EVENT_REVIVE_CONNS initialized | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 | starting up helper thread 0 | status value returned by setting the priority of this thread (crypto helper 0) 22 | crypto helper 0 waiting (nothing to do) started thread for crypto helper 1 | starting up helper thread 1 | status value returned by setting the priority of this thread (crypto helper 1) 22 started thread for crypto helper 2 | starting up helper thread 2 | status value returned by setting the priority of this thread (crypto helper 2) 22 started thread for crypto helper 3 | starting up helper thread 3 | status value returned by setting the priority of this thread (crypto helper 3) 22 started thread for crypto helper 4 | starting up helper thread 4 | status value returned by setting the priority of this thread (crypto helper 4) 22 started thread for crypto helper 5 | starting up helper thread 5 | status value returned by setting the priority of this thread (crypto helper 5) 22 started thread for crypto helper 6 | starting up helper thread 6 | status value returned by setting the priority of this thread (crypto helper 6) 22 | checking IKEv1 state table | MAIN_R0: category: half-open IKE SA flags: 0: | -> MAIN_R1 EVENT_SO_DISCARD | MAIN_I1: category: half-open IKE SA flags: 0: | -> MAIN_I2 EVENT_RETRANSMIT | MAIN_R1: category: open IKE SA flags: 200: | -> MAIN_R2 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_I2: category: open IKE SA flags: 0: | -> MAIN_I3 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_R2: category: open IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | -> MAIN_R3 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_I3: category: open IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | -> MAIN_I4 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_R3: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | MAIN_I4: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | AGGR_R0: category: half-open IKE SA flags: 0: | -> AGGR_R1 EVENT_SO_DISCARD | AGGR_I1: category: half-open IKE SA flags: 0: | -> AGGR_I2 EVENT_SA_REPLACE | -> AGGR_I2 EVENT_SA_REPLACE | AGGR_R1: category: open IKE SA flags: 200: | -> AGGR_R2 EVENT_SA_REPLACE | -> AGGR_R2 EVENT_SA_REPLACE | AGGR_I2: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | AGGR_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | QUICK_R0: category: established CHILD SA flags: 0: | -> QUICK_R1 EVENT_RETRANSMIT | QUICK_I1: category: established CHILD SA flags: 0: | -> QUICK_I2 EVENT_SA_REPLACE | QUICK_R1: category: established CHILD SA flags: 0: | -> QUICK_R2 EVENT_SA_REPLACE | QUICK_I2: category: established CHILD SA flags: 200: | -> UNDEFINED EVENT_NULL | QUICK_R2: category: established CHILD SA flags: 0: | -> UNDEFINED EVENT_NULL | INFO: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | INFO_PROTECTED: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | XAUTH_R0: category: established IKE SA flags: 0: | -> XAUTH_R1 EVENT_NULL | XAUTH_R1: category: established IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | MODE_CFG_R0: category: informational flags: 0: | -> MODE_CFG_R1 EVENT_SA_REPLACE | MODE_CFG_R1: category: established IKE SA flags: 0: | -> MODE_CFG_R2 EVENT_SA_REPLACE | MODE_CFG_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | MODE_CFG_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | XAUTH_I0: category: established IKE SA flags: 0: | -> XAUTH_I1 EVENT_RETRANSMIT | XAUTH_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_RETRANSMIT | checking IKEv2 state table | PARENT_I0: category: ignore flags: 0: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) | PARENT_I1: category: half-open IKE SA flags: 0: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) | PARENT_I2: category: open IKE SA flags: 0: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) | PARENT_I3: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) | PARENT_R0: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) | PARENT_R1: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) | PARENT_R2: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) | V2_CREATE_I0: category: established IKE SA flags: 0: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) | V2_CREATE_I: category: established IKE SA flags: 0: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) | V2_REKEY_IKE_I: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: | V2_CREATE_R: category: established IKE SA flags: 0: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) | V2_REKEY_IKE_R: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: | V2_IPSEC_I: category: established CHILD SA flags: 0: | V2_IPSEC_R: category: established CHILD SA flags: 0: | IKESA_DEL: category: established IKE SA flags: 0: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) | CHILDSA_DEL: category: informational flags: 0: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | adding HMAC_SHA2_384_192 to kernel algorithm db | adding HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds | setup kernel fd callback | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55b53307c1e8 | libevent_malloc: new ptr-libevent@0x55b5330bb258 size 128 | libevent_malloc: new ptr-libevent@0x55b5330c22e8 size 16 | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55b5330c2278 | libevent_malloc: new ptr-libevent@0x55b533074ca8 size 128 | libevent_malloc: new ptr-libevent@0x55b5330c1f48 size 16 | global one-shot timer EVENT_CHECK_CRLS initialized selinux support is enabled. | crypto helper 1 waiting (nothing to do) | crypto helper 2 waiting (nothing to do) | crypto helper 3 waiting (nothing to do) | crypto helper 4 waiting (nothing to do) | crypto helper 5 waiting (nothing to do) | crypto helper 6 waiting (nothing to do) | unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | outgoing-port-avoid set 0-65535 | outgoing-port-permit set 32768-60999 | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55b5330c2718 | libevent_malloc: new ptr-libevent@0x55b5330ce5f8 size 128 | libevent_malloc: new ptr-libevent@0x55b5330d98e8 size 16 | libevent_realloc: new ptr-libevent@0x55b5330d9928 size 256 | libevent_malloc: new ptr-libevent@0x55b5330d9a58 size 8 | libevent_realloc: new ptr-libevent@0x55b5330d9a98 size 144 | libevent_malloc: new ptr-libevent@0x55b5330807b8 size 152 | libevent_malloc: new ptr-libevent@0x55b5330d9b58 size 16 | signal event handler PLUTO_SIGCHLD installed | libevent_malloc: new ptr-libevent@0x55b5330d9b98 size 8 | libevent_malloc: new ptr-libevent@0x55b532ffe488 size 152 | signal event handler PLUTO_SIGTERM installed | libevent_malloc: new ptr-libevent@0x55b5330d9bd8 size 8 | libevent_malloc: new ptr-libevent@0x55b5330d9c18 size 152 | signal event handler PLUTO_SIGHUP installed | libevent_malloc: new ptr-libevent@0x55b5330d9ce8 size 8 | libevent_realloc: release ptr-libevent@0x55b5330d9a98 | libevent_realloc: new ptr-libevent@0x55b5330d9d28 size 256 | libevent_malloc: new ptr-libevent@0x55b5330d9e58 size 152 | signal event handler PLUTO_SIGSYS installed | created addconn helper (pid:16428) using fork+execve | forked child 16428 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 Kernel supports NIC esp-hw-offload adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth1/eth1 192.1.2.23:4500 adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.0.2.254:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | no interfaces to sort | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | add_fd_read_event_handler: new ethX-pe@0x55b5330da438 | libevent_malloc: new ptr-libevent@0x55b5330ce548 size 128 | libevent_malloc: new ptr-libevent@0x55b5330da4a8 size 16 | setup callback for interface lo 127.0.0.1:4500 fd 22 | add_fd_read_event_handler: new ethX-pe@0x55b5330da4e8 | libevent_malloc: new ptr-libevent@0x55b533074d58 size 128 | libevent_malloc: new ptr-libevent@0x55b5330da558 size 16 | setup callback for interface lo 127.0.0.1:500 fd 21 | add_fd_read_event_handler: new ethX-pe@0x55b5330da598 | libevent_malloc: new ptr-libevent@0x55b533074678 size 128 | libevent_malloc: new ptr-libevent@0x55b5330da608 size 16 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | add_fd_read_event_handler: new ethX-pe@0x55b5330da648 | libevent_malloc: new ptr-libevent@0x55b53307bf38 size 128 | libevent_malloc: new ptr-libevent@0x55b5330da6b8 size 16 | setup callback for interface eth0 192.0.2.254:500 fd 19 | add_fd_read_event_handler: new ethX-pe@0x55b5330da6f8 | libevent_malloc: new ptr-libevent@0x55b53307c038 size 128 | libevent_malloc: new ptr-libevent@0x55b5330da768 size 16 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | add_fd_read_event_handler: new ethX-pe@0x55b5330da7a8 | libevent_malloc: new ptr-libevent@0x55b53307c138 size 128 | libevent_malloc: new ptr-libevent@0x55b5330da818 size 16 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.56 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 | no interfaces to sort | libevent_free: release ptr-libevent@0x55b5330ce548 | free_event_entry: release EVENT_NULL-pe@0x55b5330da438 | add_fd_read_event_handler: new ethX-pe@0x55b5330da438 | libevent_malloc: new ptr-libevent@0x55b5330ce548 size 128 | setup callback for interface lo 127.0.0.1:4500 fd 22 | libevent_free: release ptr-libevent@0x55b533074d58 | free_event_entry: release EVENT_NULL-pe@0x55b5330da4e8 | add_fd_read_event_handler: new ethX-pe@0x55b5330da4e8 | libevent_malloc: new ptr-libevent@0x55b533074d58 size 128 | setup callback for interface lo 127.0.0.1:500 fd 21 | libevent_free: release ptr-libevent@0x55b533074678 | free_event_entry: release EVENT_NULL-pe@0x55b5330da598 | add_fd_read_event_handler: new ethX-pe@0x55b5330da598 | libevent_malloc: new ptr-libevent@0x55b533074678 size 128 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | libevent_free: release ptr-libevent@0x55b53307bf38 | free_event_entry: release EVENT_NULL-pe@0x55b5330da648 | add_fd_read_event_handler: new ethX-pe@0x55b5330da648 | libevent_malloc: new ptr-libevent@0x55b53307bf38 size 128 | setup callback for interface eth0 192.0.2.254:500 fd 19 | libevent_free: release ptr-libevent@0x55b53307c038 | free_event_entry: release EVENT_NULL-pe@0x55b5330da6f8 | add_fd_read_event_handler: new ethX-pe@0x55b5330da6f8 | libevent_malloc: new ptr-libevent@0x55b53307c038 size 128 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | libevent_free: release ptr-libevent@0x55b53307c138 | free_event_entry: release EVENT_NULL-pe@0x55b5330da7a8 | add_fd_read_event_handler: new ethX-pe@0x55b5330da7a8 | libevent_malloc: new ptr-libevent@0x55b53307c138 size 128 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.331 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned pid 16428 (exited with status 0) | reaped addconn helper child (status 0) | waitpid returned ECHILD (no child processes left) | spent 0.0166 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection nss-cert with policy ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | No AUTH policy was set - defaulting to RSASIG | counting wild cards for %fromcert is 0 | setting ID to ID_DER_ASN1_DN: 'E=user-usage-server@testing.libreswan.org,CN=usage-server.