FIPS Product: YES
FIPS Kernel: NO
FIPS Mode: NO
NSS DB directory: sql:/etc/ipsec.d
Initializing NSS
Opening NSS database "sql:/etc/ipsec.d" read-only
NSS initialized
NSS crypto library initialized
FIPS HMAC integrity support [enabled]
FIPS mode disabled for pluto daemon
FIPS HMAC integrity verification self-test FAILED
libcap-ng support [enabled]
Linux audit support [enabled]
Linux audit activated
Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:13154
core dump dir: /tmp
secrets file: /etc/ipsec.secrets
leak-detective enabled
NSS crypto [enabled]
XAUTH PAM support [enabled]
| libevent is using pluto's memory allocator
Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
| libevent_malloc: new ptr-libevent@0x555f241d67f8 size 40
| libevent_malloc: new ptr-libevent@0x555f241d6cd8 size 40
| libevent_malloc: new ptr-libevent@0x555f241d6dd8 size 40
| creating event base
| libevent_malloc: new ptr-libevent@0x555f2425b7a8 size 56
| libevent_malloc: new ptr-libevent@0x555f241ff3e8 size 664
| libevent_malloc: new ptr-libevent@0x555f2425b818 size 24
| libevent_malloc: new ptr-libevent@0x555f2425b868 size 384
| libevent_malloc: new ptr-libevent@0x555f2425b768 size 16
| libevent_malloc: new ptr-libevent@0x555f241d6908 size 40
| libevent_malloc: new ptr-libevent@0x555f241d6d38 size 48
| libevent_realloc: new ptr-libevent@0x555f241ff078 size 256
| libevent_malloc: new ptr-libevent@0x555f2425ba18 size 16
| libevent_free: release ptr-libevent@0x555f2425b7a8
| libevent initialized
| libevent_realloc: new ptr-libevent@0x555f2425b7a8 size 64
| global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds
| init_nat_traversal() initialized with keep_alive=0s
NAT-Traversal support  [enabled]
| global one-shot timer EVENT_NAT_T_KEEPALIVE initialized
| global one-shot timer EVENT_FREE_ROOT_CERTS initialized
| global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds
| global one-shot timer EVENT_REVIVE_CONNS initialized
| global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds
| global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds
Encryption algorithms:
  AES_CCM_16              IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm, aes_ccm_c
  AES_CCM_12              IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm_b
  AES_CCM_8               IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm_a
  3DES_CBC                IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  [*192]  3des
  CAMELLIA_CTR            IKEv1:     ESP     IKEv2:     ESP           {256,192,*128}
  CAMELLIA_CBC            IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  camellia
  AES_GCM_16              IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes_gcm, aes_gcm_c
  AES_GCM_12              IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes_gcm_b
  AES_GCM_8               IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes_gcm_a
  AES_CTR                 IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aesctr
  AES_CBC                 IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes
  SERPENT_CBC             IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  serpent
  TWOFISH_CBC             IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  twofish
  TWOFISH_SSH             IKEv1: IKE         IKEv2: IKE ESP           {256,192,*128}  twofish_cbc_ssh
  NULL_AUTH_AES_GMAC      IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_gmac
  NULL                    IKEv1:     ESP     IKEv2:     ESP           []
  CHACHA20_POLY1305       IKEv1:             IKEv2: IKE ESP           [*256]  chacha20poly1305
Hash algorithms:
  MD5                     IKEv1: IKE         IKEv2:                 
  SHA1                    IKEv1: IKE         IKEv2:             FIPS  sha
  SHA2_256                IKEv1: IKE         IKEv2:             FIPS  sha2, sha256
  SHA2_384                IKEv1: IKE         IKEv2:             FIPS  sha384
  SHA2_512                IKEv1: IKE         IKEv2:             FIPS  sha512
PRF algorithms:
  HMAC_MD5                IKEv1: IKE         IKEv2: IKE               md5
  HMAC_SHA1               IKEv1: IKE         IKEv2: IKE         FIPS  sha, sha1
  HMAC_SHA2_256           IKEv1: IKE         IKEv2: IKE         FIPS  sha2, sha256, sha2_256
  HMAC_SHA2_384           IKEv1: IKE         IKEv2: IKE         FIPS  sha384, sha2_384
  HMAC_SHA2_512           IKEv1: IKE         IKEv2: IKE         FIPS  sha512, sha2_512
  AES_XCBC                IKEv1:             IKEv2: IKE               aes128_xcbc
Integrity algorithms:
  HMAC_MD5_96             IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        md5, hmac_md5
  HMAC_SHA1_96            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha, sha1, sha1_96, hmac_sha1
  HMAC_SHA2_512_256       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha512, sha2_512, sha2_512_256, hmac_sha2_512
  HMAC_SHA2_384_192       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha384, sha2_384, sha2_384_192, hmac_sha2_384
  HMAC_SHA2_256_128       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
  HMAC_SHA2_256_TRUNCBUG  IKEv1:     ESP AH  IKEv2:         AH      
  AES_XCBC_96             IKEv1:     ESP AH  IKEv2: IKE ESP AH        aes_xcbc, aes128_xcbc, aes128_xcbc_96
  AES_CMAC_96             IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS  aes_cmac
  NONE                    IKEv1:     ESP     IKEv2: IKE ESP     FIPS  null
DH algorithms:
  NONE                    IKEv1:             IKEv2: IKE ESP AH  FIPS  null, dh0
  MODP1536                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        dh5
  MODP2048                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh14
  MODP3072                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh15
  MODP4096                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh16
  MODP6144                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh17
  MODP8192                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh18
  DH19                    IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  ecp_256, ecp256
  DH20                    IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  ecp_384, ecp384
  DH21                    IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  ecp_521, ecp521
  DH31                    IKEv1: IKE         IKEv2: IKE ESP AH        curve25519
testing CAMELLIA_CBC:
  Camellia: 16 bytes with 128-bit key
  Camellia: 16 bytes with 128-bit key
  Camellia: 16 bytes with 256-bit key
  Camellia: 16 bytes with 256-bit key
testing AES_GCM_16:
  empty string
  one block
  two blocks
  two blocks with associated data
testing AES_CTR:
  Encrypting 16 octets using AES-CTR with 128-bit key
  Encrypting 32 octets using AES-CTR with 128-bit key
  Encrypting 36 octets using AES-CTR with 128-bit key
  Encrypting 16 octets using AES-CTR with 192-bit key
  Encrypting 32 octets using AES-CTR with 192-bit key
  Encrypting 36 octets using AES-CTR with 192-bit key
  Encrypting 16 octets using AES-CTR with 256-bit key
  Encrypting 32 octets using AES-CTR with 256-bit key
  Encrypting 36 octets using AES-CTR with 256-bit key
testing AES_CBC:
  Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
  Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
  Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
  Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
testing AES_XCBC:
  RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input
  RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input
  RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input
  RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input
  RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input
  RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input
  RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input
  RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
  RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
  RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
testing HMAC_MD5:
  RFC 2104: MD5_HMAC test 1
  RFC 2104: MD5_HMAC test 2
  RFC 2104: MD5_HMAC test 3
8 CPU cores online
starting up 7 crypto helpers
started thread for crypto helper 0
started thread for crypto helper 1
| starting up helper thread 0
started thread for crypto helper 2
| starting up helper thread 2
| status value returned by setting the priority of this thread (crypto helper 0) 22
| starting up helper thread 1
started thread for crypto helper 3
| status value returned by setting the priority of this thread (crypto helper 1) 22
| starting up helper thread 3
| crypto helper 0 waiting (nothing to do)
| status value returned by setting the priority of this thread (crypto helper 2) 22
| starting up helper thread 4
| status value returned by setting the priority of this thread (crypto helper 4) 22
| status value returned by setting the priority of this thread (crypto helper 3) 22
| crypto helper 1 waiting (nothing to do)
started thread for crypto helper 4
| crypto helper 2 waiting (nothing to do)
| crypto helper 4 waiting (nothing to do)
| crypto helper 3 waiting (nothing to do)
started thread for crypto helper 5
| starting up helper thread 5
| status value returned by setting the priority of this thread (crypto helper 5) 22
| crypto helper 5 waiting (nothing to do)
started thread for crypto helper 6
| starting up helper thread 6
| status value returned by setting the priority of this thread (crypto helper 6) 22
| crypto helper 6 waiting (nothing to do)
| checking IKEv1 state table
|   MAIN_R0: category: half-open IKE SA flags: 0:
|     -> MAIN_R1 EVENT_SO_DISCARD
|   MAIN_I1: category: half-open IKE SA flags: 0:
|     -> MAIN_I2 EVENT_RETRANSMIT
|   MAIN_R1: category: open IKE SA flags: 200:
|     -> MAIN_R2 EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|   MAIN_I2: category: open IKE SA flags: 0:
|     -> MAIN_I3 EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|   MAIN_R2: category: open IKE SA flags: 0:
|     -> MAIN_R3 EVENT_SA_REPLACE
|     -> MAIN_R3 EVENT_SA_REPLACE
|     -> UNDEFINED EVENT_SA_REPLACE
|   MAIN_I3: category: open IKE SA flags: 0:
|     -> MAIN_I4 EVENT_SA_REPLACE
|     -> MAIN_I4 EVENT_SA_REPLACE
|     -> UNDEFINED EVENT_SA_REPLACE
|   MAIN_R3: category: established IKE SA flags: 200:
|     -> UNDEFINED EVENT_NULL
|   MAIN_I4: category: established IKE SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   AGGR_R0: category: half-open IKE SA flags: 0:
|     -> AGGR_R1 EVENT_SO_DISCARD
|   AGGR_I1: category: half-open IKE SA flags: 0:
|     -> AGGR_I2 EVENT_SA_REPLACE
|     -> AGGR_I2 EVENT_SA_REPLACE
|   AGGR_R1: category: open IKE SA flags: 200:
|     -> AGGR_R2 EVENT_SA_REPLACE
|     -> AGGR_R2 EVENT_SA_REPLACE
|   AGGR_I2: category: established IKE SA flags: 200:
|     -> UNDEFINED EVENT_NULL
|   AGGR_R2: category: established IKE SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   QUICK_R0: category: established CHILD SA flags: 0:
|     -> QUICK_R1 EVENT_RETRANSMIT
|   QUICK_I1: category: established CHILD SA flags: 0:
|     -> QUICK_I2 EVENT_SA_REPLACE
|   QUICK_R1: category: established CHILD SA flags: 0:
|     -> QUICK_R2 EVENT_SA_REPLACE
|   QUICK_I2: category: established CHILD SA flags: 200:
|     -> UNDEFINED EVENT_NULL
|   QUICK_R2: category: established CHILD SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   INFO: category: informational flags: 0:
|     -> UNDEFINED EVENT_NULL
|   INFO_PROTECTED: category: informational flags: 0:
|     -> UNDEFINED EVENT_NULL
|   XAUTH_R0: category: established IKE SA flags: 0:
|     -> XAUTH_R1 EVENT_NULL
|   XAUTH_R1: category: established IKE SA flags: 0:
|     -> MAIN_R3 EVENT_SA_REPLACE
|   MODE_CFG_R0: category: informational flags: 0:
|     -> MODE_CFG_R1 EVENT_SA_REPLACE
|   MODE_CFG_R1: category: established IKE SA flags: 0:
|     -> MODE_CFG_R2 EVENT_SA_REPLACE
|   MODE_CFG_R2: category: established IKE SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   MODE_CFG_I1: category: established IKE SA flags: 0:
|     -> MAIN_I4 EVENT_SA_REPLACE
|   XAUTH_I0: category: established IKE SA flags: 0:
|     -> XAUTH_I1 EVENT_RETRANSMIT
|   XAUTH_I1: category: established IKE SA flags: 0:
|     -> MAIN_I4 EVENT_RETRANSMIT
| checking IKEv2 state table
|   PARENT_I0: category: ignore flags: 0:
|     -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT)
|   PARENT_I1: category: half-open IKE SA flags: 0:
|     -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification)
|     -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH)
|   PARENT_I2: category: open IKE SA flags: 0:
|     -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification)
|     -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification)
|     -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification)
|     -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response)
|     -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification)
|   PARENT_I3: category: established IKE SA flags: 0:
|     -> PARENT_I3 EVENT_RETAIN (I3: Informational Request)
|     -> PARENT_I3 EVENT_RETAIN (I3: Informational Response)
|     -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request)
|     -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response)
|   PARENT_R0: category: half-open IKE SA flags: 0:
|     -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT)
|   PARENT_R1: category: half-open IKE SA flags: 0:
|     -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED))
|     -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request)
|   PARENT_R2: category: established IKE SA flags: 0:
|     -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request)
|     -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response)
|     -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request)
|     -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response)
|   V2_CREATE_I0: category: established IKE SA flags: 0:
|     -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA)
|   V2_CREATE_I: category: established IKE SA flags: 0:
|     -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response)
|   V2_REKEY_IKE_I0: category: established IKE SA flags: 0:
|     -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey)
|   V2_REKEY_IKE_I: category: established IKE SA flags: 0:
|     -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response)
|   V2_REKEY_CHILD_I0: category: established IKE SA flags: 0:
|     -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA)
|   V2_REKEY_CHILD_I: category: established IKE SA flags: 0: <none>
|   V2_CREATE_R: category: established IKE SA flags: 0:
|     -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request)
|   V2_REKEY_IKE_R: category: established IKE SA flags: 0:
|     -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey)
|   V2_REKEY_CHILD_R: category: established IKE SA flags: 0: <none>
|   V2_IPSEC_I: category: established CHILD SA flags: 0: <none>
|   V2_IPSEC_R: category: established CHILD SA flags: 0: <none>
|   IKESA_DEL: category: established IKE SA flags: 0:
|     -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
|   CHILDSA_DEL: category: informational flags: 0: <none>
Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64
| Hard-wiring algorithms
| adding AES_CCM_16 to kernel algorithm db
| adding AES_CCM_12 to kernel algorithm db
| adding AES_CCM_8 to kernel algorithm db
| adding 3DES_CBC to kernel algorithm db
| adding CAMELLIA_CBC to kernel algorithm db
| adding AES_GCM_16 to kernel algorithm db
| adding AES_GCM_12 to kernel algorithm db
| adding AES_GCM_8 to kernel algorithm db
| adding AES_CTR to kernel algorithm db
| adding AES_CBC to kernel algorithm db
| adding SERPENT_CBC to kernel algorithm db
| adding TWOFISH_CBC to kernel algorithm db
| adding NULL_AUTH_AES_GMAC to kernel algorithm db
| adding NULL to kernel algorithm db
| adding CHACHA20_POLY1305 to kernel algorithm db
| adding HMAC_MD5_96 to kernel algorithm db
| adding HMAC_SHA1_96 to kernel algorithm db
| adding HMAC_SHA2_512_256 to kernel algorithm db
| adding HMAC_SHA2_384_192 to kernel algorithm db
| adding HMAC_SHA2_256_128 to kernel algorithm db
| adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db
| adding AES_XCBC_96 to kernel algorithm db
| adding AES_CMAC_96 to kernel algorithm db
| adding NONE to kernel algorithm db
| net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes
| global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds
| setup kernel fd callback
| add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x555f24260478
| libevent_malloc: new ptr-libevent@0x555f24244898 size 128
| libevent_malloc: new ptr-libevent@0x555f24260588 size 16
| add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x555f24260fb8
| libevent_malloc: new ptr-libevent@0x555f24202598 size 128
| libevent_malloc: new ptr-libevent@0x555f24260f78 size 16
| global one-shot timer EVENT_CHECK_CRLS initialized
selinux support is enabled.
