Sep 21 07:15:52.230356: FIPS Product: YES Sep 21 07:15:52.230396: FIPS Kernel: NO Sep 21 07:15:52.230400: FIPS Mode: NO Sep 21 07:15:52.230402: NSS DB directory: sql:/etc/ipsec.d Sep 21 07:15:52.230572: Initializing NSS Sep 21 07:15:52.230576: Opening NSS database "sql:/etc/ipsec.d" read-only Sep 21 07:15:52.294294: NSS initialized Sep 21 07:15:52.294313: NSS crypto library initialized Sep 21 07:15:52.294316: FIPS HMAC integrity support [enabled] Sep 21 07:15:52.294319: FIPS mode disabled for pluto daemon Sep 21 07:15:52.374841: FIPS HMAC integrity verification self-test FAILED Sep 21 07:15:52.374944: libcap-ng support [enabled] Sep 21 07:15:52.374956: Linux audit support [enabled] Sep 21 07:15:52.374982: Linux audit activated Sep 21 07:15:52.374987: Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:11063 Sep 21 07:15:52.374991: core dump dir: /tmp Sep 21 07:15:52.374993: secrets file: /etc/ipsec.secrets Sep 21 07:15:52.374995: leak-detective disabled Sep 21 07:15:52.374997: NSS crypto [enabled] Sep 21 07:15:52.374999: XAUTH PAM support [enabled] Sep 21 07:15:52.375064: | libevent is using pluto's memory allocator Sep 21 07:15:52.375071: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Sep 21 07:15:52.375084: | libevent_malloc: new ptr-libevent@0x55c77aff9e80 size 40 Sep 21 07:15:52.375090: | libevent_malloc: new ptr-libevent@0x55c77affb130 size 40 Sep 21 07:15:52.375093: | libevent_malloc: new ptr-libevent@0x55c77affb160 size 40 Sep 21 07:15:52.375096: | creating event base Sep 21 07:15:52.375098: | libevent_malloc: new ptr-libevent@0x55c77affb0f0 size 56 Sep 21 07:15:52.375101: | libevent_malloc: new ptr-libevent@0x55c77affb190 size 664 Sep 21 07:15:52.375112: | libevent_malloc: new 
ptr-libevent@0x55c77affb430 size 24 Sep 21 07:15:52.375117: | libevent_malloc: new ptr-libevent@0x55c77afecae0 size 384 Sep 21 07:15:52.375126: | libevent_malloc: new ptr-libevent@0x55c77affb450 size 16 Sep 21 07:15:52.375129: | libevent_malloc: new ptr-libevent@0x55c77affb470 size 40 Sep 21 07:15:52.375132: | libevent_malloc: new ptr-libevent@0x55c77affb4a0 size 48 Sep 21 07:15:52.375139: | libevent_realloc: new ptr-libevent@0x55c77af7f370 size 256 Sep 21 07:15:52.375142: | libevent_malloc: new ptr-libevent@0x55c77affb4e0 size 16 Sep 21 07:15:52.375147: | libevent_free: release ptr-libevent@0x55c77affb0f0 Sep 21 07:15:52.375151: | libevent initialized Sep 21 07:15:52.375155: | libevent_realloc: new ptr-libevent@0x55c77affb500 size 64 Sep 21 07:15:52.375159: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Sep 21 07:15:52.375174: | init_nat_traversal() initialized with keep_alive=0s Sep 21 07:15:52.375177: NAT-Traversal support [enabled] Sep 21 07:15:52.375180: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Sep 21 07:15:52.375187: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Sep 21 07:15:52.375190: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Sep 21 07:15:52.375228: | global one-shot timer EVENT_REVIVE_CONNS initialized Sep 21 07:15:52.375233: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Sep 21 07:15:52.375237: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Sep 21 07:15:52.375287: Encryption algorithms: Sep 21 07:15:52.375298: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c Sep 21 07:15:52.375303: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b Sep 21 07:15:52.375307: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a Sep 21 07:15:52.375310: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des Sep 21 07:15:52.375314: CAMELLIA_CTR IKEv1: ESP 
IKEv2: ESP {256,192,*128} Sep 21 07:15:52.375324: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia Sep 21 07:15:52.375328: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c Sep 21 07:15:52.375332: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b Sep 21 07:15:52.375336: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a Sep 21 07:15:52.375339: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr Sep 21 07:15:52.375343: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes Sep 21 07:15:52.375347: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent Sep 21 07:15:52.375350: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish Sep 21 07:15:52.375354: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh Sep 21 07:15:52.375357: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Sep 21 07:15:52.375366: NULL IKEv1: ESP IKEv2: ESP [] Sep 21 07:15:52.375370: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Sep 21 07:15:52.375377: Hash algorithms: Sep 21 07:15:52.375380: MD5 IKEv1: IKE IKEv2: Sep 21 07:15:52.375387: SHA1 IKEv1: IKE IKEv2: FIPS sha Sep 21 07:15:52.375390: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 Sep 21 07:15:52.375393: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 Sep 21 07:15:52.375396: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 Sep 21 07:15:52.375409: PRF algorithms: Sep 21 07:15:52.375412: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 Sep 21 07:15:52.375416: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 Sep 21 07:15:52.375419: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 Sep 21 07:15:52.375422: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 Sep 21 07:15:52.375426: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Sep 21 07:15:52.375429: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Sep 21 07:15:52.375453: Integrity algorithms: Sep 21 07:15:52.375457: HMAC_MD5_96 IKEv1: IKE ESP 
AH IKEv2: IKE ESP AH md5, hmac_md5 Sep 21 07:15:52.375460: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 Sep 21 07:15:52.375465: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Sep 21 07:15:52.375469: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Sep 21 07:15:52.375473: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Sep 21 07:15:52.375475: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Sep 21 07:15:52.375479: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 Sep 21 07:15:52.375482: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Sep 21 07:15:52.375485: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Sep 21 07:15:52.375498: DH algorithms: Sep 21 07:15:52.375501: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 Sep 21 07:15:52.375504: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 Sep 21 07:15:52.375507: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 Sep 21 07:15:52.375513: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 Sep 21 07:15:52.375516: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 Sep 21 07:15:52.375519: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 Sep 21 07:15:52.375522: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 Sep 21 07:15:52.375525: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 Sep 21 07:15:52.375528: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 Sep 21 07:15:52.375531: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 Sep 21 07:15:52.375534: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 Sep 21 07:15:52.375536: testing CAMELLIA_CBC: Sep 21 07:15:52.375539: Camellia: 16 bytes with 128-bit key Sep 21 07:15:52.376104: Camellia: 16 bytes with 128-bit key Sep 21 07:15:52.376146: Camellia: 16 bytes with 256-bit key Sep 21 07:15:52.376180: Camellia: 
16 bytes with 256-bit key Sep 21 07:15:52.376211: testing AES_GCM_16: Sep 21 07:15:52.376215: empty string Sep 21 07:15:52.376250: one block Sep 21 07:15:52.376277: two blocks Sep 21 07:15:52.376303: two blocks with associated data Sep 21 07:15:52.376332: testing AES_CTR: Sep 21 07:15:52.376335: Encrypting 16 octets using AES-CTR with 128-bit key Sep 21 07:15:52.376363: Encrypting 32 octets using AES-CTR with 128-bit key Sep 21 07:15:52.376391: Encrypting 36 octets using AES-CTR with 128-bit key Sep 21 07:15:52.376420: Encrypting 16 octets using AES-CTR with 192-bit key Sep 21 07:15:52.376446: Encrypting 32 octets using AES-CTR with 192-bit key Sep 21 07:15:52.376474: Encrypting 36 octets using AES-CTR with 192-bit key Sep 21 07:15:52.376500: Encrypting 16 octets using AES-CTR with 256-bit key Sep 21 07:15:52.376527: Encrypting 32 octets using AES-CTR with 256-bit key Sep 21 07:15:52.376552: Encrypting 36 octets using AES-CTR with 256-bit key Sep 21 07:15:52.376575: testing AES_CBC: Sep 21 07:15:52.376577: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Sep 21 07:15:52.376599: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Sep 21 07:15:52.376624: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Sep 21 07:15:52.376651: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Sep 21 07:15:52.376697: testing AES_XCBC: Sep 21 07:15:52.376705: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Sep 21 07:15:52.376837: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Sep 21 07:15:52.376963: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Sep 21 07:15:52.377083: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Sep 21 07:15:52.377199: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Sep 21 07:15:52.377318: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Sep 21 07:15:52.377438: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Sep 21 07:15:52.377702: RFC 4434 Test Case 
AES-XCBC-PRF-128 with 20-byte input (key length 16) Sep 21 07:15:52.377826: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Sep 21 07:15:52.377954: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Sep 21 07:15:52.378172: testing HMAC_MD5: Sep 21 07:15:52.378176: RFC 2104: MD5_HMAC test 1 Sep 21 07:15:52.378338: RFC 2104: MD5_HMAC test 2 Sep 21 07:15:52.378474: RFC 2104: MD5_HMAC test 3 Sep 21 07:15:52.378649: 8 CPU cores online Sep 21 07:15:52.378653: starting up 7 crypto helpers Sep 21 07:15:52.378696: started thread for crypto helper 0 Sep 21 07:15:52.378720: started thread for crypto helper 1 Sep 21 07:15:52.378739: started thread for crypto helper 2 Sep 21 07:15:52.378759: started thread for crypto helper 3 Sep 21 07:15:52.378777: started thread for crypto helper 4 Sep 21 07:15:52.378817: started thread for crypto helper 5 Sep 21 07:15:52.378848: started thread for crypto helper 6 Sep 21 07:15:52.378855: | checking IKEv1 state table Sep 21 07:15:52.378864: | MAIN_R0: category: half-open IKE SA flags: 0: Sep 21 07:15:52.378866: | -> MAIN_R1 EVENT_SO_DISCARD Sep 21 07:15:52.378869: | MAIN_I1: category: half-open IKE SA flags: 0: Sep 21 07:15:52.378872: | -> MAIN_I2 EVENT_RETRANSMIT Sep 21 07:15:52.378875: | MAIN_R1: category: open IKE SA flags: 200: Sep 21 07:15:52.378877: | -> MAIN_R2 EVENT_RETRANSMIT Sep 21 07:15:52.378879: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:15:52.378882: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:15:52.378885: | MAIN_I2: category: open IKE SA flags: 0: Sep 21 07:15:52.378887: | -> MAIN_I3 EVENT_RETRANSMIT Sep 21 07:15:52.378890: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:15:52.378892: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:15:52.378895: | MAIN_R2: category: open IKE SA flags: 0: Sep 21 07:15:52.378897: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:15:52.378900: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:15:52.378903: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:15:52.378906: | MAIN_I3: category: open 