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' | loading right certificate 'usage-server' pubkey | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55b5330dc918 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55b5330dc8c8 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55b5330dc878 | unreference key: 0x55b5330dc968 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org cnt 1-- | certs and keys locked by 'lsw_add_rsa_secret' | certs and keys unlocked by 'lsw_add_rsa_secret' | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org is 0 | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none | new hp@0x55b5330e1058 added connection description "nss-cert" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.0.2.254/32===192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org]...192.1.2.45<192.1.2.45>[%fromcert]===192.0.1.254/32 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 1.1 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... in show_states_status (sort_states) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.322 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | old debugging base+cpu-usage + none | base debugging = base+cpu-usage | old impairing none + suppress-retransmits | base impairing = suppress-retransmits | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0543 milliseconds in whack | spent 0.00324 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 792 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 98 1d 38 ad a2 46 7e 0f 00 00 00 00 00 00 00 00 | 01 10 02 00 00 00 00 00 00 00 03 18 0d 00 02 84 | 00 00 00 01 00 00 00 01 00 00 02 78 00 01 00 12 | 03 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 04 80 03 00 03 80 04 00 0e | 80 0e 01 00 03 00 00 24 01 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 04 80 03 00 03 | 80 04 00 0e 80 0e 00 80 03 00 00 24 02 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 06 | 80 03 00 03 80 04 00 0e 80 0e 01 00 03 00 00 24 | 03 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 06 80 03 00 03 80 04 00 0e 80 0e 00 80 | 03 00 00 24 04 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 02 80 03 00 03 80 04 00 0e | 80 0e 01 00 03 00 00 24 05 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 02 80 03 00 03 | 80 04 00 0e 80 0e 00 80 03 00 00 24 06 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 04 | 80 03 00 03 80 04 00 05 80 0e 01 00 03 00 00 24 | 07 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 04 80 03 00 03 80 04 00 05 80 0e 00 80 | 03 00 00 24 08 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 06 80 03 00 03 80 04 00 05 | 80 0e 01 00 03 00 00 24 09 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 06 80 03 00 03 | 80 04 00 05 80 0e 00 80 03 00 00 24 0a 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 02 | 80 03 00 03 80 04 00 05 80 0e 01 00 03 00 00 24 | 0b 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 02 80 03 00 03 80 04 00 05 80 0e 00 80 | 03 00 00 20 0c 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 04 80 03 00 03 80 04 00 0e | 03 00 00 20 0d 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 06 80 03 00 03 80 04 00 0e | 03 00 00 20 0e 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 00 03 80 04 00 0e | 03 00 00 20 0f 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 04 80 03 00 03 80 04 00 05 | 03 00 00 20 10 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 06 80 03 00 03 80 04 00 05 | 00 00 00 20 11 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 00 03 80 04 00 05 | 0d 00 00 14 40 48 b7 d5 6e bc e8 85 25 e7 de 7f | 00 d6 c2 d3 0d 00 00 14 af ca d7 13 68 a1 f1 c9 | 6b 86 96 fc 77 57 01 00 0d 00 00 14 4a 13 1c 81 | 07 03 58 45 5c 57 28 f2 0e 95 45 2f 0d 00 00 14 | 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 | 0d 00 00 14 90 cb 80 91 3e bb 69 6e 08 63 81 b5 | ec 42 7b 1f 00 00 00 14 cd 60 46 43 35 df 21 f8 | 7c fd b2 fc 68 b6 a4 48 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 98 1d 38 ad a2 46 7e 0f | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 792 (0x318) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: IKEv1 state not found (find_state_ikev1_init) | #null state always idle | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 644 (0x284) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 20 (0x14) | message 'main_inI1_outR1' HASH payload not checked early | received Vendor ID payload [FRAGMENTATION] | received Vendor ID payload [Dead Peer Detection] | quirks.qnat_traversal_vid set to=117 [RFC 3947] | received Vendor ID payload [RFC 3947] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | in statetime_start() with no state | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=IKEV1_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports | find_next_host_connection policy=IKEV1_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (nss-cert) | find_next_host_connection returns nss-cert | find_next_host_connection policy=IKEV1_ALLOW | find_next_host_connection returns empty | creating state object #1 at 0x55b5330e2838 | State DB: adding IKEv1 state #1 in UNDEFINED | pstats #1 