| unbound context created - setting debug level to 5
| /etc/hosts lookups activated
| /etc/resolv.conf usage activated
| outgoing-port-avoid set 0-65535
| outgoing-port-permit set 32768-60999
| Loading dnssec root key from:/var/lib/unbound/root.key
| No additional dnssec trust anchors defined via dnssec-trusted= option
| Setting up events, loop start
| add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x555f24261028
| libevent_malloc: new ptr-libevent@0x555f2426d238 size 128
| libevent_malloc: new ptr-libevent@0x555f24278508 size 16
| libevent_realloc: new ptr-libevent@0x555f24278548 size 256
| libevent_malloc: new ptr-libevent@0x555f24278678 size 8
| libevent_realloc: new ptr-libevent@0x555f24202748 size 144
| libevent_malloc: new ptr-libevent@0x555f241f8678 size 152
| libevent_malloc: new ptr-libevent@0x555f242786b8 size 16
| signal event handler PLUTO_SIGCHLD installed
| libevent_malloc: new ptr-libevent@0x555f242786f8 size 8
| libevent_malloc: new ptr-libevent@0x555f241f8748 size 152
| signal event handler PLUTO_SIGTERM installed
| libevent_malloc: new ptr-libevent@0x555f24278738 size 8
| libevent_malloc: new ptr-libevent@0x555f24278778 size 152
| signal event handler PLUTO_SIGHUP installed
| libevent_malloc: new ptr-libevent@0x555f24278848 size 8
| libevent_realloc: release ptr-libevent@0x555f24202748
| libevent_realloc: new ptr-libevent@0x555f24278888 size 256
| libevent_malloc: new ptr-libevent@0x555f242789b8 size 152
| signal event handler PLUTO_SIGSYS installed
| created addconn helper (pid:13265) using fork+execve
| forked child 13265
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
listening for IKE messages
| Inspecting interface lo 
| found lo with address 127.0.0.1
| Inspecting interface eth0 
| found eth0 with address 192.0.2.254
| Inspecting interface eth1 
| found eth1 with address 192.1.2.23
Kernel supports NIC esp-hw-offload
adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface eth1/eth1 192.1.2.23:4500
adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface eth0/eth0 192.0.2.254:4500
adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface lo/lo 127.0.0.1:4500
| no interfaces to sort
| FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
| add_fd_read_event_handler: new ethX-pe@0x555f24278e88
| libevent_malloc: new ptr-libevent@0x555f2426d188 size 128
| libevent_malloc: new ptr-libevent@0x555f24278ef8 size 16
| setup callback for interface lo 127.0.0.1:4500 fd 22
| add_fd_read_event_handler: new ethX-pe@0x555f24278f38
| libevent_malloc: new ptr-libevent@0x555f24202698 size 128
| libevent_malloc: new ptr-libevent@0x555f24278fa8 size 16
| setup callback for interface lo 127.0.0.1:500 fd 21
| add_fd_read_event_handler: new ethX-pe@0x555f24278fe8
| libevent_malloc: new ptr-libevent@0x555f241ff828 size 128
| libevent_malloc: new ptr-libevent@0x555f24279058 size 16
| setup callback for interface eth0 192.0.2.254:4500 fd 20
| add_fd_read_event_handler: new ethX-pe@0x555f24279098
| libevent_malloc: new ptr-libevent@0x555f24204268 size 128
| libevent_malloc: new ptr-libevent@0x555f24279108 size 16
| setup callback for interface eth0 192.0.2.254:500 fd 19
| add_fd_read_event_handler: new ethX-pe@0x555f24279148
| libevent_malloc: new ptr-libevent@0x555f241d74e8 size 128
| libevent_malloc: new ptr-libevent@0x555f242791b8 size 16
| setup callback for interface eth1 192.1.2.23:4500 fd 18
| add_fd_read_event_handler: new ethX-pe@0x555f242791f8
| libevent_malloc: new ptr-libevent@0x555f241d71d8 size 128
| libevent_malloc: new ptr-libevent@0x555f24279268 size 16
| setup callback for interface eth1 192.1.2.23:500 fd 17
| certs and keys locked by 'free_preshared_secrets'
| certs and keys unlocked by 'free_preshared_secrets'
loading secrets from "/etc/ipsec.secrets"
| id type added to secret(0x555f241d2c48) PKK_PSK: %any
| id type added to secret(0x555f241d2c48) PKK_PSK: %any
| Processing PSK at line 10: passed
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| id type added to secret(0x555f2427a9b8) PKK_PSK: @west
| id type added to secret(0x555f2427a9b8) PKK_PSK: @east
| Processing PSK at line 12: passed
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| id type added to secret(0x555f2427aba8) PKK_PSK: @east
| id type added to secret(0x555f2427aba8) PKK_PSK: @roadrandom
| Processing PSK at line 13: passed
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.905 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
listening for IKE messages
| Inspecting interface lo 
| found lo with address 127.0.0.1
| Inspecting interface eth0 
| found eth0 with address 192.0.2.254
| Inspecting interface eth1 
| found eth1 with address 192.1.2.23
| no interfaces to sort
| libevent_free: release ptr-libevent@0x555f2426d188
| free_event_entry: release EVENT_NULL-pe@0x555f24278e88
| add_fd_read_event_handler: new ethX-pe@0x555f24278e88
| libevent_malloc: new ptr-libevent@0x555f2426d188 size 128
| setup callback for interface lo 127.0.0.1:4500 fd 22
| libevent_free: release ptr-libevent@0x555f24202698
| free_event_entry: release EVENT_NULL-pe@0x555f24278f38
| add_fd_read_event_handler: new ethX-pe@0x555f24278f38
| libevent_malloc: new ptr-libevent@0x555f24202698 size 128
| setup callback for interface lo 127.0.0.1:500 fd 21
| libevent_free: release ptr-libevent@0x555f241ff828
| free_event_entry: release EVENT_NULL-pe@0x555f24278fe8
| add_fd_read_event_handler: new ethX-pe@0x555f24278fe8
| libevent_malloc: new ptr-libevent@0x555f241ff828 size 128
| setup callback for interface eth0 192.0.2.254:4500 fd 20
| libevent_free: release ptr-libevent@0x555f24204268
| free_event_entry: release EVENT_NULL-pe@0x555f24279098
| add_fd_read_event_handler: new ethX-pe@0x555f24279098
| libevent_malloc: new ptr-libevent@0x555f24204268 size 128
| setup callback for interface eth0 192.0.2.254:500 fd 19
| libevent_free: release ptr-libevent@0x555f241d74e8
| free_event_entry: release EVENT_NULL-pe@0x555f24279148
| add_fd_read_event_handler: new ethX-pe@0x555f24279148
| libevent_malloc: new ptr-libevent@0x555f241d74e8 size 128
| setup callback for interface eth1 192.1.2.23:4500 fd 18
| libevent_free: release ptr-libevent@0x555f241d71d8
| free_event_entry: release EVENT_NULL-pe@0x555f242791f8
| add_fd_read_event_handler: new ethX-pe@0x555f242791f8
| libevent_malloc: new ptr-libevent@0x555f241d71d8 size 128
| setup callback for interface eth1 192.1.2.23:500 fd 17
| certs and keys locked by 'free_preshared_secrets'
forgetting secrets
| certs and keys unlocked by 'free_preshared_secrets'
loading secrets from "/etc/ipsec.secrets"
| id type added to secret(0x555f241d2c48) PKK_PSK: %any
| id type added to secret(0x555f241d2c48) PKK_PSK: %any
| Processing PSK at line 10: passed
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| id type added to secret(0x555f2427a9b8) PKK_PSK: @west
| id type added to secret(0x555f2427a9b8) PKK_PSK: @east
| Processing PSK at line 12: passed
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| id type added to secret(0x555f2427aba8) PKK_PSK: @east
| id type added to secret(0x555f2427aba8) PKK_PSK: @roadrandom
| Processing PSK at line 13: passed
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.326 milliseconds in whack
| processing signal PLUTO_SIGCHLD
| waitpid returned pid 13265 (exited with status 0)
| reaped addconn helper child (status 0)
| waitpid returned ECHILD (no child processes left)
| spent 0.0156 milliseconds in signal handler PLUTO_SIGCHLD
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection road-eastnet-psk with policy PSK+ENCRYPT+TUNNEL+PFS+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
| ike (phase1) algorithm values: 3DES_CBC-HMAC_SHA1-MODP2048, 3DES_CBC-HMAC_SHA1-MODP1536
| counting wild cards for @roadrandom is 0
| counting wild cards for @east is 0
| based upon policy, the connection is a template.
| connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none
| new hp@0x555f2427a428
added connection description "road-eastnet-psk"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
| 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]---192.1.2.45...%virtual[@roadrandom]===vhost:?