IKE SA flags: 0: Sep 21 07:15:52.378908: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:15:52.378911: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:15:52.378913: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:15:52.378917: | MAIN_R3: category: established IKE SA flags: 200: Sep 21 07:15:52.378919: | -> UNDEFINED EVENT_NULL Sep 21 07:15:52.378922: | MAIN_I4: category: established IKE SA flags: 0: Sep 21 07:15:52.378925: | -> UNDEFINED EVENT_NULL Sep 21 07:15:52.378928: | AGGR_R0: category: half-open IKE SA flags: 0: Sep 21 07:15:52.378931: | -> AGGR_R1 EVENT_SO_DISCARD Sep 21 07:15:52.378934: | AGGR_I1: category: half-open IKE SA flags: 0: Sep 21 07:15:52.378936: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:15:52.378938: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:15:52.378941: | AGGR_R1: category: open IKE SA flags: 200: Sep 21 07:15:52.378944: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:15:52.378946: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:15:52.378949: | AGGR_I2: category: established IKE SA flags: 200: Sep 21 07:15:52.378952: | -> UNDEFINED EVENT_NULL Sep 21 07:15:52.378956: | AGGR_R2: category: established IKE SA flags: 0: Sep 21 07:15:52.378958: | -> UNDEFINED EVENT_NULL Sep 21 07:15:52.378961: | starting up helper thread 3 Sep 21 07:15:52.378964: | QUICK_R0: category: established CHILD SA flags: 0: Sep 21 07:15:52.378982: | starting up helper thread 4 Sep 21 07:15:52.378985: | -> QUICK_R1 EVENT_RETRANSMIT Sep 21 07:15:52.378978: | status value returned by setting the priority of this thread (crypto helper 3) 22 Sep 21 07:15:52.378993: | QUICK_I1: category: established CHILD SA flags: 0: Sep 21 07:15:52.378987: | status value returned by setting the priority of this thread (crypto helper 4) 22 Sep 21 07:15:52.378999: | -> QUICK_I2 EVENT_SA_REPLACE Sep 21 07:15:52.379005: | QUICK_R1: category: established CHILD SA flags: 0: Sep 21 07:15:52.379008: | -> QUICK_R2 EVENT_SA_REPLACE Sep 21 07:15:52.379012: | QUICK_I2: category: established CHILD SA flags: 200: Sep 21 07:15:52.379014: | -> 
UNDEFINED EVENT_NULL Sep 21 07:15:52.379018: | QUICK_R2: category: established CHILD SA flags: 0: Sep 21 07:15:52.379020: | -> UNDEFINED EVENT_NULL Sep 21 07:15:52.379023: | INFO: category: informational flags: 0: Sep 21 07:15:52.379026: | -> UNDEFINED EVENT_NULL Sep 21 07:15:52.379029: | INFO_PROTECTED: category: informational flags: 0: Sep 21 07:15:52.379032: | -> UNDEFINED EVENT_NULL Sep 21 07:15:52.379035: | XAUTH_R0: category: established IKE SA flags: 0: Sep 21 07:15:52.379038: | -> XAUTH_R1 EVENT_NULL Sep 21 07:15:52.379041: | XAUTH_R1: category: established IKE SA flags: 0: Sep 21 07:15:52.379044: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:15:52.379047: | MODE_CFG_R0: category: informational flags: 0: Sep 21 07:15:52.379050: | -> MODE_CFG_R1 EVENT_SA_REPLACE Sep 21 07:15:52.379053: | MODE_CFG_R1: category: established IKE SA flags: 0: Sep 21 07:15:52.379060: | -> MODE_CFG_R2 EVENT_SA_REPLACE Sep 21 07:15:52.379063: | MODE_CFG_R2: category: established IKE SA flags: 0: Sep 21 07:15:52.379066: | -> UNDEFINED EVENT_NULL Sep 21 07:15:52.378993: | crypto helper 3 waiting (nothing to do) Sep 21 07:15:52.379069: | MODE_CFG_I1: category: established IKE SA flags: 0: Sep 21 07:15:52.379079: | crypto helper 4 waiting (nothing to do) Sep 21 07:15:52.379080: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:15:52.379090: | XAUTH_I0: category: established IKE SA flags: 0: Sep 21 07:15:52.379093: | -> XAUTH_I1 EVENT_RETRANSMIT Sep 21 07:15:52.379099: | XAUTH_I1: category: established IKE SA flags: 0: Sep 21 07:15:52.379102: | -> MAIN_I4 EVENT_RETRANSMIT Sep 21 07:15:52.379109: | checking IKEv2 state table Sep 21 07:15:52.379115: | PARENT_I0: category: ignore flags: 0: Sep 21 07:15:52.379119: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Sep 21 07:15:52.379123: | PARENT_I1: category: half-open IKE SA flags: 0: Sep 21 07:15:52.379126: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Sep 21 07:15:52.379130: | -> PARENT_I2 
EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Sep 21 07:15:52.379133: | PARENT_I2: category: open IKE SA flags: 0: Sep 21 07:15:52.379137: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Sep 21 07:15:52.379140: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Sep 21 07:15:52.379143: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Sep 21 07:15:52.379147: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Sep 21 07:15:52.379150: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Sep 21 07:15:52.379154: | PARENT_I3: category: established IKE SA flags: 0: Sep 21 07:15:52.379157: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) Sep 21 07:15:52.379160: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) Sep 21 07:15:52.379163: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Sep 21 07:15:52.379166: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) Sep 21 07:15:52.379169: | PARENT_R0: category: half-open IKE SA flags: 0: Sep 21 07:15:52.379172: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) Sep 21 07:15:52.379176: | PARENT_R1: category: half-open IKE SA flags: 0: Sep 21 07:15:52.379179: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) Sep 21 07:15:52.379182: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Sep 21 07:15:52.379186: | PARENT_R2: category: established IKE SA flags: 0: Sep 21 07:15:52.379189: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Sep 21 07:15:52.379192: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) Sep 21 07:15:52.379195: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Sep 21 07:15:52.379199: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL 
Response) Sep 21 07:15:52.379202: | V2_CREATE_I0: category: established IKE SA flags: 0: Sep 21 07:15:52.379205: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Sep 21 07:15:52.379209: | V2_CREATE_I: category: established IKE SA flags: 0: Sep 21 07:15:52.379212: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Sep 21 07:15:52.379215: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: Sep 21 07:15:52.379219: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Sep 21 07:15:52.379222: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Sep 21 07:15:52.379226: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Sep 21 07:15:52.379232: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Sep 21 07:15:52.379235: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Sep 21 07:15:52.379239: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Sep 21 07:15:52.379243: | V2_CREATE_R: category: established IKE SA flags: 0: Sep 21 07:15:52.379246: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Sep 21 07:15:52.379249: | V2_REKEY_IKE_R: category: established IKE SA flags: 0: Sep 21 07:15:52.379253: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Sep 21 07:15:52.379257: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Sep 21 07:15:52.379260: | V2_IPSEC_I: category: established CHILD SA flags: 0: Sep 21 07:15:52.379264: | V2_IPSEC_R: category: established CHILD SA flags: 0: Sep 21 07:15:52.379267: | IKESA_DEL: category: established IKE SA flags: 0: Sep 21 07:15:52.379270: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Sep 21 07:15:52.379274: | CHILDSA_DEL: category: informational flags: 0: Sep 21 07:15:52.379316: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ Sep 21 07:15:52.379371: 
| Hard-wiring algorithms Sep 21 07:15:52.379375: | adding AES_CCM_16 to kernel algorithm db Sep 21 07:15:52.379379: | adding AES_CCM_12 to kernel algorithm db Sep 21 07:15:52.379382: | adding AES_CCM_8 to kernel algorithm db Sep 21 07:15:52.379385: | adding 3DES_CBC to kernel algorithm db Sep 21 07:15:52.379388: | adding CAMELLIA_CBC to kernel algorithm db Sep 21 07:15:52.379391: | adding AES_GCM_16 to kernel algorithm db Sep 21 07:15:52.379393: | adding AES_GCM_12 to kernel algorithm db Sep 21 07:15:52.379396: | adding AES_GCM_8 to kernel algorithm db Sep 21 07:15:52.379399: | adding AES_CTR to kernel algorithm db Sep 21 07:15:52.379402: | adding AES_CBC to kernel algorithm db Sep 21 07:15:52.379405: | adding SERPENT_CBC to kernel algorithm db Sep 21 07:15:52.379408: | adding TWOFISH_CBC to kernel algorithm db Sep 21 07:15:52.379411: | adding NULL_AUTH_AES_GMAC to kernel algorithm db Sep 21 07:15:52.379414: | adding NULL to kernel algorithm db Sep 21 07:15:52.379416: | adding CHACHA20_POLY1305 to kernel algorithm db Sep 21 07:15:52.379419: | adding HMAC_MD5_96 to kernel algorithm db Sep 21 07:15:52.379423: | adding HMAC_SHA1_96 to kernel algorithm db Sep 21 07:15:52.379426: | adding HMAC_SHA2_512_256 to kernel algorithm db Sep 21 07:15:52.379429: | adding HMAC_SHA2_384_192 to kernel algorithm db Sep 21 07:15:52.379432: | adding HMAC_SHA2_256_128 to kernel algorithm db Sep 21 07:15:52.379435: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Sep 21 07:15:52.379438: | adding AES_XCBC_96 to kernel algorithm db Sep 21 07:15:52.379440: | adding AES_CMAC_96 to kernel algorithm db Sep 21 07:15:52.379443: | adding NONE to kernel algorithm db Sep 21 07:15:52.379463: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Sep 21 07:15:52.379470: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Sep 21 07:15:52.379473: | setup kernel fd callback Sep 21 07:15:52.379477: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55c77b0058b0 Sep 21 
07:15:52.379481: | libevent_malloc: new ptr-libevent@0x55c77b00cd80 size 128 Sep 21 07:15:52.379485: | libevent_malloc: new ptr-libevent@0x55c77affb640 size 16 Sep 21 07:15:52.379492: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55c77b000150 Sep 21 07:15:52.379495: | libevent_malloc: new ptr-libevent@0x55c77b00ce10 size 128 Sep 21 07:15:52.379498: | libevent_malloc: new ptr-libevent@0x55c77b0000a0 size 16 Sep 21 07:15:52.379730: | global one-shot timer EVENT_CHECK_CRLS initialized Sep 21 07:15:52.379738: selinux support is enabled. Sep 21 07:15:52.379093: | starting up helper thread 0 Sep 21 07:15:52.379773: | status value returned by setting the priority of this thread (crypto helper 0) 22 Sep 21 07:15:52.379777: | crypto helper 0 waiting (nothing to do) Sep 21 07:15:52.379793: | starting up helper thread 5 Sep 21 07:15:52.379801: | status value returned by setting the priority of this thread (crypto helper 5) 22 Sep 21 07:15:52.379803: | crypto helper 5 waiting (nothing to do) Sep 21 07:15:52.380208: systemd watchdog not enabled - not sending watchdog keepalives Sep 21 07:15:52.380385: | unbound context created - setting debug level to 5 Sep 21 07:15:52.380419: | /etc/hosts lookups activated Sep 21 07:15:52.380431: | /etc/resolv.conf usage activated Sep 21 07:15:52.380447: | starting up helper thread 2 Sep 21 07:15:52.380457: | status value returned by setting the priority of this thread (crypto helper 2) 22 Sep 21 07:15:52.380460: | crypto helper 2 waiting (nothing to do) Sep 21 07:15:52.380494: | outgoing-port-avoid set 0-65535 Sep 21 07:15:52.380524: | outgoing-port-permit set 32768-60999 Sep 21 07:15:52.380527: | Loading dnssec root key from:/var/lib/unbound/root.key Sep 21 07:15:52.380531: | No additional dnssec trust anchors defined via dnssec-trusted= option Sep 21 07:15:52.380534: | Setting up events, loop start Sep 21 07:15:52.380537: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55c77afffea0 Sep 21 07:15:52.380541: | libevent_malloc: new 