ikev1.isakmp started | #1 updating local interface from to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in main_inI1_outR1() at ikev1_main.c:667) | parent state #1: UNDEFINED(ignore) => MAIN_R0(half-open IKE SA) | sender checking NAT-T: enabled; VID 117 | returning NAT-T method NAT_TRAVERSAL_METHOD_IETF_RFC | enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) "nss-cert" #1: responding to Main Mode | **emit ISAKMP Message: | initiator cookie: | 98 1d 38 ad a2 46 7e 0f | responder cookie: | c9 f5 7e a4 dc e2 10 44 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 1:ISAKMP_NEXT_SA | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 632 (0x278) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 18 (0x12) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | OAKLEY proposal verified unconditionally; no alg_info to check against | Oakley Transform 0 accepted | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | emitting 28 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP) | attributes 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 04 | attributes 80 03 00 03 80 04 00 0e 80 0e 01 00 | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | out_vid(): sending [FRAGMENTATION] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [Dead Peer Detection] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [RFC 3947] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | emitting length of ISAKMP Vendor ID Payload: 20 | no IKEv1 message padding required | emitting length of ISAKMP Message: 144 | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #1 is idle | doing_xauth:no, t_xauth_client_done:no | peer supports fragmentation | peer supports DPD | IKEv1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 | parent state #1: MAIN_R0(half-open IKE SA) => MAIN_R1(open IKE SA) | event_already_set, deleting event | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 144 bytes for STATE_MAIN_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 98 1d 38 ad a2 46 7e 0f c9 f5 7e a4 dc e2 10 44 | 01 10 02 00 00 00 00 00 00 00 00 90 0d 00 00 38 | 00 00 00 01 00 00 00 01 00 00 00 2c 00 01 00 01 | 00 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 04 80 03 00 03 80 04 00 0e | 80 0e 01 00 0d 00 00 14 40 48 b7 d5 6e bc e8 85 | 25 e7 de 7f 00 d6 c2 d3 0d 00 00 14 af ca d7 13 | 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 00 00 00 14 | 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | !event_already_set at reschedule | event_schedule: new EVENT_SO_DISCARD-pe@0x55b5330e05a8 | inserting event EVENT_SO_DISCARD, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55b5330dc4a8 size 128 "nss-cert" #1: STATE_MAIN_R1: sent MR1, expecting MI2 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.68 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00282 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 396 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 98 1d 38 ad a2 46 7e 0f c9 f5 7e a4 dc e2 10 44 | 04 10 02 00 00 00 00 00 00 00 01 8c 0a 00 01 04 | 5a 02 03 d1 0c f2 7a d3 da 74 3d ee 23 07 a7 66 | 55 bc 0c 99 cb 1e a4 11 a0 f9 60 ba 8f 3e 4f b5 | f7 2e 5b 78 f6 3a cb 5e 8d 15 7c f1 da d7 2b a5 | a4 47 9c 2c f4 28 64 57 52 3f 62 aa 7d d2 ce 97 | a0 ce bd 3c cd 23 de 88 e6 24 22 11 39 ee 45 cc | 8d 79 03 9e 69 13 d0 2e fa b4 02 33 c2 8f 7c 99 | 37 76 0b d7 b7 9b 42 f5 e2 ec 2b c9 25 27 5f d0 | 65 1e 7b 0d 44 b3 71 35 1e 9f 0f 78 53 3a 42 74 | 05 db a6 4b e0 53 44 71 e2 32 a8 3f 69 ef 38 b5 | f1 4c f5 d8 20 49 21 d0 6a 5e 95 3f ed cd 11 ee | 4b 10 c6 1b 5b c0 69 3c 91 46 7c fd 2e 16 59 85 | 16 e2 56 e8 57 49 49 fc f2 c8 d1 ac 8c 0b 9c fe | 0f da 7a 4f c4 45 05 e3 43 f8 66 f6 54 c6 a7 7b | 96 7f 69 c5 35 ce 51 8b 0b fd 64 ab c4 4c 65 4c | 2e da 6c 2a 0a 01 d4 4e 65 7b dc 4a ef 3c c8 e0 | 44 d4 75 52 04 a7 d6 e6 aa 70 20 e1 8b b8 a6 a1 | 14 00 00 24 1e a5 82 71 a5 ef bc ff b4 d4 31 ad | b2 f8 c4 9c fc 32 3c 5b df fd ec e2 14 e2 75 14 | a8 65 d8 65 14 00 00 24 8e c8 a1 41 71 c5 5c ab | 9d 05 07 6c da 73 b0 c2 c6 1e ed 94 22 ee 64 4a | 91 5c d4 65 50 a2 03 05 00 00 00 24 10 d3 c5 20 | 5e d5 e1 db fc 5c 7e 8c 2b 7d 3a bf 9a f2 05 5f | 05 27 f9 a1 f0 c2 3e ce b8 17 3b 56 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 98 1d 38 ad a2 46 7e 0f | responder cookie: | c9 f5 7e a4 dc e2 10 44 | next payload type: ISAKMP_NEXT_KE (0x4) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 396 (0x18c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_R1 (find_state_ikev1) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1459) | #1 is idle | #1 idle | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 260 (0x104) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | message 'main_inI2_outR2' HASH payload not checked early | init checking NAT-T: enabled; RFC 3947 (NAT-Traversal) | natd_hash: hasher=0x55b532aefca0(32) | natd_hash: icookie= 98 1d 38 ad a2 46 7e 0f | natd_hash: rcookie= c9 f5 7e a4 dc e2 10 44 | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= 8e c8 a1 41 71 c5 5c ab 9d 05 07 6c da 73 b0 c2 | natd_hash: hash= c6 1e ed 94 22 ee 64 4a 91 5c d4 65 50 a2 03 05 | natd_hash: hasher=0x55b532aefca0(32) | natd_hash: icookie= 98 1d 38 ad a2 46 7e 0f | natd_hash: rcookie= c9 f5 7e a4 dc e2 10 44 | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= 10 d3 c5 20 5e d5 e1 db fc 5c 7e 8c 2b 7d 3a bf | natd_hash: hash= 9a f2 05 5f 05 27 f9 a1 f0 c2 3e ce b8 17 3b 56 | expected