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.109 milliseconds in whack
| spent 0.00524 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 452 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   ad ce 63 19  97 a7 3c c1
|    responder cookie:
|   00 00 00 00  00 00 00 00
|    next payload type: ISAKMP_NEXT_SA (0x1)
|    ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10)
|    exchange type: ISAKMP_XCHG_AGGR (0x4)
|    flags: none (0x0)
|    Message ID: 0 (0x0)
|    length: 452 (0x1c4)
|  processing version=1.0 packet with exchange type=ISAKMP_XCHG_AGGR (4)
| State DB: IKEv1 state not found (find_state_ikev1_init)
| #null state always idle
| got payload 0x2  (ISAKMP_NEXT_SA) needed: 0x432 opt: 0x102000
| ***parse ISAKMP Security Association Payload:
|    next payload type: ISAKMP_NEXT_KE (0x4)
|    length: 52 (0x34)
|    DOI: ISAKMP_DOI_IPSEC (0x1)
| got payload 0x10  (ISAKMP_NEXT_KE) needed: 0x430 opt: 0x102000
| ***parse ISAKMP Key Exchange Payload:
|    next payload type: ISAKMP_NEXT_NONCE (0xa)
|    length: 196 (0xc4)
| got payload 0x400  (ISAKMP_NEXT_NONCE) needed: 0x420 opt: 0x102000
| ***parse ISAKMP Nonce Payload:
|    next payload type: ISAKMP_NEXT_ID (0x5)
|    length: 36 (0x24)
| got payload 0x20  (ISAKMP_NEXT_ID) needed: 0x20 opt: 0x102000
| ***parse ISAKMP Identification Payload:
|    next payload type: ISAKMP_NEXT_VID (0xd)
|    length: 18 (0x12)
|    ID type: ID_FQDN (0x2)
|    DOI specific A: 0 (0x0)
|    DOI specific B: 0 (0x0)
|      obj:   72 6f 61 64  72 61 6e 64  6f 6d
| got payload 0x2000  (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000
| ***parse ISAKMP Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_VID (0xd)
|    length: 20 (0x14)
| got payload 0x2000  (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000
| ***parse ISAKMP Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_VID (0xd)
|    length: 20 (0x14)
| got payload 0x2000  (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000
| ***parse ISAKMP Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_VID (0xd)
|    length: 20 (0x14)
| got payload 0x2000  (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000
| ***parse ISAKMP Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_VID (0xd)
|    length: 20 (0x14)
| got payload 0x2000  (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000
| ***parse ISAKMP Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_VID (0xd)
|    length: 20 (0x14)
| got payload 0x2000  (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000
| ***parse ISAKMP Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    length: 20 (0x14)
| removing 2 bytes of padding
| message 'aggr_inI1_outR1' HASH payload not checked early
| received Vendor ID payload [FRAGMENTATION]
| received Vendor ID payload [Dead Peer Detection]
|  quirks.qnat_traversal_vid set to=117 [RFC 3947]
| received Vendor ID payload [RFC 3947]
| Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
| ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
| Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
| ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
| Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
| ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
| in statetime_start() with no state
| ****parse IPsec DOI SIT:
|    IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1)
| ****parse ISAKMP Proposal Payload:
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    length: 40 (0x28)
|    proposal number: 0 (0x0)
|    protocol ID: PROTO_ISAKMP (0x1)
|    SPI size: 0 (0x0)
|    number of transforms: 1 (0x1)
| *****parse ISAKMP Transform Payload (ISAKMP):
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    length: 32 (0x20)
|    ISAKMP transform number: 0 (0x0)
|    ISAKMP transform ID: KEY_IKE (0x1)
| ******parse ISAKMP Oakley attribute:
|    af+type: AF+OAKLEY_LIFE_TYPE (0x800b)
|    length/value: 1 (0x1)
| ******parse ISAKMP Oakley attribute:
|    af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c)
|    length/value: 3600 (0xe10)
| ******parse ISAKMP Oakley attribute:
|    af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001)
|    length/value: 5 (0x5)
| ******parse ISAKMP Oakley attribute:
|    af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002)
|    length/value: 2 (0x2)
| ******parse ISAKMP Oakley attribute:
|    af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003)
|    length/value: 1 (0x1)
| ******parse ISAKMP Oakley attribute:
|    af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004)
|    length/value: 5 (0x5)
| find_host_connection local=192.1.2.23:500 remote=192.1.3.209:500 policy=PSK+AGGRESSIVE+IKEV1_ALLOW but ignoring ports
| find_next_host_connection policy=PSK+AGGRESSIVE+IKEV1_ALLOW
| find_next_host_connection returns empty
| find_host_connection local=192.1.2.23:500 remote=<none:> policy=PSK+AGGRESSIVE+IKEV1_ALLOW but ignoring ports
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| find_next_host_connection policy=PSK+AGGRESSIVE+IKEV1_ALLOW
| found policy = PSK+ENCRYPT+TUNNEL+PFS+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (road-eastnet-psk)
| find_next_host_connection returns road-eastnet-psk
| find_next_host_connection policy=PSK+AGGRESSIVE+IKEV1_ALLOW
| find_next_host_connection returns empty
| connect_to_host_pair: 192.1.2.23:500 192.1.3.209:500 -> hp@(nil): none
| new hp@0x555f2427a898
| rw_instantiate() instantiated "road-eastnet-psk"[1] 192.1.3.209 for 192.1.3.209
packet from 192.1.3.209:500: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
| creating state object #1 at 0x555f2427cc68
| State DB: adding IKEv1 state #1 in UNDEFINED
| pstats #1 ikev1.isakmp started
| #1 updating local interface from <none> to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669)
| start processing: state #1 from 192.1.3.209:500 (in aggr_inI1_outR1() at ikev1_aggr.c:181)
| parent state #1: UNDEFINED(ignore) => AGGR_R1(open IKE SA)
"road-eastnet-psk"[1] 192.1.3.209 #1: Peer ID is ID_FQDN: '@roadrandom'
| X509: no CERT payloads to process
"road-eastnet-psk"[1] 192.1.3.209 #1: responding to Aggressive Mode, state #1, connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209
| sender checking NAT-T: enabled; VID 117
| returning NAT-T method NAT_TRAVERSAL_METHOD_IETF_RFC
| enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
| ****parse IPsec DOI SIT:
|    IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1)
| ****parse ISAKMP Proposal Payload:
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    length: 40 (0x28)
|    proposal number: 0 (0x0)
|    protocol ID: PROTO_ISAKMP (0x1)
|    SPI size: 0 (0x0)
|    number of transforms: 1 (0x1)
| *****parse ISAKMP Transform Payload (ISAKMP):
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    length: 32 (0x20)
|    ISAKMP transform number: 0 (0x0)
|    ISAKMP transform ID: KEY_IKE (0x1)
| ******parse ISAKMP Oakley attribute:
|    af+type: AF+OAKLEY_LIFE_TYPE (0x800b)
|    length/value: 1 (0x1)
|    [1 is OAKLEY_LIFE_SECONDS]
| ******parse ISAKMP Oakley attribute:
|    af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c)
|    length/value: 3600 (0xe10)
| ******parse ISAKMP Oakley attribute:
|    af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001)
|    length/value: 5 (0x5)
|    [5 is OAKLEY_3DES_CBC]
| ******parse ISAKMP Oakley attribute:
|    af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002)
|    length/value: 2 (0x2)
|    [2 is OAKLEY_SHA1]
| ******parse ISAKMP Oakley attribute:
|    af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003)
|    length/value: 1 (0x1)
|    [1 is OAKLEY_PRESHARED_KEY]
| started looking for secret for @east->@roadrandom of kind PKK_PSK
| actually looking for secret for @east->@roadrandom of kind PKK_PSK
| line 12: key type PKK_PSK(@east) to type PKK_PSK
| 1: compared key @roadrandom to @east / @roadrandom -> 004
| 2: compared key @east to @east / @roadrandom -> 014
| line 12: match=014
| match 014 beats previous best_match 000 match=0x555f2427aba8 (line=12)
| line 10: key type PKK_PSK(@east) to type PKK_PSK
| 1: compared key @east to @east / @roadrandom -> 010
| 2: compared key @west to @east / @roadrandom -> 010
| line 10: match=010
| line 9: key type PKK_PSK(@east) to type PKK_PSK
| 1: compared key %any to @east / @roadrandom -> 002
| 2: compared key %any to @east / @roadrandom -> 002
| line 9: match=002
| match 002 loses to best_match 014
| concluding with best_match=014 best=0x555f2427aba8 (lineno=12)
| ******parse ISAKMP Oakley attribute:
|    af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004)
|    length/value: 5 (0x5)
|    [5 is OAKLEY_GROUP_MODP1536]
| OAKLEY proposal verified; matching alg_info found
| Oakley Transform 0 accepted
| adding outI2 KE work-order 1 for state #1
| event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x555f2427e418
| inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1
| libevent_malloc: new ptr-libevent@0x555f2427c968 size 128
| complete v1 state transition with STF_SUSPEND
| crypto helper 0 resuming
| [RE]START processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v1_state_transition() at ikev1.c:2648)
| crypto helper 0 starting work-order 1 for state #1
| suspending state #1 and saving MD
| #1 is busy; has a suspended MD
| crypto helper 0 doing build KE and nonce (outI2 KE); request ID 1
| stop processing: from 192.1.3.209:500 (BACKGROUND) (in process_md() at demux.c:380)
| stop processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.857 milliseconds in comm_handle_cb() reading and processing packet
| crypto helper 0 finished build KE and nonce (outI2 KE); request ID 1 time elapsed 0.000736 seconds
| (#1) spent 0.737 milliseconds in crypto helper computing work-order 1: outI2 KE (pcr)
| crypto helper 0 sending results from work-order 1 for state #1 to event queue
| scheduling resume sending helper answer for #1
| libevent_malloc: new ptr-libevent@0x7f32a8001af8 size 128
| crypto helper 0 waiting (nothing to do)
| processing resume sending helper answer for #1
| start processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797)
| crypto helper 0 replies to request ID 1
| calling continuation function 0x555f23a49b50
| aggr inI1_outR1: calculated ke+nonce, calculating DH
| started looking for secret for @east->@roadrandom of kind PKK_PSK
| actually looking for secret for @east->@roadrandom of kind PKK_PSK
| line 12: key type PKK_PSK(@east) to type PKK_PSK
| 1: compared key @roadrandom to @east / @roadrandom -> 004
| 2: compared key @east to @east / @roadrandom -> 014
| line 12: match=014
| match 014 beats previous best_match 000 match=0x555f2427aba8 (line=12)
| line 10: key type PKK_PSK(@east) to type PKK_PSK
| 1: compared key @east to @east / @roadrandom -> 010
| 2: compared key @west to @east / @roadrandom -> 010
| line 10: match=010
| line 9: key type PKK_PSK(@east) to type PKK_PSK
| 1: compared key %any to @east / @roadrandom -> 002
| 2: compared key %any to @east / @roadrandom -> 002
| line 9: match=002
| match 002 loses to best_match 014
| concluding with best_match=014 best=0x555f2427aba8 (lineno=12)
| adding aggr outR1 DH work-order 2 for state #1
| state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted
| libevent_free: release ptr-libevent@0x555f2427c968
| free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x555f2427e418
| event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x555f2427e418
| inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1
| libevent_malloc: new ptr-libevent@0x555f2427c968 size 128
| suspending state #1 and saving MD
| #1 is busy; has a suspended MD
| resume sending helper answer for #1 suppresed complete_v1_state_transition() and stole MD
| crypto helper 1 resuming
| crypto helper 1 starting work-order 2 for state #1
| #1 spent 0.118 milliseconds in resume sending helper answer
| crypto helper 1 doing compute dh+iv (V1 Phase 1) (aggr outR1 DH); request ID 2
| stop processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:833)
| libevent_free: release ptr-libevent@0x7f32a8001af8
| crypto helper 1 finished compute dh+iv (V1 Phase 1) (aggr outR1 DH); request ID 2 time elapsed 0.000982 seconds
| (#1) spent 0.988 milliseconds in crypto helper computing work-order 2: aggr outR1 DH (pcr)
| crypto helper 1 sending results from work-order 2 for state #1 to event queue
| scheduling resume sending helper answer for #1
| libevent_malloc: new ptr-libevent@0x7f32a0000ed8 size 128
| crypto helper 1 waiting (nothing to do)
| processing resume sending helper answer for #1
| start processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797)
| crypto helper 1 replies to request ID 2
| calling continuation function 0x555f23a49b50
| aggr_inI1_outR1_continue2 for #1: calculated ke+nonce+DH, sending R1
| thinking about whether to send my certificate:
|   I have RSA key: OAKLEY_PRESHARED_KEY cert.type: 0?? 