ptr-libevent@0x55c77b017380 size 128 Sep 21 07:15:52.380545: | libevent_malloc: new ptr-libevent@0x55c77b017410 size 16 Sep 21 07:15:52.380552: | libevent_realloc: new ptr-libevent@0x55c77af7d5b0 size 256 Sep 21 07:15:52.380556: | libevent_malloc: new ptr-libevent@0x55c77b017430 size 8 Sep 21 07:15:52.380559: | libevent_realloc: new ptr-libevent@0x55c77b00c080 size 144 Sep 21 07:15:52.380562: | libevent_malloc: new ptr-libevent@0x55c77b017450 size 152 Sep 21 07:15:52.380566: | libevent_malloc: new ptr-libevent@0x55c77b0174f0 size 16 Sep 21 07:15:52.380570: | signal event handler PLUTO_SIGCHLD installed Sep 21 07:15:52.380574: | libevent_malloc: new ptr-libevent@0x55c77b017510 size 8 Sep 21 07:15:52.380577: | libevent_malloc: new ptr-libevent@0x55c77b017530 size 152 Sep 21 07:15:52.380580: | signal event handler PLUTO_SIGTERM installed Sep 21 07:15:52.380583: | libevent_malloc: new ptr-libevent@0x55c77b0175d0 size 8 Sep 21 07:15:52.380586: | libevent_malloc: new ptr-libevent@0x55c77b0175f0 size 152 Sep 21 07:15:52.380591: | signal event handler PLUTO_SIGHUP installed Sep 21 07:15:52.380594: | libevent_malloc: new ptr-libevent@0x55c77b017690 size 8 Sep 21 07:15:52.380597: | libevent_realloc: release ptr-libevent@0x55c77b00c080 Sep 21 07:15:52.380600: | libevent_realloc: new ptr-libevent@0x55c77b0176b0 size 256 Sep 21 07:15:52.380603: | libevent_malloc: new ptr-libevent@0x55c77b00c080 size 152 Sep 21 07:15:52.380607: | signal event handler PLUTO_SIGSYS installed Sep 21 07:15:52.381362: | created addconn helper (pid:11245) using fork+execve Sep 21 07:15:52.381380: | forked child 11245 Sep 21 07:15:52.381430: | starting up helper thread 6 Sep 21 07:15:52.381443: | status value returned by setting the priority of this thread (crypto helper 6) 22 Sep 21 07:15:52.381640: | crypto helper 6 waiting (nothing to do) Sep 21 07:15:52.381430: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:15:52.381818: 
| pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:15:52.381826: listening for IKE messages Sep 21 07:15:52.381879: | Inspecting interface lo Sep 21 07:15:52.381885: | found lo with address 127.0.0.1 Sep 21 07:15:52.381889: | Inspecting interface eth0 Sep 21 07:15:52.381893: | found eth0 with address 192.0.2.254 Sep 21 07:15:52.381896: | Inspecting interface eth1 Sep 21 07:15:52.381900: | found eth1 with address 192.1.2.23 Sep 21 07:15:52.381945: Kernel supports NIC esp-hw-offload Sep 21 07:15:52.381955: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Sep 21 07:15:52.381978: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:15:52.381983: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:15:52.381987: adding interface eth1/eth1 192.1.2.23:4500 Sep 21 07:15:52.382011: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Sep 21 07:15:52.382037: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:15:52.382041: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:15:52.382045: adding interface eth0/eth0 192.0.2.254:4500 Sep 21 07:15:52.382072: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Sep 21 07:15:52.382177: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:15:52.382184: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:15:52.382189: adding interface lo/lo 127.0.0.1:4500 Sep 21 07:15:52.382244: | no interfaces to sort Sep 21 07:15:52.382249: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Sep 21 07:15:52.382258: | add_fd_read_event_handler: new ethX-pe@0x55c77b000c20 Sep 21 07:15:52.382262: | libevent_malloc: new ptr-libevent@0x55c77b017a20 size 128 Sep 21 07:15:52.382266: | libevent_malloc: new ptr-libevent@0x55c77b017ab0 size 16 Sep 21 07:15:52.382277: | setup callback for interface lo 127.0.0.1:4500 fd 22 Sep 21 07:15:52.382281: | add_fd_read_event_handler: new ethX-pe@0x55c77b017ad0 Sep 21 07:15:52.382284: | libevent_malloc: new ptr-libevent@0x55c77b017b10 size 128 Sep 21 07:15:52.382287: | libevent_malloc: new ptr-libevent@0x55c77b017ba0 size 16 Sep 21 07:15:52.382292: | setup callback for interface lo 127.0.0.1:500 fd 21 Sep 21 07:15:52.382295: | add_fd_read_event_handler: new ethX-pe@0x55c77b017bc0 Sep 21 07:15:52.382299: | libevent_malloc: new ptr-libevent@0x55c77b017c00 size 128 Sep 21 07:15:52.382302: | libevent_malloc: new ptr-libevent@0x55c77b017c90 size 16 Sep 21 07:15:52.382307: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Sep 21 07:15:52.382310: | add_fd_read_event_handler: new ethX-pe@0x55c77b017cb0 Sep 21 07:15:52.382313: | libevent_malloc: new ptr-libevent@0x55c77b017cf0 size 128 Sep 21 07:15:52.382316: | libevent_malloc: new ptr-libevent@0x55c77b017d80 size 16 Sep 21 07:15:52.382321: | setup callback for interface eth0 192.0.2.254:500 fd 19 Sep 21 07:15:52.382324: | add_fd_read_event_handler: new ethX-pe@0x55c77b017da0 Sep 21 07:15:52.382327: | libevent_malloc: new ptr-libevent@0x55c77b017de0 size 128 Sep 21 07:15:52.382330: | libevent_malloc: new ptr-libevent@0x55c77b017e70 size 16 Sep 21 07:15:52.382335: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Sep 21 07:15:52.382338: | add_fd_read_event_handler: new ethX-pe@0x55c77b017e90 Sep 21 07:15:52.382342: | libevent_malloc: new ptr-libevent@0x55c77b017ed0 size 128 Sep 21 07:15:52.382345: | libevent_malloc: new ptr-libevent@0x55c77b017f60 size 16 Sep 21 07:15:52.382350: | setup callback for interface eth1 192.1.2.23:500 fd 17 Sep 21 
07:15:52.382355: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:15:52.382358: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:15:52.382385: loading secrets from "/etc/ipsec.secrets" Sep 21 07:15:52.382399: | id type added to secret(0x55c77b00cf60) PKK_PSK: @east Sep 21 07:15:52.382404: | id type added to secret(0x55c77b00cf60) PKK_PSK: @west Sep 21 07:15:52.382408: | Processing PSK at line 1: passed Sep 21 07:15:52.382411: | certs and keys locked by 'process_secret' Sep 21 07:15:52.382413: | certs and keys unlocked by 'process_secret' Sep 21 07:15:52.382419: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:15:52.382428: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:15:52.382434: | spent 0.589 milliseconds in whack Sep 21 07:15:52.383083: | starting up helper thread 1 Sep 21 07:15:52.383097: | status value returned by setting the priority of this thread (crypto helper 1) 22 Sep 21 07:15:52.383101: | crypto helper 1 waiting (nothing to do) Sep 21 07:15:52.411458: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:15:52.411480: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:15:52.411484: listening for IKE messages Sep 21 07:15:52.411514: | Inspecting interface lo Sep 21 07:15:52.411523: | found lo with address 127.0.0.1 Sep 21 07:15:52.411526: | Inspecting interface eth0 Sep 21 07:15:52.411528: | found eth0 with address 192.0.2.254 Sep 21 07:15:52.411530: | Inspecting interface eth1 Sep 21 07:15:52.411532: | found eth1 with address 192.1.2.23 Sep 21 07:15:52.411573: | no interfaces to sort Sep 21 07:15:52.411580: | libevent_free: release ptr-libevent@0x55c77b017a20 Sep 21 07:15:52.411582: | free_event_entry: release EVENT_NULL-pe@0x55c77b000c20 Sep 21 07:15:52.411584: | add_fd_read_event_handler: new ethX-pe@0x55c77b000c20 Sep 21 07:15:52.411586: | libevent_malloc: new ptr-libevent@0x55c77b017a20 size 
128 Sep 21 07:15:52.411592: | setup callback for interface lo 127.0.0.1:4500 fd 22 Sep 21 07:15:52.411594: | libevent_free: release ptr-libevent@0x55c77b017b10 Sep 21 07:15:52.411596: | free_event_entry: release EVENT_NULL-pe@0x55c77b017ad0 Sep 21 07:15:52.411597: | add_fd_read_event_handler: new ethX-pe@0x55c77b017ad0 Sep 21 07:15:52.411599: | libevent_malloc: new ptr-libevent@0x55c77b017b10 size 128 Sep 21 07:15:52.411602: | setup callback for interface lo 127.0.0.1:500 fd 21 Sep 21 07:15:52.411604: | libevent_free: release ptr-libevent@0x55c77b017c00 Sep 21 07:15:52.411606: | free_event_entry: release EVENT_NULL-pe@0x55c77b017bc0 Sep 21 07:15:52.411607: | add_fd_read_event_handler: new ethX-pe@0x55c77b017bc0 Sep 21 07:15:52.411609: | libevent_malloc: new ptr-libevent@0x55c77b017c00 size 128 Sep 21 07:15:52.411612: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Sep 21 07:15:52.411614: | libevent_free: release ptr-libevent@0x55c77b017cf0 Sep 21 07:15:52.411615: | free_event_entry: release EVENT_NULL-pe@0x55c77b017cb0 Sep 21 07:15:52.411617: | add_fd_read_event_handler: new ethX-pe@0x55c77b017cb0 Sep 21 07:15:52.411619: | libevent_malloc: new ptr-libevent@0x55c77b017cf0 size 128 Sep 21 07:15:52.411621: | setup callback for interface eth0 192.0.2.254:500 fd 19 Sep 21 07:15:52.411623: | libevent_free: release ptr-libevent@0x55c77b017de0 Sep 21 07:15:52.411625: | free_event_entry: release EVENT_NULL-pe@0x55c77b017da0 Sep 21 07:15:52.411626: | add_fd_read_event_handler: new ethX-pe@0x55c77b017da0 Sep 21 07:15:52.411628: | libevent_malloc: new ptr-libevent@0x55c77b017de0 size 128 Sep 21 07:15:52.411631: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Sep 21 07:15:52.411633: | libevent_free: release ptr-libevent@0x55c77b017ed0 Sep 21 07:15:52.411635: | free_event_entry: release EVENT_NULL-pe@0x55c77b017e90 Sep 21 07:15:52.411636: | add_fd_read_event_handler: new ethX-pe@0x55c77b017e90 Sep 21 07:15:52.411638: | libevent_malloc: new 
ptr-libevent@0x55c77b017ed0 size 128 Sep 21 07:15:52.411640: | setup callback for interface eth1 192.1.2.23:500 fd 17 Sep 21 07:15:52.411642: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:15:52.411644: forgetting secrets Sep 21 07:15:52.411650: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:15:52.411661: loading secrets from "/etc/ipsec.secrets" Sep 21 07:15:52.411667: | id type added to secret(0x55c77b00cf60) PKK_PSK: @east Sep 21 07:15:52.411669: | id type added to secret(0x55c77b00cf60) PKK_PSK: @west Sep 21 07:15:52.411672: | Processing PSK at line 1: passed Sep 21 07:15:52.411674: | certs and keys locked by 'process_secret' Sep 21 07:15:52.411675: | certs and keys unlocked by 'process_secret' Sep 21 07:15:52.411678: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:15:52.411684: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:15:52.411689: | spent 0.238 milliseconds in whack Sep 21 07:15:52.412099: | processing signal PLUTO_SIGCHLD Sep 21 07:15:52.412116: | waitpid returned pid 11245 (exited with status 0) Sep 21 07:15:52.412121: | reaped addconn helper child (status 0) Sep 21 07:15:52.412126: | waitpid returned ECHILD (no child processes left) Sep 21 07:15:52.412132: | spent 0.0193 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:15:52.493681: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:15:52.493707: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:15:52.493711: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:15:52.493713: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:15:52.493715: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:15:52.493719: | FOR_EACH_CONNECTION_... 