NAT-D(me): 8e c8 a1 41 71 c5 5c ab 9d 05 07 6c da 73 b0 c2 | expected NAT-D(me): c6 1e ed 94 22 ee 64 4a 91 5c d4 65 50 a2 03 05 | expected NAT-D(him): | 10 d3 c5 20 5e d5 e1 db fc 5c 7e 8c 2b 7d 3a bf | 9a f2 05 5f 05 27 f9 a1 f0 c2 3e ce b8 17 3b 56 | received NAT-D: 8e c8 a1 41 71 c5 5c ab 9d 05 07 6c da 73 b0 c2 | received NAT-D: c6 1e ed 94 22 ee 64 4a 91 5c d4 65 50 a2 03 05 | received NAT-D: 10 d3 c5 20 5e d5 e1 db fc 5c 7e 8c 2b 7d 3a bf | received NAT-D: 9a f2 05 5f 05 27 f9 a1 f0 c2 3e ce b8 17 3b 56 | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.45 | NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected | NAT_T_WITH_KA detected | global one-shot timer EVENT_NAT_T_KEEPALIVE scheduled in 20 seconds | adding inI2_outR2 KE work-order 1 for state #1 | state #1 requesting EVENT_SO_DISCARD to be deleted | libevent_free: release ptr-libevent@0x55b5330dc4a8 | free_event_entry: release EVENT_SO_DISCARD-pe@0x55b5330e05a8 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55b5330e05a8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55b5330e0618 size 128 | crypto helper 0 resuming | crypto helper 0 starting work-order 1 for state #1 | crypto helper 0 doing build KE and nonce (inI2_outR2 KE); request ID 1 | crypto helper 0 finished build KE and nonce (inI2_outR2 KE); request ID 1 time elapsed 0.00101 seconds | (#1) spent 0.997 milliseconds in crypto helper computing work-order 1: inI2_outR2 KE (pcr) | crypto helper 0 sending results from work-order 1 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f3788002888 size 128 | crypto helper 0 waiting (nothing to do) | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #1 and saving MD | #1 is busy; has a suspended MD | #1 spent 0.116 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.261 milliseconds in comm_handle_cb() reading and processing packet | processing resume sending helper answer for #1 | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 0 replies to request ID 1 | calling continuation function 0x55b532a1ab50 | main_inI2_outR2_continue for #1: calculated ke+nonce, sending R2 | **emit ISAKMP Message: | initiator cookie: | 98 1d 38 ad a2 46 7e 0f | responder cookie: | c9 f5 7e a4 dc e2 10 44 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value f8 7e dc eb 68 aa 92 cf 39 1b ad b2 3e e4 61 3f | keyex value 65 94 49 8d 1b a4 9e 4f ae 05 10 2a 99 e3 29 a3 | keyex value d2 9d 7b 0c f7 44 b2 b7 e2 08 43 bf 95 f0 11 3b | keyex value 84 87 73 6f da 7d 8b 0e a5 c8 b4 8f c2 2c 54 28 | keyex value 87 f5 8c 21 44 5b 9f d1 ef 2c 61 ef 31 60 ac 4e | keyex value df 24 49 ba 45 1a c2 46 17 fd 9f af ce b1 8b 34 | keyex value 64 b3 2f 2d 73 6c b5 27 ea 6b 86 b5 5c 61 c7 10 | keyex value 07 c2 5a ab 86 a7 96 26 7d e2 09 9a 1c bb fd 0a | keyex value 29 34 74 0d 35 63 63 d0 3d 21 39 80 6e a8 d6 67 | keyex value 34 4c af 25 fb d7 be ac 27 cc ef 72 f6 e8 a9 9d | keyex value d3 01 7d 75 3a e5 64 b3 49 0e 45 46 02 e7 8c e0 | keyex value eb a9 d2 59 31 38 85 44 51 26 27 98 37 27 73 81 | keyex value 01 60 27 16 75 04 90 3f 24 cf 77 3f ab af da e0 | keyex value 42 fb 9e f9 19 d9 37 64 c6 62 5f 9b 34 a3 5e 9f | keyex value 22 7e 4f 86 c2 1a 2c a7 a1 c4 bf e7 ec 51 82 23 | keyex value 8b 1f fe f2 09 1f 15 64 46 ea 35 60 7b c4 a0 53 | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr 1e 0d 31 8e 26 f0 36 7c f2 13 42 0d b7 47 7d 07 | Nr 67 0f 5e 3c 05 ee 81 90 16 7d 38 4e 63 1c d4 77 | emitting length of ISAKMP Nonce Payload: 36 | sending NAT-D payloads | natd_hash: hasher=0x55b532aefca0(32) | natd_hash: icookie= 98 1d 38 ad a2 46 7e 0f | natd_hash: rcookie= c9 f5 7e a4 dc e2 10 44 | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= 10 d3 c5 20 5e d5 e1 db fc 5c 7e 8c 2b 7d 3a bf | natd_hash: hash= 9a f2 05 5f 05 27 f9 a1 f0 c2 3e ce b8 17 3b 56 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | next payload chain: ignoring supplied 'ISAKMP NAT-D Payload'.'next payload type' value 20:ISAKMP_NEXT_NATD_RFC | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 10 d3 c5 20 5e d5 e1 db fc 5c 7e 8c 2b 7d 3a bf | NAT-D 9a f2 05 5f 05 27 f9 a1 f0 c2 3e ce b8 17 3b 56 | emitting length of ISAKMP NAT-D Payload: 36 | natd_hash: hasher=0x55b532aefca0(32) | natd_hash: icookie= 98 1d 38 ad a2 46 7e 0f | natd_hash: rcookie= c9 f5 7e a4 dc e2 10 44 | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= 8e c8 a1 41 71 c5 5c ab 9d 05 07 6c da 73 b0 c2 | natd_hash: hash= c6 1e ed 94 22 ee 64 4a 91 5c d4 65 50 a2 03 05 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP NAT-D Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 8e c8 a1 41 71 c5 5c ab 9d 05 07 6c da 73 b0 c2 | NAT-D c6 1e ed 94 22 ee 64 4a 91 5c d4 65 50 a2 03 05 | emitting length of ISAKMP NAT-D Payload: 36 | no IKEv1 message padding required | emitting length of ISAKMP Message: 396 | main inI2_outR2: starting async DH calculation (group=14) | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org->%fromcert of kind PKK_PSK | actually looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org->%fromcert of kind PKK_PSK | line 0: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org) to type PKK_RSA | line 1: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding main_inI2_outR2_tail work-order 2 for state #1 | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55b5330e0618 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55b5330e05a8 