|   sendcert: CERT_ALWAYSSEND and I did not get a certificate request 
|   so do not send cert.
| I did not send a certificate because digital signatures are not being used. (PSK)
|  I am not sending a certificate request
| **emit ISAKMP Message:
|    initiator cookie:
|   ad ce 63 19  97 a7 3c c1
|    responder cookie:
|   1b 1c ee 08  09 19 e0 e9
|    next payload type: ISAKMP_NEXT_SA (0x1)
|    ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10)
|    exchange type: ISAKMP_XCHG_AGGR (0x4)
|    flags: none (0x0)
|    Message ID: 0 (0x0)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 1:ISAKMP_NEXT_SA
| ***emit ISAKMP Security Association Payload:
|    next payload type: ISAKMP_NEXT_KE (0x4)
|    DOI: ISAKMP_DOI_IPSEC (0x1)
| next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 4:ISAKMP_NEXT_KE
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA)
| next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet'
| ****parse IPsec DOI SIT:
|    IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1)
| ****parse ISAKMP Proposal Payload:
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    length: 40 (0x28)
|    proposal number: 0 (0x0)
|    protocol ID: PROTO_ISAKMP (0x1)
|    SPI size: 0 (0x0)
|    number of transforms: 1 (0x1)
| *****parse ISAKMP Transform Payload (ISAKMP):
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    length: 32 (0x20)
|    ISAKMP transform number: 0 (0x0)
|    ISAKMP transform ID: KEY_IKE (0x1)
| ******parse ISAKMP Oakley attribute:
|    af+type: AF+OAKLEY_LIFE_TYPE (0x800b)
|    length/value: 1 (0x1)
|    [1 is OAKLEY_LIFE_SECONDS]
| ******parse ISAKMP Oakley attribute:
|    af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c)
|    length/value: 3600 (0xe10)
| ******parse ISAKMP Oakley attribute:
|    af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001)
|    length/value: 5 (0x5)
|    [5 is OAKLEY_3DES_CBC]
| ******parse ISAKMP Oakley attribute:
|    af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002)
|    length/value: 2 (0x2)
|    [2 is OAKLEY_SHA1]
| ******parse ISAKMP Oakley attribute:
|    af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003)
|    length/value: 1 (0x1)
|    [1 is OAKLEY_PRESHARED_KEY]
| started looking for secret for @east->@roadrandom of kind PKK_PSK
| actually looking for secret for @east->@roadrandom of kind PKK_PSK
| line 12: key type PKK_PSK(@east) to type PKK_PSK
| 1: compared key @roadrandom to @east / @roadrandom -> 004
| 2: compared key @east to @east / @roadrandom -> 014
| line 12: match=014
| match 014 beats previous best_match 000 match=0x555f2427aba8 (line=12)
| line 10: key type PKK_PSK(@east) to type PKK_PSK
| 1: compared key @east to @east / @roadrandom -> 010
| 2: compared key @west to @east / @roadrandom -> 010
| line 10: match=010
| line 9: key type PKK_PSK(@east) to type PKK_PSK
| 1: compared key %any to @east / @roadrandom -> 002
| 2: compared key %any to @east / @roadrandom -> 002
| line 9: match=002
| match 002 loses to best_match 014
| concluding with best_match=014 best=0x555f2427aba8 (lineno=12)
| ******parse ISAKMP Oakley attribute:
|    af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004)
|    length/value: 5 (0x5)
|    [5 is OAKLEY_GROUP_MODP1536]
| OAKLEY proposal verified; matching alg_info found
| Oakley Transform 0 accepted
| ****emit IPsec DOI SIT:
|    IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1)
| ****emit ISAKMP Proposal Payload:
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    proposal number: 0 (0x0)
|    protocol ID: PROTO_ISAKMP (0x1)
|    SPI size: 0 (0x0)
|    number of transforms: 1 (0x1)
| last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type'
| *****emit ISAKMP Transform Payload (ISAKMP):
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP transform number: 0 (0x0)
|    ISAKMP transform ID: KEY_IKE (0x1)
| last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type'
| emitting 24 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP)
| attributes  80 0b 00 01  80 0c 0e 10  80 01 00 05  80 02 00 02
| attributes  80 03 00 01  80 04 00 05
| emitting length of ISAKMP Transform Payload (ISAKMP): 32
| emitting length of ISAKMP Proposal Payload: 40
| last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is 0
| emitting length of ISAKMP Security Association Payload: 52
| last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0
| ***emit ISAKMP Key Exchange Payload:
|    next payload type: ISAKMP_NEXT_NONCE (0xa)
| next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE
| next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE)
| next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet'
| emitting 192 raw bytes of keyex value into ISAKMP Key Exchange Payload
| emitting length of ISAKMP Key Exchange Payload: 196
| ***emit ISAKMP Nonce Payload:
|    next payload type: ISAKMP_NEXT_ID (0x5)
| next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 5:ISAKMP_NEXT_ID
| next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE)
| next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet'
| emitting 32 raw bytes of Nr into ISAKMP Nonce Payload
| Nr  60 bf 07 79  d0 42 d6 25  d6 cd 9a 39  91 a7 e6 db
| Nr  a6 7c 88 f6  22 e5 9b 14  6d 6f 10 9f  ff a4 58 3e
| emitting length of ISAKMP Nonce Payload: 36
| ***emit ISAKMP Identification Payload (IPsec DOI):
|    next payload type: ISAKMP_NEXT_HASH (0x8)
|    ID type: ID_FQDN (0x2)
|    Protocol ID: 0 (0x0)
|    port: 0 (0x0)
| next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 8:ISAKMP_NEXT_HASH
| next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID)
| next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet'
| emitting 4 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI)
| my identity  65 61 73 74
| emitting length of ISAKMP Identification Payload (IPsec DOI): 12
| ***emit ISAKMP Hash Payload:
|    next payload type: ISAKMP_NEXT_VID (0xd)
| next payload chain: ignoring supplied 'ISAKMP Hash Payload'.'next payload type' value 13:ISAKMP_NEXT_VID
| next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH)
| next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet'
| emitting 20 raw bytes of HASH_R into ISAKMP Hash Payload
| HASH_R  c3 cf e8 fa  eb 3f a8 c7  5c 3e 79 7d  79 8d 13 42
| HASH_R  e3 77 7d d5
| emitting length of ISAKMP Hash Payload: 24
| out_vid(): sending [FRAGMENTATION]
| ***emit ISAKMP Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_VID (0xd)
| next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID
| next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID)
| next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet'
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID  40 48 b7 d5  6e bc e8 85  25 e7 de 7f  00 d6 c2 d3
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vid(): sending [Dead Peer Detection]
| ***emit ISAKMP Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_NONE (0x0)
| next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID)
| next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet'
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID  af ca d7 13  68 a1 f1 c9  6b 86 96 fc  77 57 01 00
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vid(): sending [RFC 3947]
| ***emit ISAKMP Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_NONE (0x0)
| next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID)
| next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet'
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID  4a 13 1c 81  07 03 58 45  5c 57 28 f2  0e 95 45 2f
| emitting length of ISAKMP Vendor ID Payload: 20
| sending NAT-D payloads
| natd_hash: hasher=0x555f23b1e800(20)
| natd_hash: icookie=  ad ce 63 19  97 a7 3c c1
| natd_hash: rcookie=  1b 1c ee 08  09 19 e0 e9
| natd_hash: ip=  c0 01 03 d1
| natd_hash: port=500
| natd_hash: hash=  88 f0 68 bf  86 83 7c b4  b3 b5 c2 8a  8c dd 12 08
| natd_hash: hash=  59 08 b5 4c
| ***emit ISAKMP NAT-D Payload:
|    next payload type: ISAKMP_NEXT_NATD_RFC (0x14)
| next payload chain: ignoring supplied 'ISAKMP NAT-D Payload'.'next payload type' value 20:ISAKMP_NEXT_NATD_RFC
| next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC)
| next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet'
| emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload
| NAT-D  88 f0 68 bf  86 83 7c b4  b3 b5 c2 8a  8c dd 12 08
| NAT-D  59 08 b5 4c
| emitting length of ISAKMP NAT-D Payload: 24
| natd_hash: hasher=0x555f23b1e800(20)
| natd_hash: icookie=  ad ce 63 19  97 a7 3c c1
| natd_hash: rcookie=  1b 1c ee 08  09 19 e0 e9
| natd_hash: ip=  c0 01 02 17
| natd_hash: port=500
| natd_hash: hash=  80 85 37 92  f2 f4 00 be  7a 84 e7 4f  4f 1b 85 46
| natd_hash: hash=  e4 4b 1e 1a
| ***emit ISAKMP NAT-D Payload:
|    next payload type: ISAKMP_NEXT_NONE (0x0)
| next payload chain: setting previous 'ISAKMP NAT-D Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC)
| next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet'
| emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload
| NAT-D  80 85 37 92  f2 f4 00 be  7a 84 e7 4f  4f 1b 85 46
| NAT-D  e4 4b 1e 1a
| emitting length of ISAKMP NAT-D Payload: 24
| no IKEv1 message padding required
| emitting length of ISAKMP Message: 456
| complete v1 state transition with STF_OK
| [RE]START processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v1_state_transition() at ikev1.c:2673)
| #1 is idle
| doing_xauth:no, t_xauth_client_done:no
| peer supports fragmentation
| peer supports DPD
| IKEv1: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
| event_already_set, deleting event
| state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted
| libevent_free: release ptr-libevent@0x555f2427c968
| free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x555f2427e418
| sending reply packet to 192.1.3.209:500 (from 192.1.2.23:500)
| sending 456 bytes for STATE_AGGR_R0 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1)
| !event_already_set at reschedule
| event_schedule: new EVENT_SO_DISCARD-pe@0x555f2427e418
| inserting event EVENT_SO_DISCARD, timeout in 60 seconds for #1
| libevent_malloc: new ptr-libevent@0x555f2427db78 size 128
"road-eastnet-psk"[1] 192.1.3.209 #1: STATE_AGGR_R1: sent AR1, expecting AI2
| modecfg pull: noquirk policy:push not-client
| phase 1 is done, looking for phase 2 to unpend
| resume sending helper answer for #1 suppresed complete_v1_state_transition()
| #1 spent 0.868 milliseconds in resume sending helper answer
| stop processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:833)
| libevent_free: release ptr-libevent@0x7f32a0000ed8
| spent 0.00482 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 100 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   ad ce 63 19  97 a7 3c c1
|    responder cookie:
|   1b 1c ee 08  09 19 e0 e9
|    next payload type: ISAKMP_NEXT_NATD_RFC (0x14)
|    ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10)
|    exchange type: ISAKMP_XCHG_AGGR (0x4)
|    flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1)
|    Message ID: 0 (0x0)
|    length: 100 (0x64)
|  processing version=1.0 packet with exchange type=ISAKMP_XCHG_AGGR (4)
| State DB: found IKEv1 state #1 in AGGR_R1 (find_state_ikev1)
| start processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in process_v1_packet() at ikev1.c:1459)
| #1 is idle
| #1 idle
| received encrypted packet from 192.1.3.209:500
| got payload 0x100000  (ISAKMP_NEXT_NATD_RFC) needed: 0x100 opt: 0x102000
| ***parse ISAKMP NAT-D Payload:
|    next payload type: ISAKMP_NEXT_NATD_RFC (0x14)
|    length: 24 (0x18)
| got payload 0x100000  (ISAKMP_NEXT_NATD_RFC) needed: 0x100 opt: 0x102000
| ***parse ISAKMP NAT-D Payload:
|    next payload type: ISAKMP_NEXT_HASH (0x8)
|    length: 24 (0x18)
| got payload 0x100  (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x102000
| ***parse ISAKMP Hash Payload:
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    length: 24 (0x18)
| message 'aggr_inI2' HASH payload not checked early
| init checking NAT-T: enabled; RFC 3947 (NAT-Traversal)