in conn_by_name Sep 21 07:15:52.493727: | Added new connection westnet-eastnet-ipv4-psk-ikev2 with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:15:52.493779: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Sep 21 07:15:52.493789: | from whack: got --esp= Sep 21 07:15:52.493826: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 Sep 21 07:15:52.493831: | counting wild cards for @west is 0 Sep 21 07:15:52.493834: | counting wild cards for @east is 0 Sep 21 07:15:52.493845: | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none Sep 21 07:15:52.493848: | new hp@0x55c77afe41c0 Sep 21 07:15:52.493852: added connection description "westnet-eastnet-ipv4-psk-ikev2" Sep 21 07:15:52.493862: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:15:52.493873: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.2.45<192.1.2.45>[@west]===192.0.1.0/24 Sep 21 07:15:52.493882: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:15:52.493888: | spent 0.214 milliseconds in whack Sep 21 07:15:52.581027: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:15:52.581351: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:15:52.581357: | FOR_EACH_CONNECTION_... 
in show_connections_status Sep 21 07:15:52.581424: | FOR_EACH_STATE_... in show_states_status (sort_states) Sep 21 07:15:52.581434: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:15:52.581442: | spent 0.416 milliseconds in whack Sep 21 07:15:55.166640: | spent 0.00271 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:15:55.166667: | *received 828 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
Sep 21 07:15:55.166810: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Sep 21 07:15:55.166814: | **parse ISAKMP Message: Sep 21 07:15:55.166817: | initiator cookie: Sep 21 07:15:55.166819: | f7 f8 9a 6c 87 12 2b d5 Sep 21 07:15:55.166821: | responder cookie: Sep 21 07:15:55.166823: | 00 00 00 00 00 00 00 00 Sep 21 07:15:55.166826: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:15:55.166829: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:15:55.166831: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:15:55.166834: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:15:55.166836: | Message ID: 0 (0x0) Sep 21 07:15:55.166839: | length: 828 (0x33c) Sep 21 07:15:55.166841: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Sep 21 07:15:55.166845: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Sep 21 07:15:55.166848: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Sep 21 07:15:55.166851: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:15:55.166854: | ***parse IKEv2 Security Association Payload: Sep 21 07:15:55.166856: | next payload type: ISAKMP_NEXT_v2KE (0x22) Sep 21 07:15:55.166859: | flags: none (0x0) Sep 21 07:15:55.166861: | length: 436 (0x1b4) Sep 21 07:15:55.166865: | processing payload: ISAKMP_NEXT_v2SA (len=432) Sep 21 07:15:55.166868: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:15:55.166871: | ***parse IKEv2 Key Exchange Payload: Sep 21 07:15:55.166873: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:15:55.166875: | flags: none (0x0) Sep 21 07:15:55.166877: | length: 264 (0x108) Sep 21
07:15:55.166880: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:15:55.166882: | processing payload: ISAKMP_NEXT_v2KE (len=256) Sep 21 07:15:55.166884: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 21 07:15:55.166887: | ***parse IKEv2 Nonce Payload: Sep 21 07:15:55.166889: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:15:55.166891: | flags: none (0x0) Sep 21 07:15:55.166894: | length: 36 (0x24) Sep 21 07:15:55.166896: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:15:55.166898: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:15:55.166901: | ***parse IKEv2 Notify Payload: Sep 21 07:15:55.166903: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:15:55.166905: | flags: none (0x0) Sep 21 07:15:55.166907: | length: 8 (0x8) Sep 21 07:15:55.166910: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:15:55.166912: | SPI size: 0 (0x0) Sep 21 07:15:55.166915: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:15:55.166917: | processing payload: ISAKMP_NEXT_v2N (len=0) Sep 21 07:15:55.166919: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:15:55.166922: | ***parse IKEv2 Notify Payload: Sep 21 07:15:55.166924: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:15:55.166926: | flags: none (0x0) Sep 21 07:15:55.166929: | length: 28 (0x1c) Sep 21 07:15:55.166931: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:15:55.166933: | SPI size: 0 (0x0) Sep 21 07:15:55.166936: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:15:55.166938: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:15:55.166940: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:15:55.166943: | ***parse IKEv2 Notify Payload: Sep 21 07:15:55.166945: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:15:55.166947: | flags: none (0x0) Sep 21 07:15:55.166949: | length: 28 (0x1c) Sep 21 07:15:55.166952: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:15:55.166954: | SPI size: 0 (0x0) Sep 21 
07:15:55.166956: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:15:55.166959: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:15:55.166961: | DDOS disabled and no cookie sent, continuing Sep 21 07:15:55.166967: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:15:55.166972: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Sep 21 07:15:55.166975: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:15:55.166978: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (westnet-eastnet-ipv4-psk-ikev2) Sep 21 07:15:55.166981: | find_next_host_connection returns empty Sep 21 07:15:55.166985: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:15:55.166988: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:15:55.166990: | find_next_host_connection returns empty Sep 21 07:15:55.166994: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Sep 21 07:15:55.166999: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:15:55.167003: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Sep 21 07:15:55.167006: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:15:55.167009: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (westnet-eastnet-ipv4-psk-ikev2) Sep 21 07:15:55.167013: | find_next_host_connection returns empty Sep 21 07:15:55.167016: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:15:55.167019: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:15:55.167021: | find_next_host_connection returns empty Sep 21 07:15:55.167025: | initial parent SA 
message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Sep 21 07:15:55.167029: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=PSK+IKEV2_ALLOW but ignoring ports Sep 21 07:15:55.167034: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Sep 21 07:15:55.167036: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:15:55.167039: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (westnet-eastnet-ipv4-psk-ikev2) Sep 21 07:15:55.167042: | find_next_host_connection returns westnet-eastnet-ipv4-psk-ikev2 Sep 21 07:15:55.167044: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:15:55.167046: | find_next_host_connection returns empty Sep 21 07:15:55.167049: | found connection: westnet-eastnet-ipv4-psk-ikev2 with policy PSK+IKEV2_ALLOW Sep 21 07:15:55.167075: | creating state object #1 at 0x55c77b01b0e0 Sep 21 07:15:55.167079: | State DB: adding IKEv2 state #1 in UNDEFINED Sep 21 07:15:55.167086: | pstats #1 ikev2.ike started Sep 21 07:15:55.167090: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Sep 21 07:15:55.167093: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Sep 21 07:15:55.167098: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:15:55.167107: | start processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:15:55.167111: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:15:55.167115: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:15:55.167118: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Sep 21 07:15:55.167122: | 
Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Sep 21 07:15:55.167127: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Sep 21 07:15:55.167130: | #1 in state PARENT_R0: processing SA_INIT request Sep 21 07:15:55.167132: | selected state microcode Respond to IKE_SA_INIT Sep 21 07:15:55.167135: | Now let's proceed with state specific processing Sep 21 07:15:55.167137: | calling processor Respond to IKE_SA_INIT Sep 21 07:15:55.167143: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:15:55.167146: | constructing local IKE proposals for westnet-eastnet-ipv4-psk-ikev2 (IKE SA responder matching remote proposals) Sep 21 07:15:55.167153: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:15:55.167161: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:15:55.167165: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:15:55.167170: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:15:55.167174: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:15:55.167181: | ... 
ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:15:55.167185: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:15:55.167190: | ... ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:15:55.167201: "westnet-eastnet-ipv4-psk-ikev2": constructed local IKE proposals for westnet-eastnet-ipv4-psk-ikev2 (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:15:55.167205: | Comparing remote proposals against IKE responder 4 local proposals Sep 21 07:15:55.167209: | local proposal 1 type ENCR has 1 transforms Sep 21 07:15:55.167212: | local proposal 1 type PRF has 2 transforms Sep 21 07:15:55.167214: | local proposal 1 type INTEG has 1 transforms Sep 21 07:15:55.167217: | local proposal 1 type DH has 8 transforms Sep 21 07:15:55.167219: | local proposal 1 type ESN has 0 transforms Sep 21 07:15:55.167222: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Sep 21 07:15:55.167225: | local proposal 2 type ENCR has 1 transforms Sep 21 07:15:55.167227: | local 
proposal 2 type PRF has 2 transforms Sep 21 07:15:55.167229: | local proposal 2 type INTEG has 1 transforms Sep 21 07:15:55.167232: | local proposal 2 type DH has 8 transforms Sep 21 07:15:55.167234: | local proposal 2 type ESN has 0 transforms Sep 21 07:15:55.167237: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Sep 21 07:15:55.167240: | local proposal 3 type ENCR has 1 transforms Sep 21 07:15:55.167242: | local proposal 3 type PRF has 2 transforms Sep 21 07:15:55.167244: | local proposal 3 type INTEG has 2 transforms Sep 21 07:15:55.167247: | local proposal 3 type DH has 8 transforms Sep 21 07:15:55.167249: | local proposal 3 type ESN has 0 transforms Sep 21 07:15:55.167252: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:15:55.167254: | local proposal 4 type ENCR has 1 transforms Sep 21 07:15:55.167257: | local proposal 4 type PRF has 2 transforms Sep 21 07:15:55.167259: | local proposal 4 type INTEG has 2 transforms Sep 21 07:15:55.167261: | local proposal 4 type DH has 8 transforms Sep 21 07:15:55.167264: | local proposal 4 type ESN has 0 transforms Sep 21 07:15:55.167266: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:15:55.167269: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:15:55.167272: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:15:55.167274: | length: 100 (0x64) Sep 21 07:15:55.167277: | prop #: 1 (0x1) Sep 21 07:15:55.167279: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:15:55.167281: | spi size: 0 (0x0) Sep 21 07:15:55.167284: | # transforms: 11 (0xb) Sep 21 07:15:55.167287: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Sep 21 07:15:55.167290: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167292: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167295: | length: 12 (0xc) Sep 21 07:15:55.167297: | IKEv2 transform type: TRANS_TYPE_ENCR 
(0x1) Sep 21 07:15:55.167299: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:15:55.167304: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:15:55.167306: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:15:55.167309: | length/value: 256 (0x100) Sep 21 07:15:55.167313: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:15:55.167316: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167318: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167320: | length: 8 (0x8) Sep 21 07:15:55.167323: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:15:55.167325: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:15:55.167328: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Sep 21 07:15:55.167331: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Sep 21 07:15:55.167335: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Sep 21 07:15:55.167338: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Sep 21 07:15:55.167340: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167342: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167345: | length: 8 (0x8) Sep 21 07:15:55.167347: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:15:55.167349: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:15:55.167352: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167354: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167356: | length: 8 (0x8) Sep 21 07:15:55.167359: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167361: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:15:55.167364: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Sep 21 
07:15:55.167368: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Sep 21 07:15:55.167371: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Sep 21 07:15:55.167374: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Sep 21 07:15:55.167377: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167379: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167381: | length: 8 (0x8) Sep 21 07:15:55.167383: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167386: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:15:55.167388: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167391: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167393: | length: 8 (0x8) Sep 21 07:15:55.167395: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167398: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:15:55.167400: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167402: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167405: | length: 8 (0x8) Sep 21 07:15:55.167407: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167409: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:15:55.167412: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167414: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167416: | length: 8 (0x8) Sep 21 07:15:55.167419: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167421: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:15:55.167423: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167426: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167428: | length: 8 (0x8) Sep 21 07:15:55.167430: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167433: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) 
Sep 21 07:15:55.167435: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167439: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167441: | length: 8 (0x8) Sep 21 07:15:55.167444: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167446: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:15:55.167449: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167451: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:15:55.167453: | length: 8 (0x8) Sep 21 07:15:55.167456: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167458: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:15:55.167462: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Sep 21 07:15:55.167466: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Sep 21 07:15:55.167468: | remote proposal 1 matches local proposal 1 Sep 21 07:15:55.167471: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:15:55.167473: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:15:55.167476: | length: 100 (0x64) Sep 21 07:15:55.167478: | prop #: 2 (0x2) Sep 21 07:15:55.167480: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:15:55.167482: | spi size: 0 (0x0) Sep 21 07:15:55.167485: | # transforms: 11 (0xb) Sep 21 07:15:55.167488: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:15:55.167490: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167493: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167495: | length: 12 (0xc) Sep 21 07:15:55.167497: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:15:55.167500: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:15:55.167502: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:15:55.167505: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 
07:15:55.167507: | length/value: 128 (0x80) Sep 21 07:15:55.167510: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167512: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167514: | length: 8 (0x8) Sep 21 07:15:55.167517: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:15:55.167519: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:15:55.167522: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167524: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167526: | length: 8 (0x8) Sep 21 07:15:55.167528: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:15:55.167531: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:15:55.167533: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167536: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167538: | length: 8 (0x8) Sep 21 07:15:55.167540: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167543: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:15:55.167545: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167547: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167550: | length: 8 (0x8) Sep 21 07:15:55.167552: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167554: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:15:55.167557: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167559: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167561: | length: 8 (0x8) Sep 21 07:15:55.167564: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167566: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:15:55.167569: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167571: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167573: | length: 8 (0x8) Sep 21 07:15:55.167576: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167578: | IKEv2 transform ID: 
OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:15:55.167584: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167586: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167588: | length: 8 (0x8) Sep 21 07:15:55.167591: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167593: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:15:55.167596: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167598: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167600: | length: 8 (0x8) Sep 21 07:15:55.167603: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167605: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:15:55.167607: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167610: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167612: | length: 8 (0x8) Sep 21 07:15:55.167614: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167617: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:15:55.167619: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167622: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:15:55.167624: | length: 8 (0x8) Sep 21 07:15:55.167626: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167628: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:15:55.167632: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Sep 21 07:15:55.167635: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Sep 21 07:15:55.167637: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:15:55.167640: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:15:55.167642: | length: 116 (0x74) Sep 21 07:15:55.167644: | prop #: 3 (0x3) Sep 21 07:15:55.167646: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:15:55.167649: | spi size: 0 (0x0) Sep 21 07:15:55.167651: | # transforms: 13 (0xd) Sep 21 07:15:55.167654: | Comparing remote proposal 3 
containing 13 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:15:55.167657: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167659: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167661: | length: 12 (0xc) Sep 21 07:15:55.167663: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:15:55.167666: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:15:55.167668: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:15:55.167670: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:15:55.167673: | length/value: 256 (0x100) Sep 21 07:15:55.167676: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167678: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167680: | length: 8 (0x8) Sep 21 07:15:55.167682: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:15:55.167685: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:15:55.167687: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167690: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167692: | length: 8 (0x8) Sep 21 07:15:55.167694: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:15:55.167697: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:15:55.167699: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167702: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167704: | length: 8 (0x8) Sep 21 07:15:55.167706: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:15:55.167709: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:15:55.167711: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167714: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167716: | length: 8 (0x8) Sep 21 07:15:55.167718: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:15:55.167720: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:15:55.167723: | *****parse IKEv2 Transform Substructure Payload: Sep 21 
07:15:55.167727: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167729: | length: 8 (0x8) Sep 21 07:15:55.167731: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167734: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:15:55.167736: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167738: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167741: | length: 8 (0x8) Sep 21 07:15:55.167743: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167745: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:15:55.167748: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167750: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167752: | length: 8 (0x8) Sep 21 07:15:55.167755: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167757: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:15:55.167760: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167762: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167764: | length: 8 (0x8) Sep 21 07:15:55.167767: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167769: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:15:55.167772: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167774: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167776: | length: 8 (0x8) Sep 21 07:15:55.167779: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167781: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:15:55.167787: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167791: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167793: | length: 8 (0x8) Sep 21 07:15:55.167795: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167798: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:15:55.167800: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167803: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167805: | length: 8 (0x8) Sep 21 07:15:55.167807: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167809: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:15:55.167812: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167814: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:15:55.167817: | length: 8 (0x8) Sep 21 07:15:55.167819: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167821: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:15:55.167825: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Sep 21 07:15:55.167828: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Sep 21 07:15:55.167830: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:15:55.167832: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:15:55.167835: | length: 116 (0x74) Sep 21 07:15:55.167837: | prop #: 4 (0x4) Sep 21 07:15:55.167840: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:15:55.167842: | spi size: 0 (0x0) Sep 21 07:15:55.167844: | # transforms: 13 (0xd) Sep 21 07:15:55.167847: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:15:55.167850: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167852: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167854: | length: 12 (0xc) Sep 21 07:15:55.167856: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:15:55.167859: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:15:55.167861: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:15:55.167864: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:15:55.167866: | length/value: 128 (0x80) Sep 21 07:15:55.167869: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167871: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167874: | length: 8 (0x8) Sep 21 