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55b5330e05a8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55b5330dc4a8 size 128 | #1 main_inI2_outR2_continue1_tail:1165 st->st_calculating = FALSE; | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #1 is idle; has background offloaded task | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2 | parent state #1: MAIN_R1(open IKE SA) => MAIN_R2(open IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55b5330dc4a8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55b5330e05a8 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 396 bytes for STATE_MAIN_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 98 1d 38 ad a2 46 7e 0f c9 f5 7e a4 dc e2 10 44 | 04 10 02 00 00 00 00 00 00 00 01 8c 0a 00 01 04 | f8 7e dc eb 68 aa 92 cf 39 1b ad b2 3e e4 61 3f | 65 94 49 8d 1b a4 9e 4f ae 05 10 2a 99 e3 29 a3 | d2 9d 7b 0c f7 44 b2 b7 e2 08 43 bf 95 f0 11 3b | 84 87 73 6f da 7d 8b 0e a5 c8 b4 8f c2 2c 54 28 | 87 f5 8c 21 44 5b 9f d1 ef 2c 61 ef 31 60 ac 4e | df 24 49 ba 45 1a c2 46 17 fd 9f af ce b1 8b 34 | 64 b3 2f 2d 73 6c b5 27 ea 6b 86 b5 5c 61 c7 10 | 07 c2 5a ab 86 a7 96 26 7d e2 09 9a 1c bb fd 0a | 29 34 74 0d 35 63 63 d0 3d 21 39 80 6e a8 d6 67 | 34 4c af 25 fb d7 be ac 27 cc ef 72 f6 e8 a9 9d | d3 01 7d 75 3a e5 64 b3 49 0e 45 46 02 e7 8c e0 | eb a9 d2 59 31 38 85 44 51 26 27 98 37 27 73 81 | 01 60 27 16 75 04 90 3f 24 cf 77 3f ab af da e0 | 42 fb 9e f9 19 d9 37 64 c6 62 5f 9b 34 a3 5e 9f | 22 7e 4f 86 c2 1a 2c a7 a1 c4 bf e7 ec 51 82 23 | 8b 1f fe f2 09 1f 15 64 46 ea 35 60 7b c4 a0 53 | 14 00 00 24 1e 0d 31 8e 26 f0 36 7c f2 13 42 0d | b7 47 7d 07 67 0f 5e 3c 05 ee 81 90 16 7d 38 4e | 63 1c d4 77 14 00 00 24 10 d3 c5 20 5e d5 e1 db | fc 5c 7e 8c 2b 7d 3a bf 9a f2 05 5f 05 27 f9 a1 | f0 c2 3e ce b8 17 3b 56 00 00 00 24 8e c8 a1 41 | 71 c5 5c ab 9d 05 07 6c da 73 b0 c2 c6 1e ed 94 | 22 ee 64 4a 91 5c d4 65 50 a2 03 05 | !event_already_set at reschedule "nss-cert" #1: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds | event_schedule: new EVENT_RETRANSMIT-pe@0x55b5330e05a8 | inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55b5330dc4a8 size 128 | #1 STATE_MAIN_R2: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29928.767321 "nss-cert" #1: STATE_MAIN_R2: sent MR2, expecting MI3 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.339 milliseconds in resume sending helper answer | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f3788002888 | crypto helper 1 resuming | crypto helper 1 starting work-order 2 for state #1 | crypto helper 1 doing compute dh+iv (V1 Phase 1) (main_inI2_outR2_tail); request ID 2 | crypto helper 1 finished compute dh+iv (V1 Phase 1) (main_inI2_outR2_tail); request ID 2 time elapsed 0.001177 seconds | (#1) spent 1.18 milliseconds in crypto helper computing work-order 2: main_inI2_outR2_tail (pcr) | crypto helper 1 sending results from work-order 2 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f3780000f48 size 128 | crypto helper 1 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 1 replies to request ID 2 | calling continuation function 0x55b532a1ab50 | main_inI2_outR2_calcdone for #1: calculate DH finished | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in main_inI2_outR2_continue2() at ikev1_main.c:1015) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in main_inI2_outR2_continue2() at ikev1_main.c:1028) | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.0181 milliseconds in resume sending helper answer | processing: STOP state #0 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f3780000f48 | spent 0.00355 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 1884 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 98 1d 38 ad a2 46 7e 0f c9 f5 7e a4 dc e2 10 44 | 05 10 02 01 00 00 00 00 00 00 07 5c 5c d9 23 d9 | a4 00 e9 f2 20 50 84 a7 05 74 3b 25 a2 e6 80 fc | 7b 22 e3 28 a1 55 79 ce a7 ff 85 35 0f dc 0c 89 | fb b8 0e e8 6a c8 f4 e7 6c 1f ef 41 ea 3c 5f 66 | f4 5b 73 52 02 b6 73 a2 98 33 90 3d 54 35 48 e3 | 92 69 42 58 09 05 8e da 57 37 ae 4e f5 55 b5 c1 | a3 5e e4 f1 ef 6b cd 53 d5 15 75 87 e2 fd 7d 27 | 6b f4 52 74 97 61 3c 84 4a 9a 2a 50 73 c6 5f 5f | d4 72 ad 2e cc ae ab c8 96 29 c1 95 21 f0 af 0f | d2 25 2e f7 e6 61 19 12 3b 00 4d 1f b1 fe 4e 31 | 5a 4d e2 fe 72 3f 95 1b 62 34 d8 90 51 b5 df 30 | 89 87 21 0e 6b 33 43 39 59 ac b9 da 75 03 9f 32 | 00 56 70 13 55 08 bb b8 df 9e 43 a5 17 ae be 46 | 82 92 f2 ea 5a 64 93 a8 67 70 df de 5c 43 c9 0b | 0f 24 a6 92 42 e0 f9 c7 bc 70 82 68 bb 25 50 97 | ee 1e 5b 0b bc fa 38 0e 73 1c 53 a1 21 01 b5 07 | ce fa 71 d4 32 12 a9 8b 3f 93 37 58 79 11 b8 3e | e8 06 2b 9e 1c 8c 0c 5e 19 35 2d 75 0f ee 70 62 | 9b 3b 88 6f f4 7e 5b 92 26 6e 13 5d 92 a1 36 86 | 9e 3e 6a 5a 45 1f 26 91 26 dc 2c fb 57 7d 72 66 | f6 da ca b2 49 b9 0e 61 19 c3 2d 0b 0f b8 82 fc | 50 69 41 eb a3 1b 66 f1 8b fc cd bb bd 52 7d bf | 55 95 25 57 23 ee 80 0d 64 21 c9 98 43 1f d8 c7 | e3 69 2c 2b 5a 5d 4b f0 a4 2e 7c e8 15 67 56 25 | 84 a4 8c 8c f9 74 01 10 9b 71 f9 8b e0 57 8e 02 | ff 0f 67 d0 0f d5 c8 4e a1 e2 2a 94 cb 9f ca bb | e5 cd 78 7f 28 c6 fe 31 a3 38 f0 20 2f 98 68 8d | f0 6a d6 0e c5 40 1c 95 78 a8 22 db c0 6b d9 a8 | 33 d5 9b 8e 1d 46 40 f3 74 de c3 6c 2b c3 8c b2 | 95 f9 9b f9 ac 40 71 9e 16 1b ed 38 36 30 38 ac | 73 4a fc 96 7d e3 1e 02 88 e7 46 18 61 e7 b6 31 | a1 bb 6f 56 b1 c9 f9 1e 50 8b c2 6c af ae a5 d1 | fb 4a 74 46 b9 76 d4 41 a3 ac 09 2b 11 94 84 1e | 5a 32 c2 6f 2f 