| natd_hash: hasher=0x555f23b1e800(20)
| natd_hash: icookie=  ad ce 63 19  97 a7 3c c1
| natd_hash: rcookie=  1b 1c ee 08  09 19 e0 e9
| natd_hash: ip=  c0 01 02 17
| natd_hash: port=500
| natd_hash: hash=  80 85 37 92  f2 f4 00 be  7a 84 e7 4f  4f 1b 85 46
| natd_hash: hash=  e4 4b 1e 1a
| natd_hash: hasher=0x555f23b1e800(20)
| natd_hash: icookie=  ad ce 63 19  97 a7 3c c1
| natd_hash: rcookie=  1b 1c ee 08  09 19 e0 e9
| natd_hash: ip=  c0 01 03 d1
| natd_hash: port=500
| natd_hash: hash=  88 f0 68 bf  86 83 7c b4  b3 b5 c2 8a  8c dd 12 08
| natd_hash: hash=  59 08 b5 4c
| expected NAT-D(me):  80 85 37 92  f2 f4 00 be  7a 84 e7 4f  4f 1b 85 46
| expected NAT-D(me):  e4 4b 1e 1a
| expected NAT-D(him):
|   88 f0 68 bf  86 83 7c b4  b3 b5 c2 8a  8c dd 12 08
|   59 08 b5 4c
| received NAT-D:  80 85 37 92  f2 f4 00 be  7a 84 e7 4f  4f 1b 85 46
| received NAT-D:  e4 4b 1e 1a
| received NAT-D:  88 f0 68 bf  86 83 7c b4  b3 b5 c2 8a  8c dd 12 08
| received NAT-D:  59 08 b5 4c
| NAT_TRAVERSAL encaps using auto-detect
| NAT_TRAVERSAL this end is NOT behind NAT
| NAT_TRAVERSAL that end is NOT behind NAT
| NAT_TRAVERSAL nat-keepalive enabled 192.1.3.209
| NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
|  NAT_T_WITH_KA detected
| global one-shot timer EVENT_NAT_T_KEEPALIVE scheduled in 20 seconds
| next payload chain: creating a fake payload for hashing identity
| **emit ISAKMP Identification Payload (IPsec DOI):
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ID type: ID_FQDN (0x2)
|    Protocol ID: 0 (0x0)
|    port: 0 (0x0)
| next payload chain: no previous for current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID); assumed to be fake
| emitting 10 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI)
| my identity  72 6f 61 64  72 61 6e 64  6f 6d
| emitting length of ISAKMP Identification Payload (IPsec DOI): 18
| ***parse ISAKMP Identification Payload:
|    next payload type: 250?? (0xfa)
|    length: 18 (0x12)
|    ID type: ID_FQDN (0x2)
|    DOI specific A: 0 (0x0)
|    DOI specific B: 0 (0x0)
"road-eastnet-psk"[1] 192.1.3.209 #1: Peer ID is ID_FQDN: '@roadrandom'
| X509: no CERT payloads to process
| received 'Aggr' message HASH_I data ok
| phase 1 complete
| FOR_EACH_CONNECTION_... in ISAKMP_SA_established
| complete v1 state transition with STF_OK
| [RE]START processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v1_state_transition() at ikev1.c:2673)
| #1 is idle
| doing_xauth:no, t_xauth_client_done:no
| IKEv1: transition from state STATE_AGGR_R1 to state STATE_AGGR_R2
| parent state #1: AGGR_R1(open IKE SA) => AGGR_R2(established IKE SA)
| event_already_set, deleting event
| state #1 requesting EVENT_SO_DISCARD to be deleted
| libevent_free: release ptr-libevent@0x555f2427db78
| free_event_entry: release EVENT_SO_DISCARD-pe@0x555f2427e418
| !event_already_set at reschedule
| event_schedule: new EVENT_SA_REPLACE-pe@0x555f2427e418
| inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #1
| libevent_malloc: new ptr-libevent@0x7f32a0000ed8 size 128
| pstats #1 ikev1.isakmp established
"road-eastnet-psk"[1] 192.1.3.209 #1: STATE_AGGR_R2: ISAKMP SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1536}
| DPD: dpd_init() called on ISAKMP SA
| DPD: Peer supports Dead Peer Detection
| DPD: not initializing DPD because DPD is disabled locally
| modecfg pull: noquirk policy:push not-client
| phase 1 is done, looking for phase 2 to unpend
| unpending state #1
| #1 spent 0.37 milliseconds in process_packet_tail()
| stop processing: from 192.1.3.209:500 (BACKGROUND) (in process_md() at demux.c:380)
| stop processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.558 milliseconds in comm_handle_cb() reading and processing packet
| spent 0.00493 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 396 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   ad ce 63 19  97 a7 3c c1
|    responder cookie:
|   1b 1c ee 08  09 19 e0 e9
|    next payload type: ISAKMP_NEXT_HASH (0x8)
|    ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10)
|    exchange type: ISAKMP_XCHG_QUICK (0x20)
|    flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1)
|    Message ID: 4140458180 (0xf6ca60c4)
|    length: 396 (0x18c)
|  processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32)
| State DB: IKEv1 state not found (find_state_ikev1)
| State DB: found IKEv1 state #1 in AGGR_R2 (find_state_ikev1)
| start processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in process_v1_packet() at ikev1.c:1607)
| #1 is idle
| #1 idle
| received encrypted packet from 192.1.3.209:500
| got payload 0x100  (ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030
| ***parse ISAKMP Hash Payload:
|    next payload type: ISAKMP_NEXT_SA (0x1)
|    length: 24 (0x18)
| got payload 0x2  (ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030
| ***parse ISAKMP Security Association Payload:
|    next payload type: ISAKMP_NEXT_NONCE (0xa)
|    length: 84 (0x54)
|    DOI: ISAKMP_DOI_IPSEC (0x1)
| got payload 0x400  (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030
| ***parse ISAKMP Nonce Payload:
|    next payload type: ISAKMP_NEXT_KE (0x4)
|    length: 36 (0x24)
| got payload 0x10  (ISAKMP_NEXT_KE) needed: 0x0 opt: 0x200030
| ***parse ISAKMP Key Exchange Payload:
|    next payload type: ISAKMP_NEXT_ID (0x5)
|    length: 196 (0xc4)
| got payload 0x20  (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030
| ***parse ISAKMP Identification Payload (IPsec DOI):
|    next payload type: ISAKMP_NEXT_ID (0x5)
|    length: 12 (0xc)
|    ID type: ID_IPV4_ADDR (0x1)
|    Protocol ID: 0 (0x0)
|    port: 0 (0x0)
|      obj:   c0 01 03 d1
| got payload 0x20  (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030
| ***parse ISAKMP Identification Payload (IPsec DOI):
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    length: 16 (0x10)
|    ID type: ID_IPV4_ADDR_SUBNET (0x4)
|    Protocol ID: 0 (0x0)
|    port: 0 (0x0)
|      obj:   c0 00 02 00  ff ff ff 00
| quick_inI1_outR1 HASH(1):
|   b4 0d 04 13  a5 b0 91 97  fc 97 bd 5e  68 18 d9 c5
|   68 cd ec 5b
| received 'quick_inI1_outR1' message HASH(1) data ok
| parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address
| ID address  c0 01 03 d1
| peer client is 192.1.3.209/32
| peer client protocol/port is 0/0
| parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address
| ID address  c0 00 02 00
| parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask
| ID mask  ff ff ff 00
| our client is subnet 192.0.2.0/24
| our client protocol/port is 0/0
"road-eastnet-psk"[1] 192.1.3.209 #1: the peer proposed: 192.0.2.0/24:0/0 -> 192.1.3.209/32:0/0
| find_client_connection starting with road-eastnet-psk
|   looking for 192.0.2.0/24:0/0 -> 192.1.3.209/32:0/0
|   concrete checking against sr#0 192.0.2.0/24 -> 0.0.0.0/32
|    match_id a=@roadrandom
|             b=@roadrandom
|    results  matched
|   fc_try trying road-eastnet-psk:192.0.2.0/24:0/0 -> 192.1.3.209/32:0/0(virt) vs road-eastnet-psk:192.0.2.0/24:0/0 -> 0.0.0.0/32:0/0(virt)
| FOR_EACH_CONNECTION_... in is_virtual_net_used
|   fc_try concluding with road-eastnet-psk [129]
|   fc_try road-eastnet-psk gives road-eastnet-psk
|   concluding with d = road-eastnet-psk
| client wildcard: no  port wildcard: no  virtual: yes
| setting phase 2 virtual values to 192.1.3.209[@roadrandom]
| creating state object #2 at 0x555f2427e488
| State DB: adding IKEv1 state #2 in UNDEFINED
| pstats #2 ikev1.ipsec started
| duplicating state object #1 "road-eastnet-psk"[1] 192.1.3.209 as #2 for IPSEC SA
| #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484)
| suspend processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295)
| start processing: state #2 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295)
| child state #2: UNDEFINED(ignore) => QUICK_R0(established CHILD SA)
| ****parse IPsec DOI SIT:
|    IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1)
| ****parse ISAKMP Proposal Payload:
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    length: 72 (0x48)
|    proposal number: 0 (0x0)
|    protocol ID: PROTO_IPSEC_ESP (0x3)
|    SPI size: 4 (0x4)
|    number of transforms: 2 (0x2)
| parsing 4 raw bytes of ISAKMP Proposal Payload into SPI
| SPI  45 83 f8 0a
| *****parse ISAKMP Transform Payload (ESP):
|    next payload type: ISAKMP_NEXT_T (0x3)
|    length: 32 (0x20)
|    ESP transform number: 0 (0x0)
|    ESP transform ID: ESP_AES (0xc)
| ******parse ISAKMP IPsec DOI attribute:
|    af+type: AF+GROUP_DESCRIPTION (0x8003)
|    length/value: 5 (0x5)
|    [5 is OAKLEY_GROUP_MODP1536]
| ******parse ISAKMP IPsec DOI attribute:
|    af+type: AF+ENCAPSULATION_MODE (0x8004)
|    length/value: 1 (0x1)
|    [1 is ENCAPSULATION_MODE_TUNNEL]
| NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none
| ******parse ISAKMP IPsec DOI attribute:
|    af+type: AF+SA_LIFE_TYPE (0x8001)
|    length/value: 1 (0x1)
|    [1 is SA_LIFE_TYPE_SECONDS]
| ******parse ISAKMP IPsec DOI attribute:
|    af+type: AF+SA_LIFE_DURATION (variable length) (0x8002)
|    length/value: 28800 (0x7080)
| ******parse ISAKMP IPsec DOI attribute:
|    af+type: AF+AUTH_ALGORITHM (0x8005)
|    length/value: 2 (0x2)
|    [2 is AUTH_ALGORITHM_HMAC_SHA1]
| ******parse ISAKMP IPsec DOI attribute:
|    af+type: AF+KEY_LENGTH (0x8006)
|    length/value: 128 (0x80)
| ESP IPsec Transform verified unconditionally; no alg_info to check against
| adding quick_outI1 KE work-order 3 for state #2
| event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x555f2427d848
| inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2
| libevent_malloc: new ptr-libevent@0x555f2427e0c8 size 128
| complete v1 state transition with STF_SUSPEND
| [RE]START processing: state #2 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v1_state_transition() at ikev1.c:2648)
| suspending state #2 and saving MD
| #2 is busy; has a suspended MD
| #1 spent 0.285 milliseconds in process_packet_tail()
| stop processing: from 192.1.3.209:500 (BACKGROUND) (in process_md() at demux.c:380)
| stop processing: state #2 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.635 milliseconds in comm_handle_cb() reading and processing packet
| crypto helper 2 resuming
| crypto helper 2 starting work-order 3 for state #2
| crypto helper 2 doing build KE and nonce (quick_outI1 KE); request ID 3
| crypto helper 2 finished build KE and nonce (quick_outI1 KE); request ID 3 time elapsed 0.000632 seconds
| (#2) spent 0.64 milliseconds in crypto helper computing work-order 3: quick_outI1 KE (pcr)
| crypto helper 2 sending results from work-order 3 for state #2 to event queue
| scheduling resume sending helper answer for #2
| libevent_malloc: new ptr-libevent@0x7f32a4001af8 size 128
| libevent_realloc: release ptr-libevent@0x555f2425b7a8
| libevent_realloc: new ptr-libevent@0x7f32a4001a48 size 128
| crypto helper 2 waiting (nothing to do)
| processing resume sending helper answer for #2
| start processing: state #2 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797)
| crypto helper 2 replies to request ID 3
| calling continuation function 0x555f23a49b50
| quick_inI1_outR1_cryptocontinue1 for #2: calculated ke+nonce, calculating DH
| started looking for secret for @east->@roadrandom of kind PKK_PSK
| actually looking for secret for @east->@roadrandom of kind PKK_PSK
| line 12: key type PKK_PSK(@east) to type PKK_PSK
| 1: compared key @roadrandom to @east / @roadrandom -> 004
| 2: compared key @east to @east / @roadrandom -> 014
| line 12: match=014
| match 014 beats previous best_match 000 match=0x555f2427aba8 (line=12)
| line 10: key type PKK_PSK(@east) to type PKK_PSK
| 1: compared key @east to @east / @roadrandom -> 010
| 2: compared key @west to @east / @roadrandom -> 010
| line 10: match=010
| line 9: key type PKK_PSK(@east) to type PKK_PSK
| 1: compared key %any to @east / @roadrandom -> 002
| 2: compared key %any to @east / @roadrandom -> 002
| line 9: match=002
| match 002 loses to best_match 014
| concluding with best_match=014 best=0x555f2427aba8 (lineno=12)
| adding quick outR1 DH work-order 4 for state #2