07:15:55.167877: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:15:55.167879: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:15:55.167882: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167884: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167886: | length: 8 (0x8) Sep 21 07:15:55.167889: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:15:55.167891: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:15:55.167894: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167896: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167898: | length: 8 (0x8) Sep 21 07:15:55.167901: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:15:55.167903: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:15:55.167906: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167908: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167910: | length: 8 (0x8) Sep 21 07:15:55.167913: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:15:55.167915: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:15:55.167918: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167920: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167922: | length: 8 (0x8) Sep 21 07:15:55.167925: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167927: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:15:55.167930: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167932: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167934: | length: 8 (0x8) Sep 21 07:15:55.167937: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167939: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:15:55.167941: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167944: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167946: | length: 8 (0x8) Sep 21 07:15:55.167948: | 
IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167951: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:15:55.167953: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167956: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167958: | length: 8 (0x8) Sep 21 07:15:55.167960: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167963: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:15:55.167965: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167967: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167970: | length: 8 (0x8) Sep 21 07:15:55.167972: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167974: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:15:55.167977: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167979: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167982: | length: 8 (0x8) Sep 21 07:15:55.167984: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167986: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:15:55.167989: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.167991: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.167993: | length: 8 (0x8) Sep 21 07:15:55.167996: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.167998: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:15:55.168001: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.168003: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:15:55.168005: | length: 8 (0x8) Sep 21 07:15:55.168008: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.168010: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:15:55.168014: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Sep 21 07:15:55.168016: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH 
Sep 21 07:15:55.168023: "westnet-eastnet-ipv4-psk-ikev2" #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Sep 21 07:15:55.168028: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Sep 21 07:15:55.168030: | converting proposal to internal trans attrs Sep 21 07:15:55.168034: | natd_hash: rcookie is zero Sep 21 07:15:55.168045: | natd_hash: hasher=0x55c77aa137a0(20) Sep 21 07:15:55.168048: | natd_hash: icookie= f7 f8 9a 6c 87 12 2b d5 Sep 21 07:15:55.168050: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:15:55.168052: | natd_hash: ip= c0 01 02 17 Sep 21 07:15:55.168055: | natd_hash: port= 01 f4 Sep 21 07:15:55.168057: | natd_hash: hash= 8a 8b 08 98 73 b3 64 a3 39 6b b8 2e 13 f8 50 27 Sep 21 07:15:55.168059: | natd_hash: hash= 53 9a d1 d8 Sep 21 07:15:55.168061: | natd_hash: rcookie is zero Sep 21 07:15:55.168068: | natd_hash: hasher=0x55c77aa137a0(20) Sep 21 07:15:55.168070: | natd_hash: icookie= f7 f8 9a 6c 87 12 2b d5 Sep 21 07:15:55.168072: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:15:55.168074: | natd_hash: ip= c0 01 02 2d Sep 21 07:15:55.168076: | natd_hash: port= 01 f4 Sep 21 07:15:55.168079: | natd_hash: hash= df e1 82 da da 02 eb 
9b eb a1 d8 d9 5c c1 d5 c1 Sep 21 07:15:55.168081: | natd_hash: hash= 71 1b a4 6a Sep 21 07:15:55.168083: | NAT_TRAVERSAL encaps using auto-detect Sep 21 07:15:55.168085: | NAT_TRAVERSAL this end is NOT behind NAT Sep 21 07:15:55.168087: | NAT_TRAVERSAL that end is NOT behind NAT Sep 21 07:15:55.168091: | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.45 Sep 21 07:15:55.168094: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Sep 21 07:15:55.168098: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55c77b01b010 Sep 21 07:15:55.168101: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:15:55.168105: | libevent_malloc: new ptr-libevent@0x55c77b01d250 size 128 Sep 21 07:15:55.168115: | #1 spent 0.971 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Sep 21 07:15:55.168121: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:15:55.168131: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Sep 21 07:15:55.168135: | suspending state #1 and saving MD Sep 21 07:15:55.168139: | #1 is busy; has a suspended MD Sep 21 07:15:55.168121: | crypto helper 3 resuming Sep 21 07:15:55.168145: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:15:55.168155: | crypto helper 3 starting work-order 1 for state #1 Sep 21 07:15:55.168161: | "westnet-eastnet-ipv4-psk-ikev2" #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:15:55.168168: | crypto helper 3 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Sep 21 07:15:55.168174: | stop processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:15:55.168179: | #1 spent 1.51 milliseconds in 
ikev2_process_packet() Sep 21 07:15:55.168185: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Sep 21 07:15:55.168187: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:15:55.168190: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:15:55.168194: | spent 1.52 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:15:55.169215: | crypto helper 3 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.001047 seconds Sep 21 07:15:55.169226: | (#1) spent 1.05 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Sep 21 07:15:55.169229: | crypto helper 3 sending results from work-order 1 for state #1 to event queue Sep 21 07:15:55.169232: | scheduling resume sending helper answer for #1 Sep 21 07:15:55.169235: | libevent_malloc: new ptr-libevent@0x7fd1fc006900 size 128 Sep 21 07:15:55.169242: | crypto helper 3 waiting (nothing to do) Sep 21 07:15:55.169249: | processing resume sending helper answer for #1 Sep 21 07:15:55.169256: | start processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in resume_handler() at server.c:797) Sep 21 07:15:55.169259: | crypto helper 3 replies to request ID 1 Sep 21 07:15:55.169262: | calling continuation function 0x55c77a93d630 Sep 21 07:15:55.169264: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Sep 21 07:15:55.169295: | **emit ISAKMP Message: Sep 21 07:15:55.169298: | initiator cookie: Sep 21 07:15:55.169300: | f7 f8 9a 6c 87 12 2b d5 Sep 21 07:15:55.169303: | responder cookie: Sep 21 07:15:55.169305: | e5 72 09 dd be df 06 a8 Sep 21 07:15:55.169307: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:15:55.169310: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:15:55.169313: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:15:55.169315: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:15:55.169318: | 
Message ID: 0 (0x0) Sep 21 07:15:55.169320: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:15:55.169323: | Emitting ikev2_proposal ... Sep 21 07:15:55.169326: | ***emit IKEv2 Security Association Payload: Sep 21 07:15:55.169328: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:15:55.169330: | flags: none (0x0) Sep 21 07:15:55.169333: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:15:55.169336: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:15:55.169339: | ****emit IKEv2 Proposal Substructure Payload: Sep 21 07:15:55.169341: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:15:55.169344: | prop #: 1 (0x1) Sep 21 07:15:55.169346: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:15:55.169348: | spi size: 0 (0x0) Sep 21 07:15:55.169351: | # transforms: 3 (0x3) Sep 21 07:15:55.169353: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:15:55.169356: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:15:55.169359: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.169361: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:15:55.169363: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:15:55.169366: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:15:55.169369: | ******emit IKEv2 Attribute Substructure Payload: Sep 21 07:15:55.169371: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:15:55.169374: | length/value: 256 (0x100) Sep 21 07:15:55.169376: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:15:55.169379: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:15:55.169381: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.169383: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:15:55.169387: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:15:55.169391: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.169394: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:15:55.169396: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:15:55.169399: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:15:55.169401: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:15:55.169403: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:15:55.169406: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:15:55.169409: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.169411: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:15:55.169414: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:15:55.169416: | emitting length of IKEv2 Proposal Substructure Payload: 36 Sep 21 07:15:55.169419: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:15:55.169421: | emitting length of IKEv2 Security Association Payload: 40 Sep 21 07:15:55.169424: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:15:55.169427: | ***emit IKEv2 Key Exchange Payload: Sep 21 07:15:55.169430: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:15:55.169432: | flags: none (0x0) Sep 21 07:15:55.169434: | DH group: OAKLEY_GROUP_MODP2048 (0xe) 
Sep 21 07:15:55.169438: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 07:15:55.169440: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:15:55.169443: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Sep 21 07:15:55.169483: | emitting length of IKEv2 Key Exchange Payload: 264 Sep 21 07:15:55.169485: | ***emit IKEv2 Nonce Payload: Sep 21 07:15:55.169487: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:15:55.169490: | flags: none (0x0) Sep 21
07:15:55.169493: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Sep 21 07:15:55.169497: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:15:55.169499: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:15:55.169502: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:15:55.169504: | IKEv2 nonce de 20 2d 25 da 27 ec 98 6f 10 9f 0d 5a 7a 13 ec Sep 21 07:15:55.169507: | IKEv2 nonce e4 e7 c4 3c 13 03 6e fe 98 79 85 7e 59 35 cc 57 Sep 21 07:15:55.169509: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:15:55.169511: | Adding a v2N Payload Sep 21 07:15:55.169514: | ***emit IKEv2 Notify Payload: Sep 21 07:15:55.169516: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:15:55.169518: | flags: none (0x0) Sep 21 07:15:55.169521: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:15:55.169523: | SPI size: 0 (0x0) Sep 21 07:15:55.169526: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:15:55.169529: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:15:55.169531: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:15:55.169534: | emitting length of IKEv2 Notify Payload: 8 Sep 21 07:15:55.169536: | NAT-Traversal support [enabled] add v2N payloads. 
Sep 21 07:15:55.169544: | natd_hash: hasher=0x55c77aa137a0(20) Sep 21 07:15:55.169547: | natd_hash: icookie= f7 f8 9a 6c 87 12 2b d5 Sep 21 07:15:55.169549: | natd_hash: rcookie= e5 72 09 dd be df 06 a8 Sep 21 07:15:55.169551: | natd_hash: ip= c0 01 02 17 Sep 21 07:15:55.169554: | natd_hash: port= 01 f4 Sep 21 07:15:55.169556: | natd_hash: hash= 4e 49 b8 fa 6c cd cc d5 b8 25 f0 43 23 44 cc 3a Sep 21 07:15:55.169558: | natd_hash: hash= 7d 7d b0 f1 Sep 21 07:15:55.169560: | Adding a v2N Payload Sep 21 07:15:55.169563: | ***emit IKEv2 Notify Payload: Sep 21 07:15:55.169565: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:15:55.169567: | flags: none (0x0) Sep 21 07:15:55.169570: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:15:55.169572: | SPI size: 0 (0x0) Sep 21 07:15:55.169575: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:15:55.169577: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:15:55.169580: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:15:55.169583: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:15:55.169585: | Notify data 4e 49 b8 fa 6c cd cc d5 b8 25 f0 43 23 44 cc 3a Sep 21 07:15:55.169588: | Notify data 7d 7d b0 f1 Sep 21 07:15:55.169590: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:15:55.169596: | natd_hash: hasher=0x55c77aa137a0(20) Sep 21 07:15:55.169598: | natd_hash: icookie= f7 f8 9a 6c 87 12 2b d5 Sep 21 07:15:55.169601: | natd_hash: rcookie= e5 72 09 dd be df 06 a8 Sep 21 07:15:55.169603: | natd_hash: ip= c0 01 02 2d Sep 21 07:15:55.169605: | natd_hash: port= 01 f4 Sep 21 07:15:55.169607: | natd_hash: hash= fb 34 f4 23 79 ee ab de 4c f7 33 a6 42 bb af bd Sep 21 07:15:55.169610: | natd_hash: hash= 3c 4e ea be Sep 21 07:15:55.169612: | Adding a v2N Payload Sep 21 07:15:55.169614: | ***emit IKEv2 Notify Payload: Sep 21 