9c 97 b9 e7 d0 8f 31 c0 69 e9 26 | 6b 0f ee b3 14 62 e2 c9 75 20 06 30 60 d6 c1 9a | 03 08 4c 92 98 40 84 3b bc 4f f7 82 b0 3f 59 c7 | 50 4c 78 4d ee 59 b5 54 98 85 10 91 57 fc 39 1d | c6 13 bb 5f 97 be fd a7 3e 0e 85 3d 6c 60 dd 25 | bc 0c 9d 0c 6b 22 6e 07 51 3d 4b 45 3d 68 cc c3 | 2a 9e 5b a0 db ca cb ec 31 7b 1e dc a9 36 e1 39 | 4c ab 94 aa 3d b0 78 cf 97 53 e2 69 de 9f f3 83 | 6d 2e 1f ff c2 c1 3a 5c 74 06 6f 58 58 fa fa eb | d7 a2 2a 3f 89 5c 8a c4 98 55 34 7c 73 d4 b3 3c | 8f d9 04 e8 f2 d0 59 8b 6a 2c ca d0 8e 2e 1a 48 | 68 16 d7 32 bd c0 84 dc fa 3b 3e 60 97 f9 45 98 | e8 c7 c4 1e b6 ad ae 81 ff 24 85 b1 2c d8 29 f7 | 7c d3 92 66 d1 f5 bf f9 94 b2 ff bd 60 b8 01 f3 | d6 c1 41 db ee cb dd 60 a0 97 a2 62 69 19 90 b9 | 18 1f d1 93 4b 9d a1 c5 c5 8a 2d ce 00 90 c0 e1 | f1 1e 7d 8b e0 47 cf 3f c6 31 8d 1b 6d 55 3d 5a | e3 87 5c f4 68 47 7e a8 83 fe c7 80 55 c5 f6 1e | 5f 6c 7a 2d 61 3c c2 ab 2e 8a 57 76 ba c7 37 6f | bc d2 8b b4 65 d4 72 59 5a 63 8e b9 37 74 2c 55 | d6 74 00 65 36 5c 46 80 d3 73 d3 4e d3 3d e4 16 | db 3f 49 e4 da be 03 6f 34 aa cd c2 af 4b 1a 1c | 7b e2 9f 9e 0e 71 86 10 06 fc a4 20 c5 e1 b4 76 | ae 5c c7 e0 48 fb ab 50 12 5a dc 8f 5a fe c9 2f | 02 65 2a db 3a 02 67 6b 91 ec e2 94 fe 91 e7 b8 | 93 b6 2e 28 90 70 67 5d eb 93 76 66 4a fc 80 90 | 1e ee 76 ee 7b 84 d3 4f 4d db ea 79 5c 98 bc 7d | b4 5e 93 e3 7c fa 08 4b 36 ef 5a 07 5a b4 8e 66 | 1b 13 d6 9c eb 26 ee c8 0b 1a 13 50 a6 f4 56 5e | fd 3b 12 b2 69 a7 fb 05 90 1c eb 61 d5 7b 6f 94 | d0 02 40 d7 da f1 62 e1 56 09 41 2a 17 c9 9d d1 | 4b 42 66 04 92 98 8e 90 f3 a4 60 86 6d 47 1d 6d | 46 ab d9 a2 95 71 2d 66 94 53 a9 07 2a ab fe 25 | 89 43 bd 13 33 9b bd f2 3f 81 4f 99 2d 3b 43 68 | 86 c7 91 5f 94 9b 7d 0e f2 fe a5 da 39 d0 98 af | 41 35 ce 4d 42 c1 e8 7d df bd a8 1e 5e 2c 21 e1 | 0c 8b be 01 5c 10 87 f6 e8 cd 53 96 02 63 3d 8a | 82 8f b7 b2 fb 5a cc 19 b5 0c 9a ec 9d 21 a0 fb | 23 3c 6a d5 fb 5c dc df 7a ca 91 88 85 a6 1d 2b | fa 70 56 e9 fa 59 13 5c 34 4c 0b 47 73 b2 58 9e | 16 26 49 f9 bf 48 31 6a 6f d2 cd 82 68 f0 b3 e6 | 09 a1 b8 f7 4b 47 d9 a6 19 18 aa df 33 a9 32 ec | 93 09 7a 99 6d 25 04 3c a9 c1 42 5d ec ff 03 bc | 61 7b 55 b2 37 7d 6d a4 11 6c 62 18 80 cc 54 63 | d7 29 4c a0 95 28 3c 25 75 71 b5 f4 12 59 0f eb | fb e0 5a d9 6a bd 9a 2b 2b 19 22 10 ba 00 01 16 | 6d 70 21 5a 1f 27 28 4a dc ac 95 c3 f3 52 18 f1 | 82 8a 6a 8e 7d 54 f3 ae 0e e0 b0 25 37 b3 6c de | b8 ac 2d 44 88 19 3a a3 3a 7b 76 40 4e f2 95 b0 | c1 58 bd 5d 1a db 11 9b f7 89 2a 5d ad e6 47 8f | a5 f6 6a e9 f3 f1 b3 68 05 69 d5 6d cd 91 e3 2a | f7 c1 7e 68 10 95 d2 e2 a3 7d 6b 1b bc 88 a8 c8 | 9d f5 d8 de 05 36 52 07 03 37 d6 67 fe 0b 0d ca | 48 be 59 3a 79 d0 e5 3e cf e3 03 55 77 c8 95 d7 | d4 83 fa 03 b3 ac 22 14 d8 95 9f fa 6f a1 40 ab | 2d ab 26 ff 37 64 a7 74 d7 ba fa 4b 96 c8 03 7a | 0c 68 42 24 60 f3 9d 2f fb fd 0d 95 63 6b 34 61 | 00 4b 11 58 76 3b 9c b3 d2 4b 5a 73 0c c4 38 f4 | 82 3f b7 49 00 0c 6f a6 b1 54 39 c8 e2 6c 26 97 | 1b 23 fe d5 27 16 58 4e fc 40 70 3d 15 9e 3f 63 | be a2 03 b6 12 fb c5 b1 b0 d9 0b 79 4c 47 a0 7b | 7b be 20 b1 cf fa ff 07 b5 f4 42 03 47 cb 7d ad | b0 3c 67 79 35 48 1f e5 4f 69 c8 35 eb ab e1 34 | a8 28 a7 23 a7 d2 cb 5d 5f 1a 4c 95 4d ef 2b 51 | 6c cc 3b 0b 41 ba ac 5f 1a a2 d8 13 cf 13 10 c5 | d0 7a 3b d0 b2 9b 4b 36 1e 3b a2 2a db 7c 72 57 | 22 ab 18 d6 c0 da 75 86 d0 33 cc 00 a8 75 d8 f4 | cd d0 45 c9 b2 e3 a0 e6 32 6b 77 f7 d6 86 33 41 | a9 0a 46 58 69 6a aa 72 fb b2 89 86 47 aa f0 d4 | d9 b3 0a 12 90 30 69 dc dd e2 68 70 59 6d 42 d9 | 7c f3 5c 6c bc 25 c7 58 da 33 0e 1d af 81 2a 8b | f1 92 5b 7d 20 f7 5a 9c 7e be 55 58 05 69 a2 ba | 0e 38 fb 5f 23 b2 1d 64 8c 96 51 8e fe bc 14 e5 | af 17 f8 f1 5c 00 0c 87 bf c7 63 11 d6 08 0a 87 | ab b9 9d 9a 0b 0b 90 f3 50 9d 2e f8 85 af 84 20 | 5b d2 22 e5 1d aa 1b 80 68 51 b8 95 34 cc 59 04 | b2 79 72 01 a8 54 7a e0 87 2a 3d 11 a6 79 91 2b | 02 f4 73 6a 8d 98 d3 9b c8 46 61 b0 de 0c 65 a9 | 81 99 1a 0d 4b 14 e2 e6 a5 04 4b 7f 50 ed 92 34 | 71 50 9d ab 8c 07 46 00 ce fc 3f 9d 29 d8 8e d4 | 9f af 1b 60 b1 32 e9 07 62 63 01 e7 51 72 52 5d | 5c 96 8c 33 61 fd 00 38 8e b0 46 33 69 27 46 ba | 5b 7a 49 a8 04 29 76 36 16 ed 98 a4 2e 1b 92 21 | 80 a0 78 0b f2 8c 8c e8 40 ea 8a 5f | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 98 1d 38 ad a2 46 7e 0f | responder cookie: | c9 f5 7e a4 dc e2 10 44 | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | length: 1884 (0x75c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_R2 (find_state_ikev1) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1459) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x220 opt: 0x20c0 | ***parse ISAKMP Identification Payload: | next payload type: ISAKMP_NEXT_CERT (0x6) | length: 207 (0xcf) | ID type: ID_DER_ASN1_DN (0x9) | DOI specific A: 0 (0x0) | DOI specific B: 0 (0x0) | obj: 30 81 c4 31 0b 30 09 06 03 55 04 06 13 02 43 41 | obj: 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | obj: 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | obj: 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | obj: 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | obj: 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | obj: 6e 74 31 2b 30 29 06 03 55 04 03 0c 22 75 73 61 | obj: 67 65 2d 63 6c 69 65 6e 74 2e 74 65 73 74 69 6e | obj: 67 2e 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 31 | obj: 36 30 34 06 09 2a 86 48 86 f7 0d 01 09 01 16 27 | obj: 75 73 65 72 2d 75 73 61 67 65 2d 63 6c 69 