| state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted
| libevent_free: release ptr-libevent@0x555f2427e0c8
| free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x555f2427d848
| event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x555f2427d848
| inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2
| libevent_malloc: new ptr-libevent@0x555f2427e0c8 size 128
| suspending state #2 and saving MD
| #2 is busy; has a suspended MD
| resume sending helper answer for #2 suppresed complete_v1_state_transition() and stole MD
| #2 spent 0.115 milliseconds in resume sending helper answer
| stop processing: state #2 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:833)
| libevent_free: release ptr-libevent@0x7f32a4001af8
| crypto helper 4 resuming
| crypto helper 4 starting work-order 4 for state #2
| crypto helper 4 doing compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 4
| crypto helper 4 finished compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 4 time elapsed 0.000616 seconds
| (#2) spent 0.622 milliseconds in crypto helper computing work-order 4: quick outR1 DH (pcr)
| crypto helper 4 sending results from work-order 4 for state #2 to event queue
| scheduling resume sending helper answer for #2
| libevent_malloc: new ptr-libevent@0x7f3298003148 size 128
| crypto helper 4 waiting (nothing to do)
| processing resume sending helper answer for #2
| start processing: state #2 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797)
| crypto helper 4 replies to request ID 4
| calling continuation function 0x555f23a49b50
| quick_inI1_outR1_cryptocontinue2 for #2: calculated DH, sending R1
| **emit ISAKMP Message:
|    initiator cookie:
|   ad ce 63 19  97 a7 3c c1
|    responder cookie:
|   1b 1c ee 08  09 19 e0 e9
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10)
|    exchange type: ISAKMP_XCHG_QUICK (0x20)
|    flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1)
|    Message ID: 4140458180 (0xf6ca60c4)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit ISAKMP Hash Payload:
|    next payload type: ISAKMP_NEXT_NONE (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH)
| next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet'
| emitting 20 zero bytes of HASH DATA into ISAKMP Hash Payload
| emitting length of ISAKMP Hash Payload: 24
| ***emit ISAKMP Security Association Payload:
|    next payload type: ISAKMP_NEXT_NONCE (0xa)
|    DOI: ISAKMP_DOI_IPSEC (0x1)
| next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE
| next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA)
| next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet'
| ****parse IPsec DOI SIT:
|    IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1)
| ****parse ISAKMP Proposal Payload:
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    length: 72 (0x48)
|    proposal number: 0 (0x0)
|    protocol ID: PROTO_IPSEC_ESP (0x3)
|    SPI size: 4 (0x4)
|    number of transforms: 2 (0x2)
| parsing 4 raw bytes of ISAKMP Proposal Payload into SPI
| SPI  45 83 f8 0a
| *****parse ISAKMP Transform Payload (ESP):
|    next payload type: ISAKMP_NEXT_T (0x3)
|    length: 32 (0x20)
|    ESP transform number: 0 (0x0)
|    ESP transform ID: ESP_AES (0xc)
| ******parse ISAKMP IPsec DOI attribute:
|    af+type: AF+GROUP_DESCRIPTION (0x8003)
|    length/value: 5 (0x5)
|    [5 is OAKLEY_GROUP_MODP1536]
| ******parse ISAKMP IPsec DOI attribute:
|    af+type: AF+ENCAPSULATION_MODE (0x8004)
|    length/value: 1 (0x1)
|    [1 is ENCAPSULATION_MODE_TUNNEL]
| NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none
| ******parse ISAKMP IPsec DOI attribute:
|    af+type: AF+SA_LIFE_TYPE (0x8001)
|    length/value: 1 (0x1)
|    [1 is SA_LIFE_TYPE_SECONDS]
| ******parse ISAKMP IPsec DOI attribute:
|    af+type: AF+SA_LIFE_DURATION (variable length) (0x8002)
|    length/value: 28800 (0x7080)
| ******parse ISAKMP IPsec DOI attribute:
|    af+type: AF+AUTH_ALGORITHM (0x8005)
|    length/value: 2 (0x2)
|    [2 is AUTH_ALGORITHM_HMAC_SHA1]
| ******parse ISAKMP IPsec DOI attribute:
|    af+type: AF+KEY_LENGTH (0x8006)
|    length/value: 128 (0x80)
| ESP IPsec Transform verified unconditionally; no alg_info to check against
| ****emit IPsec DOI SIT:
|    IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1)
| ****emit ISAKMP Proposal Payload:
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    proposal number: 0 (0x0)
|    protocol ID: PROTO_IPSEC_ESP (0x3)
|    SPI size: 4 (0x4)
|    number of transforms: 1 (0x1)
| last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type'
| netlink_get_spi: allocated 0x33ab6f92 for esp.0@192.1.2.23
| emitting 4 raw bytes of SPI into ISAKMP Proposal Payload
| SPI  33 ab 6f 92
| *****emit ISAKMP Transform Payload (ESP):
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ESP transform number: 0 (0x0)
|    ESP transform ID: ESP_AES (0xc)
| last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type'
| emitting 24 raw bytes of attributes into ISAKMP Transform Payload (ESP)
| attributes  80 03 00 05  80 04 00 01  80 01 00 01  80 02 70 80
| attributes  80 05 00 02  80 06 00 80
| emitting length of ISAKMP Transform Payload (ESP): 32
| emitting length of ISAKMP Proposal Payload: 44
| last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' is 0
| emitting length of ISAKMP Security Association Payload: 56
| last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0
"road-eastnet-psk"[1] 192.1.3.209 #2: responding to Quick Mode proposal {msgid:f6ca60c4}
"road-eastnet-psk"[1] 192.1.3.209 #2:     us: 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]
"road-eastnet-psk"[1] 192.1.3.209 #2:   them: 192.1.3.209[@roadrandom]
| ***emit ISAKMP Nonce Payload:
|    next payload type: ISAKMP_NEXT_KE (0x4)
| next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 4:ISAKMP_NEXT_KE
| next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE)
| next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet'
| emitting 32 raw bytes of Nr into ISAKMP Nonce Payload
| Nr  68 c8 89 67  e3 54 1c 68  ff fd 8b 77  4f 24 9d cf
| Nr  5f 99 5e 4c  e0 af ac 94  51 07 ec 59  85 45 fc 30
| emitting length of ISAKMP Nonce Payload: 36
| ***emit ISAKMP Key Exchange Payload:
|    next payload type: ISAKMP_NEXT_ID (0x5)
| next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 5:ISAKMP_NEXT_ID
| next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE)
| next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet'
| emitting 192 raw bytes of keyex value into ISAKMP Key Exchange Payload
| emitting length of ISAKMP Key Exchange Payload: 196
| ***emit ISAKMP Identification Payload (IPsec DOI):
|    next payload type: ISAKMP_NEXT_ID (0x5)
|    ID type: ID_IPV4_ADDR (0x1)
|    Protocol ID: 0 (0x0)
|    port: 0 (0x0)
| next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 5:ISAKMP_NEXT_ID
| next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID)
| next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet'
| emitting 4 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI)
| ID body  c0 01 03 d1
| emitting length of ISAKMP Identification Payload (IPsec DOI): 12
| ***emit ISAKMP Identification Payload (IPsec DOI):
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ID type: ID_IPV4_ADDR_SUBNET (0x4)
|    Protocol ID: 0 (0x0)
|    port: 0 (0x0)
| next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID)
| next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet'
| emitting 8 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI)
| ID body  c0 00 02 00  ff ff ff 00
| emitting length of ISAKMP Identification Payload (IPsec DOI): 16
| quick inR1 outI2 HASH(2):
|   c8 00 5f 3c  d4 55 43 58  25 81 c5 8f  c1 8b 38 89
|   d8 1e bd 5b
| compute_proto_keymat: needed_len (after ESP enc)=16
| compute_proto_keymat: needed_len (after ESP auth)=36
| install_inbound_ipsec_sa() checking if we can route
| could_route called for road-eastnet-psk (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
|  conn road-eastnet-psk mark 0/00000000, 0/00000000 vs
|  conn road-eastnet-psk mark 0/00000000, 0/00000000
|  conn road-eastnet-psk mark 0/00000000, 0/00000000 vs
|  conn road-eastnet-psk mark 0/00000000, 0/00000000
| route owner of "road-eastnet-psk"[1] 192.1.3.209 unrouted: NULL; eroute owner: NULL
|    routing is easy, or has resolvable near-conflict
| checking if this is a replacement state
|   st=0x555f2427e488 ost=(nil) st->serialno=#2 ost->serialno=#0
| installing outgoing SA now as refhim=0
| looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96
| encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12
| st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20
| setting IPsec SA replay-window to 32
| NIC esp-hw-offload not for connection 'road-eastnet-psk' not available on interface eth1
| netlink: enabling tunnel mode
| netlink: setting IPsec SA replay-window to 32 using old-style req
| netlink: esp-hw-offload not set for IPsec SA
| netlink response for Add SA esp.4583f80a@192.1.3.209 included non-error error
| outgoing SA has refhim=0
| looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96
| encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12
| st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20
| setting IPsec SA replay-window to 32
| NIC esp-hw-offload not for connection 'road-eastnet-psk' not available on interface eth1
| netlink: enabling tunnel mode
| netlink: setting IPsec SA replay-window to 32 using old-style req
| netlink: esp-hw-offload not set for IPsec SA
| netlink response for Add SA esp.33ab6f92@192.1.2.23 included non-error error
| priority calculation of connection "road-eastnet-psk" is 0xfe7df
| add inbound eroute 192.1.3.209/32:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute)
| IPsec Sa SPD priority set to 1042399
| raw_eroute result=success
| emitting 4 zero bytes of encryption padding into ISAKMP Message
| no IKEv1 message padding required
| emitting length of ISAKMP Message: 372
| finished processing quick inI1
| complete v1 state transition with STF_OK
| [RE]START processing: state #2 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v1_state_transition() at ikev1.c:2673)
| #2 is idle
| doing_xauth:no, t_xauth_client_done:no
| IKEv1: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
| child state #2: QUICK_R0(established CHILD SA) => QUICK_R1(established CHILD SA)
| event_already_set, deleting event
| state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted
| libevent_free: release ptr-libevent@0x555f2427e0c8
| free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x555f2427d848
| sending reply packet to 192.1.3.209:500 (from 192.1.2.23:500)
| sending 372 bytes for STATE_QUICK_R0 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #2)
| !event_already_set at reschedule
| event_schedule: new EVENT_RETRANSMIT-pe@0x555f2427d848
| inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #2
| libevent_malloc: new ptr-libevent@0x7f32a4001af8 size 128
| #2 STATE_QUICK_R1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29815.246233
| pstats #2 ikev1.ipsec established
| NAT-T: encaps is 'auto'
"road-eastnet-psk"[1] 192.1.3.209 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0x4583f80a <0x33ab6f92 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
| modecfg pull: noquirk policy:push not-client
| phase 1 is done, looking for phase 2 to unpend
| resume sending helper answer for #2 suppresed complete_v1_state_transition()
| #2 spent 1.21 milliseconds in resume sending helper answer
| stop processing: state #2 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:833)
| libevent_free: release ptr-libevent@0x7f3298003148
| spent 0.00584 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 52 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
|   ad ce 63 19  97 a7 3c c1  1b 1c ee 08  09 19 e0 e9
|   08 10 20 01  f6 ca 60 c4  00 00 00 34  f5 1f a8 b0
|   f2 ef c3 f3  0e e4 c5 c7  f3 68 d2 f1  14 f0 57 fa
|   05 41 56 9c
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   ad ce 63 19  97 a7 3c c1