07:15:55.169616: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:15:55.169619: | flags: none (0x0) Sep 21 07:15:55.169621: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:15:55.169623: | SPI size: 0 (0x0) Sep 21 07:15:55.169626: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:15:55.169629: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:15:55.169631: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:15:55.169635: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:15:55.169637: | Notify data fb 34 f4 23 79 ee ab de 4c f7 33 a6 42 bb af bd Sep 21 07:15:55.169639: | Notify data 3c 4e ea be Sep 21 07:15:55.169642: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:15:55.169644: | emitting length of ISAKMP Message: 432 Sep 21 07:15:55.169650: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:15:55.169654: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Sep 21 07:15:55.169657: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Sep 21 07:15:55.169660: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Sep 21 07:15:55.169662: | Message ID: updating counters for #1 to 0 after switching state Sep 21 07:15:55.169667: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Sep 21 07:15:55.169672: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Sep 21 07:15:55.169676: "westnet-eastnet-ipv4-psk-ikev2" #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a 
prf=HMAC_SHA2_512 group=MODP2048} Sep 21 07:15:55.169680: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Sep 21 07:15:55.169688: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
Sep 21 07:15:55.169777: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:15:55.169781: | libevent_free: release ptr-libevent@0x55c77b01d250 Sep 21 07:15:55.169792: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55c77b01b010 Sep 21 07:15:55.169796: | event_schedule: new EVENT_SO_DISCARD-pe@0x55c77b01b010 Sep 21 07:15:55.169799: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Sep 21 07:15:55.169802: | libevent_malloc: new ptr-libevent@0x55c77b01d250 size 128 Sep 21 07:15:55.169805: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Sep 21 07:15:55.169810: | #1 spent 0.532 milliseconds in resume sending helper answer Sep 21 07:15:55.169815: | stop processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in resume_handler() at server.c:833) Sep 21 07:15:55.169817: | libevent_free: release ptr-libevent@0x7fd1fc006900 Sep 21 07:15:55.172964: | spent 0.00199 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:15:55.172980: | *received 365 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
Sep 21 07:15:55.173038: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Sep 21 07:15:55.173041: | **parse ISAKMP Message: Sep 21 07:15:55.173044: | initiator cookie: Sep 21 07:15:55.173046: | f7 f8 9a 6c 87 12 2b d5 Sep 21 07:15:55.173048: | responder cookie: Sep 21 07:15:55.173050: | e5 72 09 dd be df 06 a8 Sep 21 07:15:55.173053: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:15:55.173055: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:15:55.173058: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:15:55.173060: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:15:55.173063: | Message ID: 1 (0x1) Sep 21 07:15:55.173065: | length: 365 (0x16d) Sep 21 07:15:55.173068: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Sep 21 07:15:55.173071: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Sep 21
07:15:55.173075: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Sep 21 07:15:55.173081: | start processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:15:55.173084: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:15:55.173089: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:15:55.173094: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Sep 21 07:15:55.173098: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Sep 21 07:15:55.173100: | unpacking clear payload Sep 21 07:15:55.173103: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:15:55.173106: | ***parse IKEv2 Encryption Payload: Sep 21 07:15:55.173108: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Sep 21 07:15:55.173111: | flags: none (0x0) Sep 21 07:15:55.173113: | length: 337 (0x151) Sep 21 07:15:55.173115: | processing payload: ISAKMP_NEXT_v2SK (len=333) Sep 21 07:15:55.173120: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Sep 21 07:15:55.173122: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:15:55.173125: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:15:55.173128: | Now let's proceed with state specific processing Sep 21 07:15:55.173130: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:15:55.173133: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Sep 21 07:15:55.173137: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Sep 21 07:15:55.173140: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Sep 21 07:15:55.173143: | state #1 requesting EVENT_SO_DISCARD 
to be deleted Sep 21 07:15:55.173146: | libevent_free: release ptr-libevent@0x55c77b01d250 Sep 21 07:15:55.173149: | free_event_entry: release EVENT_SO_DISCARD-pe@0x55c77b01b010 Sep 21 07:15:55.173152: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55c77b01b010 Sep 21 07:15:55.173155: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:15:55.173158: | libevent_malloc: new ptr-libevent@0x55c77b01d250 size 128 Sep 21 07:15:55.173167: | #1 spent 0.0322 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Sep 21 07:15:55.173172: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:15:55.173173: | crypto helper 4 resuming Sep 21 07:15:55.173176: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Sep 21 07:15:55.173183: | crypto helper 4 starting work-order 2 for state #1 Sep 21 07:15:55.173188: | suspending state #1 and saving MD Sep 21 07:15:55.173199: | #1 is busy; has a suspended MD Sep 21 07:15:55.173195: | crypto helper 4 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Sep 21 07:15:55.173205: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:15:55.173209: | "westnet-eastnet-ipv4-psk-ikev2" #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:15:55.173214: | stop processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:15:55.173218: | #1 spent 0.239 milliseconds in ikev2_process_packet() Sep 21 07:15:55.173222: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Sep 21 07:15:55.173225: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:15:55.173227: | 
processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:15:55.173231: | spent 0.253 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:15:55.174186: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Sep 21 07:15:55.174611: | crypto helper 4 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001417 seconds Sep 21 07:15:55.174619: | (#1) spent 1.4 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Sep 21 07:15:55.174625: | crypto helper 4 sending results from work-order 2 for state #1 to event queue Sep 21 07:15:55.174628: | scheduling resume sending helper answer for #1 Sep 21 07:15:55.174631: | libevent_malloc: new ptr-libevent@0x7fd1f4006b90 size 128 Sep 21 07:15:55.174638: | crypto helper 4 waiting (nothing to do) Sep 21 07:15:55.174648: | processing resume sending helper answer for #1 Sep 21 07:15:55.174654: | start processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in resume_handler() at server.c:797) Sep 21 07:15:55.174657: | crypto helper 4 replies to request ID 2 Sep 21 07:15:55.174660: | calling continuation function 0x55c77a93d630 Sep 21 07:15:55.174662: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Sep 21 07:15:55.174665: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:15:55.174677: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Sep 21 07:15:55.174680: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Sep 21 07:15:55.174683: | **parse IKEv2 Identification - Initiator - Payload: Sep 21 07:15:55.174686: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Sep 21 07:15:55.174688: | flags: none (0x0) Sep 21 07:15:55.174691: | length: 12 (0xc) Sep 21 07:15:55.174693: | ID type: ID_FQDN (0x2) Sep 21 07:15:55.174696: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Sep 21 07:15:55.174698: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Sep 21 07:15:55.174700: | 
**parse IKEv2 Identification - Responder - Payload: Sep 21 07:15:55.174703: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Sep 21 07:15:55.174705: | flags: none (0x0) Sep 21 07:15:55.174707: | length: 12 (0xc) Sep 21 07:15:55.174710: | ID type: ID_FQDN (0x2) Sep 21 07:15:55.174712: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Sep 21 07:15:55.174714: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Sep 21 07:15:55.174717: | **parse IKEv2 Authentication Payload: Sep 21 07:15:55.174720: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:15:55.174722: | flags: none (0x0) Sep 21 07:15:55.174724: | length: 72 (0x48) Sep 21 07:15:55.174726: | auth method: IKEv2_AUTH_SHARED (0x2) Sep 21 07:15:55.174729: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Sep 21 07:15:55.174731: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:15:55.174734: | **parse IKEv2 Security Association Payload: Sep 21 07:15:55.174736: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Sep 21 07:15:55.174738: | flags: none (0x0) Sep 21 07:15:55.174741: | length: 164 (0xa4) Sep 21 07:15:55.174743: | processing payload: ISAKMP_NEXT_v2SA (len=160) Sep 21 07:15:55.174745: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:15:55.174748: | **parse IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:15:55.174750: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:15:55.174753: | flags: none (0x0) Sep 21 07:15:55.174755: | length: 24 (0x18) Sep 21 07:15:55.174757: | number of TS: 1 (0x1) Sep 21 07:15:55.174760: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:15:55.174762: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:15:55.174764: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:15:55.174767: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:15:55.174769: | flags: none (0x0) Sep 21 07:15:55.174771: | length: 24 (0x18) Sep 21 07:15:55.174773: | number of TS: 1 (0x1) Sep 21 07:15:55.174776: | processing payload: 
ISAKMP_NEXT_v2TSr (len=16) Sep 21 07:15:55.174778: | selected state microcode Responder: process IKE_AUTH request Sep 21 07:15:55.174781: | Now let's proceed with state specific processing Sep 21 07:15:55.174786: | calling processor Responder: process IKE_AUTH request Sep 21 07:15:55.174794: "westnet-eastnet-ipv4-psk-ikev2" #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Sep 21 07:15:55.174800: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:15:55.174807: | received IDr payload - extracting our alleged ID Sep 21 07:15:55.174811: | refine_host_connection for IKEv2: starting with "westnet-eastnet-ipv4-psk-ikev2" Sep 21 07:15:55.174815: | match_id a=@west Sep 21 07:15:55.174817: | b=@west Sep 21 07:15:55.174820: | results matched Sep 21 07:15:55.174824: | refine_host_connection: checking "westnet-eastnet-ipv4-psk-ikev2" against "westnet-eastnet-ipv4-psk-ikev2", best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Sep 21 07:15:55.174826: | Warning: not switching back to template of current instance Sep 21 07:15:55.174829: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Sep 21 07:15:55.174832: | This connection's local id is @east (ID_FQDN) Sep 21 07:15:55.174835: | refine_host_connection: checked westnet-eastnet-ipv4-psk-ikev2 against westnet-eastnet-ipv4-psk-ikev2, now for see if best Sep 21 07:15:55.174839: | started looking for secret for @east->@west of kind PKK_PSK Sep 21 07:15:55.174842: | actually looking for secret for @east->@west of kind PKK_PSK Sep 21 07:15:55.174845: | line 1: key type PKK_PSK(@east) to type PKK_PSK Sep 21 07:15:55.174848: | 1: compared key @west to @east / @west -> 004 Sep 21 07:15:55.174852: | 2: compared key @east to @east / @west -> 014 Sep 21 07:15:55.174854: | line 1: match=014 Sep 21 07:15:55.174857: | match 014 beats previous best_match 000 match=0x55c77b00cf60 (line=1) Sep 21 07:15:55.174860: | 
concluding with best_match=014 best=0x55c77b00cf60 (lineno=1) Sep 21 07:15:55.174862: | returning because exact peer id match Sep 21 07:15:55.174865: | offered CA: '%none' Sep 21 07:15:55.174868: "westnet-eastnet-ipv4-psk-ikev2" #1: IKEv2 mode peer ID is ID_FQDN: '@west' Sep 21 07:15:55.174885: | verifying AUTH payload Sep 21 07:15:55.174888: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret Sep 21 07:15:55.174892: | started looking for secret for @east->@west of kind PKK_PSK Sep 21 07:15:55.174894: | actually looking for secret for @east->@west of kind PKK_PSK Sep 21 07:15:55.174897: | line 1: key type PKK_PSK(@east) to type PKK_PSK Sep 21 07:15:55.174900: | 1: compared key @west to @east / @west -> 004 Sep 21 07:15:55.174903: | 2: compared key @east to @east / @west -> 014 Sep 21 07:15:55.174906: | line 1: match=014 Sep 21 07:15:55.174908: | match 014 beats previous best_match 000 match=0x55c77b00cf60 (line=1) Sep 21 07:15:55.174911: | concluding with best_match=014 best=0x55c77b00cf60 (lineno=1) Sep 21 07:15:55.174968: "westnet-eastnet-ipv4-psk-ikev2" #1: Authenticated using authby=secret Sep 21 07:15:55.174972: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Sep 21 07:15:55.174976: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:15:55.174979: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:15:55.174982: | libevent_free: release ptr-libevent@0x55c77b01d250 Sep 21 07:15:55.174984: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55c77b01b010 Sep 21 07:15:55.174988: | event_schedule: new EVENT_SA_REKEY-pe@0x55c77b01b010 Sep 21 07:15:55.174991: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Sep 21 07:15:55.174994: | libevent_malloc: new ptr-libevent@0x55c77b01d250 size 128 Sep 21 07:15:55.175224: | pstats #1 ikev2.ike established Sep 21 07:15:55.175233: | **emit ISAKMP Message: Sep 21 