65 6e | obj: 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | obj: 77 61 6e 2e 6f 72 67 | got payload 0x40 (ISAKMP_NEXT_CERT) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Certificate Payload: | next payload type: ISAKMP_NEXT_CR (0x7) | length: 1253 (0x4e5) | cert encoding: CERT_X509_SIGNATURE (0x4) | got payload 0x80 (ISAKMP_NEXT_CR) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Certificate RequestPayload: | next payload type: ISAKMP_NEXT_SIG (0x9) | length: 5 (0x5) | cert type: CERT_X509_SIGNATURE (0x4) | got payload 0x200 (ISAKMP_NEXT_SIG) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Signature Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 388 (0x184) | removing 3 bytes of padding | message 'main_inI3_outR3' HASH payload not checked early | DER ASN1 DN: 30 81 c4 31 0b 30 09 06 03 55 04 06 13 02 43 41 | DER ASN1 DN: 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | DER ASN1 DN: 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | DER ASN1 DN: 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | DER ASN1 DN: 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | DER ASN1 DN: 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | DER ASN1 DN: 6e 74 31 2b 30 29 06 03 55 04 03 0c 22 75 73 61 | DER ASN1 DN: 67 65 2d 63 6c 69 65 6e 74 2e 74 65 73 74 69 6e | DER ASN1 DN: 67 2e 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 31 | DER ASN1 DN: 36 30 34 06 09 2a 86 48 86 f7 0d 01 09 01 16 27 | DER ASN1 DN: 75 73 65 72 2d 75 73 61 67 65 2d 63 6c 69 65 6e | DER ASN1 DN: 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | DER ASN1 DN: 77 61 6e 2e 6f 72 67 "nss-cert" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-client.testing.libreswan.org, E=user-usage-client@testing.libreswan.org' | global one-shot timer EVENT_FREE_ROOT_CERTS scheduled in 300 seconds loading root certificate cache | spent 3.68 milliseconds in get_root_certs() calling PK11_ListCertsInSlot() | spent 0.024 milliseconds in get_root_certs() filtering CAs | #1 spent 3.74 milliseconds in find_and_verify_certs() calling get_root_certs() | checking for known CERT payloads | saving certificate of type 'X509_SIGNATURE' | decoded cert: E=user-usage-client@testing.libreswan.org,CN=usage-client.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | #1 spent 0.19 milliseconds in find_and_verify_certs() calling decode_cert_payloads() | cert_issuer_has_current_crl: looking for a CRL issued by E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | #1 spent 0.0384 milliseconds in find_and_verify_certs() calling crl_update_check() | missing or expired CRL | crl_strict: 0, ocsp: 0, ocsp_strict: 0, ocsp_post: 0 | verify_end_cert trying profile IPsec "nss-cert" #1: Certificate E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA failed IPsec verification "nss-cert" #1: ERROR: The certificate was signed using a signature algorithm that is disabled because it is not secure. | #1 spent 0.402 milliseconds in find_and_verify_certs() calling verify_end_cert() "nss-cert" #1: X509: Certificate rejected for this connection "nss-cert" #1: X509: CERT payload bogus or revoked | Peer ID failed to decode | complete v1 state transition with INVALID_ID_INFORMATION | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #1 is idle "nss-cert" #1: sending encrypted notification INVALID_ID_INFORMATION to 192.1.2.45:500 | **emit ISAKMP Message: | initiator cookie: | 98 1d 38 ad a2 46 7e 0f | responder cookie: | c9 f5 7e a4 dc e2 10 44 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3224131413 (0xc02c5755) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'notification msg' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Notification Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 1 (0x1) | SPI size: 0 (0x0) | Notify Message Type: INVALID_ID_INFORMATION (0x12) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Notification Payload (11:ISAKMP_NEXT_N) | next payload chain: saving location 'ISAKMP Notification Payload'.'next payload type' in 'notification msg' | emitting length of ISAKMP Notification Payload: 12 | send notification HASH(1): | d2 2c 7e 99 b5 23 9f a2 4e b7 9b 50 c2 f0 1a f5 | e2 de 71 f8 d0 e6 55 fb fe dc 3c 0f 66 9a 96 fb | no IKEv1 message padding required | emitting length of ISAKMP Message: 76 | sending 76 bytes for notification packet through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 98 1d 38 ad a2 46 7e 0f c9 f5 7e a4 dc e2 10 44 | 08 10 05 01 c0 2c 57 55 00 00 00 4c 4b 45 4b be | 4d af ad 39 ac 04 ee 30 7b e5 d5 0b 1d d2 6f 15 | e9 04 1d 12 e5 cc c4 4d 75 d0 7c ea c4 1a c1 41 | 3a b2 25 2f f5 67 1c 00 57 a5 ac c5 | state transition function for STATE_MAIN_R2 failed: INVALID_ID_INFORMATION | #1 spent 5.02 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 5.39 milliseconds in comm_handle_cb() reading and processing packet | processing global timer EVENT_SHUNT_SCAN | expiring aged bare shunts from shunt table | spent 0.00312 milliseconds in global timer EVENT_SHUNT_SCAN | processing global timer EVENT_NAT_T_KEEPALIVE | FOR_EACH_STATE_... in nat_traversal_ka_event (for_each_state) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in for_each_state() at state.c:1575) | not behind NAT: no NAT-T KEEP-ALIVE required for conn nss-cert | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in for_each_state() at state.c:1577) | spent 0.0148 milliseconds in global timer EVENT_NAT_T_KEEPALIVE