|    responder cookie:
|   1b 1c ee 08  09 19 e0 e9
|    next payload type: ISAKMP_NEXT_HASH (0x8)
|    ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10)
|    exchange type: ISAKMP_XCHG_QUICK (0x20)
|    flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1)
|    Message ID: 4140458180 (0xf6ca60c4)
|    length: 52 (0x34)
|  processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32)
| State DB: found IKEv1 state #2 in QUICK_R1 (find_state_ikev1)
| start processing: state #2 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in process_v1_packet() at ikev1.c:1633)
| #2 is idle
| #2 idle
| received encrypted packet from 192.1.3.209:500
| got payload 0x100  (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0
| ***parse ISAKMP Hash Payload:
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    length: 24 (0x18)
| quick_inI2 HASH(3):
|   4b ca ad 44  1d 0d d6 55  3b 05 3f c1  84 5e d1 c0
|   8f c8 67 7a
| received 'quick_inI2' message HASH(3) data ok
| install_ipsec_sa() for #2: outbound only
| could_route called for road-eastnet-psk (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
|  conn road-eastnet-psk mark 0/00000000, 0/00000000 vs
|  conn road-eastnet-psk mark 0/00000000, 0/00000000
|  conn road-eastnet-psk mark 0/00000000, 0/00000000 vs
|  conn road-eastnet-psk mark 0/00000000, 0/00000000
| route owner of "road-eastnet-psk"[1] 192.1.3.209 unrouted: NULL; eroute owner: NULL
| sr for #2: unrouted
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
|  conn road-eastnet-psk mark 0/00000000, 0/00000000 vs
|  conn road-eastnet-psk mark 0/00000000, 0/00000000
|  conn road-eastnet-psk mark 0/00000000, 0/00000000 vs
|  conn road-eastnet-psk mark 0/00000000, 0/00000000
| route owner of "road-eastnet-psk"[1] 192.1.3.209 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: road-eastnet-psk (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2
| priority calculation of connection "road-eastnet-psk" is 0xfe7df
| eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.1.3.209/32:0 => tun.0@192.1.3.209 (raw_eroute)
| IPsec Sa SPD priority set to 1042399
| raw_eroute result=success
| running updown command "ipsec _updown" for verb up 
| command executing up-client
| executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-psk' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@roadrandom' PLUTO_PEER_CLIENT='192.1.3.209/32' PLUTO_PEER_CLIENT_NET='192.1.3.209' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='
| popen cmd is 1055 chars long
| cmd(   0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-psk' P:
| cmd(  80):LUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY:
| cmd( 160):_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO:
| cmd( 240):_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA:
| cmd( 320):_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@road:
| cmd( 400):random' PLUTO_PEER_CLIENT='192.1.3.209/32' PLUTO_PEER_CLIENT_NET='192.1.3.209' P:
| cmd( 480):LUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=:
| cmd( 560):'0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='P:
| cmd( 640):SK+ENCRYPT+TUNNEL+PFS+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' :
| cmd( 720):PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_:
| cmd( 800):IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BA:
| cmd( 880):NNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IF:
| cmd( 960):ACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x4583f80a SPI_OUT=0x33ab6f92 ips:
| cmd(1040):ec _updown 2>&1:
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare 
| command executing prepare-client
| executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-psk' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@roadrandom' PLUTO_PEER_CLIENT='192.1.3.209/32' PLUTO_PEER_CLIENT_NET='192.1.3.209' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VT
| popen cmd is 1060 chars long
| cmd(   0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-p:
| cmd(  80):sk' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLU:
| cmd( 160):TO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' :
| cmd( 240):PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLU:
| cmd( 320):TO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID=':
| cmd( 400):@roadrandom' PLUTO_PEER_CLIENT='192.1.3.209/32' PLUTO_PEER_CLIENT_NET='192.1.3.2:
| cmd( 480):09' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROT:
| cmd( 560):OCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLI:
| cmd( 640):CY='PSK+ENCRYPT+TUNNEL+PFS+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN:
| cmd( 720):_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 P:
| cmd( 800):LUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PE:
| cmd( 880):ER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' V:
| cmd( 960):TI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x4583f80a SPI_OUT=0x33ab6f9:
| cmd(1040):2 ipsec _updown 2>&1:
| running updown command "ipsec _updown" for verb route 
| command executing route-client
| executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-psk' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@roadrandom' PLUTO_PEER_CLIENT='192.1.3.209/32' PLUTO_PEER_CLIENT_NET='192.1.3.209' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SH
| popen cmd is 1058 chars long
| cmd(   0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-psk:
| cmd(  80):' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO:
| cmd( 160):_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PL:
| cmd( 240):UTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO:
| cmd( 320):_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@r:
| cmd( 400):oadrandom' PLUTO_PEER_CLIENT='192.1.3.209/32' PLUTO_PEER_CLIENT_NET='192.1.3.209:
| cmd( 480):' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOC:
| cmd( 560):OL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY:
| cmd( 640):='PSK+ENCRYPT+TUNNEL+PFS+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_N:
| cmd( 720):O' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLU:
| cmd( 800):TO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER:
| cmd( 880):_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI:
| cmd( 960):_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x4583f80a SPI_OUT=0x33ab6f92 :
| cmd(1040):ipsec _updown 2>&1:
| route_and_eroute: instance "road-eastnet-psk"[1] 192.1.3.209, setting eroute_owner {spd=0x555f2427c358,sr=0x555f2427c358} to #2 (was #0) (newest_ipsec_sa=#0)
| #1 spent 2.36 milliseconds in install_ipsec_sa()
| inI2: instance road-eastnet-psk[1], setting IKEv1 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1
| DPD: dpd_init() called on IPsec SA
| DPD: Peer does not support Dead Peer Detection
| complete v1 state transition with STF_OK
| [RE]START processing: state #2 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v1_state_transition() at ikev1.c:2673)
| #2 is idle
| doing_xauth:no, t_xauth_client_done:no
| IKEv1: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
| child state #2: QUICK_R1(established CHILD SA) => QUICK_R2(established CHILD SA)
| event_already_set, deleting event
| state #2 requesting EVENT_RETRANSMIT to be deleted
| #2 STATE_QUICK_R2: retransmits: cleared
| libevent_free: release ptr-libevent@0x7f32a4001af8
| free_event_entry: release EVENT_RETRANSMIT-pe@0x555f2427d848
| !event_already_set at reschedule
| event_schedule: new EVENT_SA_REPLACE-pe@0x555f2427d848
| inserting event EVENT_SA_REPLACE, timeout in 28530 seconds for #2
| libevent_malloc: new ptr-libevent@0x7f3298003148 size 128
| pstats #2 ikev1.ipsec established
| NAT-T: encaps is 'auto'
"road-eastnet-psk"[1] 192.1.3.209 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x4583f80a <0x33ab6f92 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
| modecfg pull: noquirk policy:push not-client
| phase 1 is done, looking for phase 2 to unpend
| #2 spent 2.46 milliseconds in process_packet_tail()
| stop processing: from 192.1.3.209:500 (BACKGROUND) (in process_md() at demux.c:380)
| stop processing: state #2 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 2.75 milliseconds in comm_handle_cb() reading and processing packet
| processing signal PLUTO_SIGCHLD
| waitpid returned ECHILD (no child processes left)
| spent 0.00459 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned ECHILD (no child processes left)
| spent 0.00291 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned ECHILD (no child processes left)
| spent 0.00292 milliseconds in signal handler PLUTO_SIGCHLD
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_STATE_... in show_states_status (sort_states)
| FOR_EACH_STATE_... in sort_states
| get_sa_info esp.33ab6f92@192.1.2.23
| get_sa_info esp.4583f80a@192.1.3.209
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.507 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
shutting down
| processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825)
| certs and keys locked by 'free_preshared_secrets'
forgetting secrets
| certs and keys unlocked by 'free_preshared_secrets'
| start processing: connection "road-eastnet-psk"[1] 192.1.3.209 (in delete_connection() at connections.c:189)
"road-eastnet-psk"[1] 192.1.3.209: deleting connection "road-eastnet-psk"[1] 192.1.3.209 instance with peer 192.1.3.209 {isakmp=#1/ipsec=#2}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| state #2
| suspend processing: connection "road-eastnet-psk"[1] 192.1.3.209 (in foreach_state_by_connection_func_delete() at state.c:1310)
| start processing: state #2 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in foreach_state_by_connection_func_delete() at state.c:1310)
| pstats #2 ikev1.ipsec deleted completed
| [RE]START processing: state #2 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in delete_state() at state.c:879)
"road-eastnet-psk"[1] 192.1.3.209 #2: deleting state (STATE_QUICK_R2) aged 4.904s and sending notification
| child state #2: QUICK_R2(established CHILD SA) => delete
| get_sa_info esp.4583f80a@192.1.3.209
| get_sa_info esp.33ab6f92@192.1.2.23
"road-eastnet-psk"[1] 192.1.3.209 #2: ESP traffic information: in=336B out=336B
| #2 send IKEv1 delete notification for STATE_QUICK_R2
| FOR_EACH_STATE_... in find_phase1_state
| **emit ISAKMP Message:
|    initiator cookie:
|   ad ce 63 19  97 a7 3c c1
|    responder cookie:
|   1b 1c ee 08  09 19 e0 e9
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10)
|    exchange type: ISAKMP_XCHG_INFO (0x5)
|    flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1)
|    Message ID: 2282927422 (0x8812b53e)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit ISAKMP Hash Payload:
|    next payload type: ISAKMP_NEXT_NONE (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH)
| next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg'
| emitting 20 zero bytes of HASH DATA into ISAKMP Hash Payload
| emitting length of ISAKMP Hash Payload: 24
| ***emit ISAKMP Delete Payload:
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    DOI: ISAKMP_DOI_IPSEC (0x1)
|    protocol ID: 3 (0x3)
|    SPI size: 4 (0x4)
|    number of SPIs: 1 (0x1)
| next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D)
| next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg'
| emitting 4 raw bytes of delete payload into ISAKMP Delete Payload
| delete payload  33 ab 6f 92
| emitting length of ISAKMP Delete Payload: 16
| send delete HASH(1):
|   1e 1a 47 16  67 ef 08 1b  b5 e2 f8 a0  61 bb 4a be
|   63 cc 31 84
| no IKEv1 message padding required
| emitting length of ISAKMP Message: 68
| sending 68 bytes for delete notify through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1)
|   ad ce 63 19  97 a7 3c c1  1b 1c ee 08  09 19 e0 e9
|   08 10 05 01  88 12 b5 3e  00 00 00 44  2f 5a c6 1b
|   91 39 72 e9  a6 6c 88 0b  af be 84 29  4a 0f d9 35
|   ee 61 75 9b  2a 2b d6 32  04 ab e2 92  9f 25 48 e2
|   88 2c a7 4f
| state #2 requesting EVENT_SA_REPLACE to be deleted
| libevent_free: release ptr-libevent@0x7f3298003148
| free_event_entry: release EVENT_SA_REPLACE-pe@0x555f2427d848
| running updown command "ipsec _updown" for verb down 
| command executing down-client
| executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-psk' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@roadrandom' PLUTO_PEER_CLIENT='192.1.3.209/32' PLUTO_PEER_CLIENT_NET='192.1.3.209' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566844529' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='n
| popen cmd is 1068 chars long
| cmd(   0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-psk':
| cmd(  80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_:
| cmd( 160):MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLU:
| cmd( 240):TO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_:
| cmd( 320):SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@ro:
| cmd( 400):adrandom' PLUTO_PEER_CLIENT='192.1.3.209/32' PLUTO_PEER_CLIENT_NET='192.1.3.209':
| cmd( 480): PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCO:
| cmd( 560):L='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566844529' PLUTO_CON:
| cmd( 640):N_POLICY='PSK+ENCRYPT+TUNNEL+PFS+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALL:
| cmd( 720):OW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FA:
| cmd( 800):ILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' :
| cmd( 880):PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGUR:
| cmd( 960):ED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x4583f80a SPI_OUT=0:
| cmd(1040):x33ab6f92 ipsec _updown 2>&1:
| shunt_eroute() called for connection 'road-eastnet-psk' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "road-eastnet-psk" is 0xfe7df
| IPsec Sa SPD priority set to 1042399
| delete esp.4583f80a@192.1.3.209
| netlink response for Del SA esp.4583f80a@192.1.3.209 included non-error error
| priority calculation of connection "road-eastnet-psk" is 0xfe7df
| delete inbound eroute 192.1.3.209/32:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute)
| raw_eroute result=success
| delete esp.33ab6f92@192.1.2.23
| netlink response for Del SA esp.33ab6f92@192.1.2.23 included non-error error
| stop processing: connection "road-eastnet-psk"[1] 192.1.3.209 (BACKGROUND) (in update_state_connection() at connections.c:4076)
| start processing: connection NULL (in update_state_connection() at connections.c:4077)
| in connection_discard for connection road-eastnet-psk
| State DB: deleting IKEv1 state #2 in QUICK_R2
| child state #2: QUICK_R2(established CHILD SA) => UNDEFINED(ignore)
| stop processing: state #2 from 192.1.3.209:500 (in delete_state() at state.c:1143)
| processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312)
| state #1
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| state #1
| start processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in foreach_state_by_connection_func_delete() at state.c:1310)
| pstats #1 ikev1.isakmp deleted completed
| [RE]START processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in delete_state() at state.c:879)
"road-eastnet-psk"[1] 192.1.3.209 #1: deleting state (STATE_AGGR_R2) aged 4.920s and sending notification
| parent state #1: AGGR_R2(established IKE SA) => delete
| #1 send IKEv1 delete notification for STATE_AGGR_R2
| **emit ISAKMP Message:
|    initiator cookie:
|   ad ce 63 19  97 a7 3c c1
|    responder cookie:
|   1b 1c ee 08  09 19 e0 e9
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10)
|    exchange type: ISAKMP_XCHG_INFO (0x5)
|    flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1)
|    Message ID: 2539025556 (0x97567494)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit ISAKMP Hash Payload:
|    next payload type: ISAKMP_NEXT_NONE (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH)
| next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg'
| emitting 20 zero bytes of HASH DATA into ISAKMP Hash Payload
| emitting length of ISAKMP Hash Payload: 24
| ***emit ISAKMP Delete Payload:
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    DOI: ISAKMP_DOI_IPSEC (0x1)
|    protocol ID: 1 (0x1)
|    SPI size: 16 (0x10)
|    number of SPIs: 1 (0x1)
| next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D)
| next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg'
| emitting 8 raw bytes of initiator SPI into ISAKMP Delete Payload
| initiator SPI  ad ce 63 19  97 a7 3c c1
| emitting 8 raw bytes of responder SPI into ISAKMP Delete Payload
| responder SPI  1b 1c ee 08  09 19 e0 e9
| emitting length of ISAKMP Delete Payload: 28
| send delete HASH(1):
|   f6 10 02 1d  ef 73 92 57  c8 e5 dc fd  f0 6f f6 4b
|   14 92 3a 6f
| emitting 4 zero bytes of encryption padding into ISAKMP Message
| no IKEv1 message padding required
| emitting length of ISAKMP Message: 84
| sending 84 bytes for delete notify through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1)
|   ad ce 63 19  97 a7 3c c1  1b 1c ee 08  09 19 e0 e9
|   08 10 05 01  97 56 74 94  00 00 00 54  a6 ab 4a 34
|   ae f2 49 23  64 a9 0c fa  66 5e 48 b5  3e 71 48 ba
|   8b 09 5d 1d  80 cc 8d c1  0f ef a0 2e  c6 f2 11 2f
|   51 64 63 cf  3d 4a c7 6d  92 22 1a f6  92 05 be 43
|   c7 ee d5 9a
| state #1 requesting EVENT_SA_REPLACE to be deleted
| libevent_free: release ptr-libevent@0x7f32a0000ed8
| free_event_entry: release EVENT_SA_REPLACE-pe@0x555f2427e418
| State DB: IKEv1 state not found (flush_incomplete_children)
| in connection_discard for connection road-eastnet-psk
| State DB: deleting IKEv1 state #1 in AGGR_R2
| parent state #1: AGGR_R2(established IKE SA) => UNDEFINED(ignore)
| stop processing: state #1 from 192.1.3.209:500 (in delete_state() at state.c:1143)
| processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312)
| shunt_eroute() called for connection 'road-eastnet-psk' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "road-eastnet-psk" is 0xfe7df
| priority calculation of connection "road-eastnet-psk" is 0xfe7df
| FOR_EACH_CONNECTION_... in route_owner
|  conn road-eastnet-psk mark 0/00000000, 0/00000000 vs
|  conn road-eastnet-psk mark 0/00000000, 0/00000000
|  conn road-eastnet-psk mark 0/00000000, 0/00000000 vs
|  conn road-eastnet-psk mark 0/00000000, 0/00000000
| route owner of "road-eastnet-psk" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute 
| command executing unroute-client
| executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-psk' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@roadrandom' PLUTO_PEER_CLIENT='192.1.3.209/32' PLUTO_PEER_CLIENT_NET='192.1.3.209' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no'
| popen cmd is 1049 chars long
| cmd(   0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-p:
| cmd(  80):sk' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLU:
| cmd( 160):TO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' :
| cmd( 240):PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLU:
| cmd( 320):TO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID=:
| cmd( 400):'@roadrandom' PLUTO_PEER_CLIENT='192.1.3.209/32' PLUTO_PEER_CLIENT_NET='192.1.3.:
| cmd( 480):209' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PRO:
| cmd( 560):TOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POL:
| cmd( 640):ICY='PSK+ENCRYPT+TUNNEL+PFS+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ES:
| cmd( 720):N_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=:
| cmd( 800):0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO:
| cmd( 880):_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0:
| cmd( 960):' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _up:
| cmd(1040):down 2>&1:
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
| free hp@0x555f2427a898
| flush revival: connection 'road-eastnet-psk' wasn't on the list
| processing: STOP connection NULL (in discard_connection() at connections.c:249)
| start processing: connection "road-eastnet-psk" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| free hp@0x555f2427a428
| flush revival: connection 'road-eastnet-psk' wasn't on the list
| stop processing: connection "road-eastnet-psk" (in discard_connection() at connections.c:249)
| crl fetch request list locked by 'free_crl_fetch'
| crl fetch request list unlocked by 'free_crl_fetch'
shutting down interface lo/lo 127.0.0.1:4500
shutting down interface lo/lo 127.0.0.1:500
shutting down interface eth0/eth0 192.0.2.254:4500
shutting down interface eth0/eth0 192.0.2.254:500
shutting down interface eth1/eth1 192.1.2.23:4500
shutting down interface eth1/eth1 192.1.2.23:500
| FOR_EACH_STATE_... in delete_states_dead_interfaces
| libevent_free: release ptr-libevent@0x555f2426d188
| free_event_entry: release EVENT_NULL-pe@0x555f24278e88
| libevent_free: release ptr-libevent@0x555f24202698
| free_event_entry: release EVENT_NULL-pe@0x555f24278f38
| libevent_free: release ptr-libevent@0x555f241ff828
| free_event_entry: release EVENT_NULL-pe@0x555f24278fe8
| libevent_free: release ptr-libevent@0x555f24204268
| free_event_entry: release EVENT_NULL-pe@0x555f24279098
| libevent_free: release ptr-libevent@0x555f241d74e8
| free_event_entry: release EVENT_NULL-pe@0x555f24279148
| libevent_free: release ptr-libevent@0x555f241d71d8
| free_event_entry: release EVENT_NULL-pe@0x555f242791f8
| FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
| libevent_free: release ptr-libevent@0x555f2426d238
| free_event_entry: release EVENT_NULL-pe@0x555f24261028
| libevent_free: release ptr-libevent@0x555f24202598
| free_event_entry: release EVENT_NULL-pe@0x555f24260fb8
| libevent_free: release ptr-libevent@0x555f24244898
| free_event_entry: release EVENT_NULL-pe@0x555f24260478
| global timer EVENT_REINIT_SECRET uninitialized
| global timer EVENT_SHUNT_SCAN uninitialized
| global timer EVENT_PENDING_DDNS uninitialized
| global timer EVENT_PENDING_PHASE2 uninitialized
| global timer EVENT_CHECK_CRLS uninitialized
| global timer EVENT_REVIVE_CONNS uninitialized
| global timer EVENT_FREE_ROOT_CERTS uninitialized
| global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized
| global timer EVENT_NAT_T_KEEPALIVE uninitialized
| libevent_free: release ptr-libevent@0x555f241f8678
| signal event handler PLUTO_SIGCHLD uninstalled
| libevent_free: release ptr-libevent@0x555f241f8748
| signal event handler PLUTO_SIGTERM uninstalled
| libevent_free: release ptr-libevent@0x555f24278778
| signal event handler PLUTO_SIGHUP uninstalled
| libevent_free: release ptr-libevent@0x555f242789b8
| signal event handler PLUTO_SIGSYS uninstalled
| releasing event base
| libevent_free: release ptr-libevent@0x555f24278888
| libevent_free: release ptr-libevent@0x555f2425b868
| libevent_free: release ptr-libevent@0x555f2425b818
| libevent_free: release ptr-libevent@0x7f32a4001a48
| libevent_free: release ptr-libevent@0x555f2425b768
| libevent_free: release ptr-libevent@0x555f24278508
| libevent_free: release ptr-libevent@0x555f242786b8
| libevent_free: release ptr-libevent@0x555f2425ba18
| libevent_free: release ptr-libevent@0x555f24260588
| libevent_free: release ptr-libevent@0x555f24260f78
| libevent_free: release ptr-libevent@0x555f24279268
| libevent_free: release ptr-libevent@0x555f242791b8
| libevent_free: release ptr-libevent@0x555f24279108
| libevent_free: release ptr-libevent@0x555f24279058
| libevent_free: release ptr-libevent@0x555f24278fa8
| libevent_free: release ptr-libevent@0x555f24278ef8
| libevent_free: release ptr-libevent@0x555f241ff078
| libevent_free: release ptr-libevent@0x555f24278738
| libevent_free: release ptr-libevent@0x555f242786f8
| libevent_free: release ptr-libevent@0x555f24278678
| libevent_free: release ptr-libevent@0x555f24278848
| libevent_free: release ptr-libevent@0x555f24278548
| libevent_free: release ptr-libevent@0x555f241d6908
| libevent_free: release ptr-libevent@0x555f241d6d38
| libevent_free: release ptr-libevent@0x555f241ff3e8
| releasing global libevent data
| libevent_free: release ptr-libevent@0x555f241d67f8
| libevent_free: release ptr-libevent@0x555f241d6cd8
| libevent_free: release ptr-libevent@0x555f241d6dd8
leak: virtual description, item size: 4
leak detective found 1 leaks, total size 4