07:15:55.175236: | initiator cookie: Sep 21 07:15:55.175239: | f7 f8 9a 6c 87 12 2b d5 Sep 21 07:15:55.175241: | responder cookie: Sep 21 07:15:55.175243: | e5 72 09 dd be df 06 a8 Sep 21 07:15:55.175246: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:15:55.175249: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:15:55.175252: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:15:55.175255: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:15:55.175257: | Message ID: 1 (0x1) Sep 21 07:15:55.175260: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:15:55.175265: | IKEv2 CERT: send a certificate? Sep 21 07:15:55.175268: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Sep 21 07:15:55.175271: | ***emit IKEv2 Encryption Payload: Sep 21 07:15:55.175274: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:15:55.175276: | flags: none (0x0) Sep 21 07:15:55.175279: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:15:55.175282: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:15:55.175286: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:15:55.175294: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:15:55.175309: | ****emit IKEv2 Identification - Responder - Payload: Sep 21 07:15:55.175313: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:15:55.175315: | flags: none (0x0) Sep 21 07:15:55.175317: | ID type: ID_FQDN (0x2) Sep 21 07:15:55.175321: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Sep 21 07:15:55.175324: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:15:55.175327: 
| emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Sep 21 07:15:55.175329: | my identity 65 61 73 74 Sep 21 07:15:55.175332: | emitting length of IKEv2 Identification - Responder - Payload: 12 Sep 21 07:15:55.175340: | assembled IDr payload Sep 21 07:15:55.175342: | CHILD SA proposals received Sep 21 07:15:55.175345: | going to assemble AUTH payload Sep 21 07:15:55.175347: | ****emit IKEv2 Authentication Payload: Sep 21 07:15:55.175350: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:15:55.175352: | flags: none (0x0) Sep 21 07:15:55.175355: | auth method: IKEv2_AUTH_SHARED (0x2) Sep 21 07:15:55.175358: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Sep 21 07:15:55.175361: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Sep 21 07:15:55.175364: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Sep 21 07:15:55.175367: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Sep 21 07:15:55.175371: | started looking for secret for @east->@west of kind PKK_PSK Sep 21 07:15:55.175374: | actually looking for secret for @east->@west of kind PKK_PSK Sep 21 07:15:55.175377: | line 1: key type PKK_PSK(@east) to type PKK_PSK Sep 21 07:15:55.175381: | 1: compared key @west to @east / @west -> 004 Sep 21 07:15:55.175384: | 2: compared key @east to @east / @west -> 014 Sep 21 07:15:55.175387: | line 1: match=014 Sep 21 07:15:55.175389: | match 014 beats previous best_match 000 match=0x55c77b00cf60 (line=1) Sep 21 07:15:55.175392: | concluding with best_match=014 best=0x55c77b00cf60 (lineno=1) Sep 21 07:15:55.175452: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Sep 21 07:15:55.175455: | PSK auth 30 4c 7d 38 10 68 22 91 2e ca 96 2e 8c 48 
03 28 Sep 21 07:15:55.175457: | PSK auth 2f 1f be 83 cf 0c b7 8d bc 63 f8 0f b0 b3 50 c3 Sep 21 07:15:55.175460: | PSK auth f4 4d 76 0a 96 71 37 68 76 df 78 f5 bd 49 ca 70 Sep 21 07:15:55.175462: | PSK auth 06 ac 84 11 bd dc f1 bf 05 ea 1c 11 d8 e3 fc 0c Sep 21 07:15:55.175465: | emitting length of IKEv2 Authentication Payload: 72 Sep 21 07:15:55.175472: | creating state object #2 at 0x55c77b01e6b0 Sep 21 07:15:55.175475: | State DB: adding IKEv2 state #2 in UNDEFINED Sep 21 07:15:55.175479: | pstats #2 ikev2.child started Sep 21 07:15:55.175482: | duplicating state object #1 "westnet-eastnet-ipv4-psk-ikev2" as #2 for IPSEC SA Sep 21 07:15:55.175487: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:15:55.175494: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:15:55.175499: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Sep 21 07:15:55.175503: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Sep 21 07:15:55.175506: | Child SA TS Request has ike->sa == md->st; so using parent connection Sep 21 07:15:55.175508: | TSi: parsing 1 traffic selectors Sep 21 07:15:55.175511: | ***parse IKEv2 Traffic Selector: Sep 21 07:15:55.175514: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:15:55.175516: | IP Protocol ID: 0 (0x0) Sep 21 07:15:55.175519: | length: 16 (0x10) Sep 21 07:15:55.175521: | start port: 0 (0x0) Sep 21 07:15:55.175523: | end port: 65535 (0xffff) Sep 21 07:15:55.175526: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:15:55.175528: | TS low c0 00 01 00 Sep 21 07:15:55.175531: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 
07:15:55.175533: | TS high c0 00 01 ff Sep 21 07:15:55.175535: | TSi: parsed 1 traffic selectors Sep 21 07:15:55.175538: | TSr: parsing 1 traffic selectors Sep 21 07:15:55.175540: | ***parse IKEv2 Traffic Selector: Sep 21 07:15:55.175542: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:15:55.175545: | IP Protocol ID: 0 (0x0) Sep 21 07:15:55.175547: | length: 16 (0x10) Sep 21 07:15:55.175549: | start port: 0 (0x0) Sep 21 07:15:55.175551: | end port: 65535 (0xffff) Sep 21 07:15:55.175554: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:15:55.175556: | TS low c0 00 02 00 Sep 21 07:15:55.175558: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:15:55.175560: | TS high c0 00 02 ff Sep 21 07:15:55.175563: | TSr: parsed 1 traffic selectors Sep 21 07:15:55.175565: | looking for best SPD in current connection Sep 21 07:15:55.175572: | evaluating our conn="westnet-eastnet-ipv4-psk-ikev2" I=192.0.1.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:15:55.175577: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:15:55.175583: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Sep 21 07:15:55.175586: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:15:55.175589: | TSi[0] port match: YES fitness 65536 Sep 21 07:15:55.175592: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:15:55.175595: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:15:55.175599: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:15:55.175605: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:15:55.175608: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:15:55.175610: | TSr[0] port match: YES fitness 65536 Sep 21 07:15:55.175613: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:15:55.175616: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 
Sep 21 07:15:55.175618: | best fit so far: TSi[0] TSr[0] Sep 21 07:15:55.175621: | found better spd route for TSi[0],TSr[0] Sep 21 07:15:55.175623: | looking for better host pair Sep 21 07:15:55.175628: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Sep 21 07:15:55.175633: | checking hostpair 192.0.2.0/24:0 -> 192.0.1.0/24:0 is found Sep 21 07:15:55.175635: | investigating connection "westnet-eastnet-ipv4-psk-ikev2" as a better match Sep 21 07:15:55.175638: | match_id a=@west Sep 21 07:15:55.175641: | b=@west Sep 21 07:15:55.175643: | results matched Sep 21 07:15:55.175648: | evaluating our conn="westnet-eastnet-ipv4-psk-ikev2" I=192.0.1.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:15:55.175655: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:15:55.175661: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Sep 21 07:15:55.175664: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:15:55.175666: | TSi[0] port match: YES fitness 65536 Sep 21 07:15:55.175669: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:15:55.175672: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:15:55.175676: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:15:55.175682: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:15:55.175684: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:15:55.175687: | TSr[0] port match: YES fitness 65536 Sep 21 07:15:55.175689: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:15:55.175692: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:15:55.175694: | best fit so far: TSi[0] TSr[0] Sep 21 07:15:55.175697: | did not find a better connection using host pair Sep 21 07:15:55.175699: | printing contents struct traffic_selector Sep 21 07:15:55.175702: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 
07:15:55.175704: | ipprotoid: 0 Sep 21 07:15:55.175706: | port range: 0-65535 Sep 21 07:15:55.175710: | ip range: 192.0.2.0-192.0.2.255 Sep 21 07:15:55.175712: | printing contents struct traffic_selector Sep 21 07:15:55.175714: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:15:55.175716: | ipprotoid: 0 Sep 21 07:15:55.175718: | port range: 0-65535 Sep 21 07:15:55.175722: | ip range: 192.0.1.0-192.0.1.255 Sep 21 07:15:55.175727: | constructing ESP/AH proposals with all DH removed for westnet-eastnet-ipv4-psk-ikev2 (IKE_AUTH responder matching remote ESP/AH proposals) Sep 21 07:15:55.175732: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Sep 21 07:15:55.175738: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Sep 21 07:15:55.175741: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Sep 21 07:15:55.175745: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED Sep 21 07:15:55.175748: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Sep 21 07:15:55.175752: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:15:55.175755: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Sep 21 07:15:55.175759: | ... 
ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:15:55.175767: "westnet-eastnet-ipv4-psk-ikev2": constructed local ESP/AH proposals for westnet-eastnet-ipv4-psk-ikev2 (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:15:55.175770: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals Sep 21 07:15:55.175773: | local proposal 1 type ENCR has 1 transforms Sep 21 07:15:55.175775: | local proposal 1 type PRF has 0 transforms Sep 21 07:15:55.175778: | local proposal 1 type INTEG has 1 transforms Sep 21 07:15:55.175780: | local proposal 1 type DH has 1 transforms Sep 21 07:15:55.175789: | local proposal 1 type ESN has 1 transforms Sep 21 07:15:55.175795: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Sep 21 07:15:55.175798: | local proposal 2 type ENCR has 1 transforms Sep 21 07:15:55.175800: | local proposal 2 type PRF has 0 transforms Sep 21 07:15:55.175803: | local proposal 2 type INTEG has 1 transforms Sep 21 07:15:55.175806: | local proposal 2 type DH has 1 transforms Sep 21 07:15:55.175809: | local proposal 2 type ESN has 1 transforms Sep 21 07:15:55.175811: | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH Sep 21 07:15:55.175814: | local proposal 3 type ENCR has 1 transforms Sep 21 07:15:55.175816: | local proposal 3 type PRF has 0 transforms Sep 21 07:15:55.175819: | local proposal 3 type INTEG has 2 transforms Sep 21 07:15:55.175821: | local proposal 3 type DH has 1 transforms Sep 21 07:15:55.175823: | local proposal 3 type ESN has 1 transforms Sep 21 07:15:55.175826: | local proposal 3 transforms: required: 
ENCR+INTEG+ESN; optional: DH Sep 21 07:15:55.175828: | local proposal 4 type ENCR has 1 transforms Sep 21 07:15:55.175831: | local proposal 4 type PRF has 0 transforms Sep 21 07:15:55.175833: | local proposal 4 type INTEG has 2 transforms Sep 21 07:15:55.175835: | local proposal 4 type DH has 1 transforms Sep 21 07:15:55.175838: | local proposal 4 type ESN has 1 transforms Sep 21 07:15:55.175840: | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH Sep 21 07:15:55.175843: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:15:55.175846: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:15:55.175848: | length: 32 (0x20) Sep 21 07:15:55.175851: | prop #: 1 (0x1) Sep 21 07:15:55.175853: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:15:55.175856: | spi size: 4 (0x4) Sep 21 07:15:55.175858: | # transforms: 2 (0x2) Sep 21 07:15:55.175861: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:15:55.175863: | remote SPI 52 ad 1d b7 Sep 21 07:15:55.175866: | Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals Sep 21 07:15:55.175869: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.175872: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.175874: | length: 12 (0xc) Sep 21 07:15:55.175876: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:15:55.175879: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:15:55.175882: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:15:55.175884: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:15:55.175887: | length/value: 256 (0x100) Sep 21 07:15:55.175891: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:15:55.175894: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.175896: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:15:55.175898: | length: 8 (0x8) Sep 21 07:15:55.175901: | IKEv2 transform type: 
TRANS_TYPE_ESN (0x5) Sep 21 07:15:55.175903: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:15:55.175906: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:15:55.175909: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Sep 21 07:15:55.175912: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Sep 21 07:15:55.175915: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Sep 21 07:15:55.175919: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Sep 21 07:15:55.175923: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Sep 21 07:15:55.175925: | remote proposal 1 matches local proposal 1 Sep 21 07:15:55.175928: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:15:55.175931: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:15:55.175933: | length: 32 (0x20) Sep 21 07:15:55.175935: | prop #: 2 (0x2) Sep 21 07:15:55.175937: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:15:55.175940: | spi size: 4 (0x4) Sep 21 07:15:55.175942: | # transforms: 2 (0x2) Sep 21 07:15:55.175945: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:15:55.175948: | remote SPI 52 ad 1d b7 Sep 21 07:15:55.175951: | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:15:55.175953: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.175956: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.175958: | length: 12 (0xc) Sep 21 07:15:55.175961: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:15:55.175963: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:15:55.175965: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:15:55.175968: | 
af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:15:55.175970: | length/value: 128 (0x80) Sep 21 07:15:55.175973: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.175975: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:15:55.175978: | length: 8 (0x8) Sep 21 07:15:55.175980: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:15:55.175982: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:15:55.175986: | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN Sep 21 07:15:55.175988: | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN Sep 21 07:15:55.175991: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:15:55.175993: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:15:55.175996: | length: 48 (0x30) Sep 21 07:15:55.175998: | prop #: 3 (0x3) Sep 21 07:15:55.176000: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:15:55.176002: | spi size: 4 (0x4) Sep 21 07:15:55.176005: | # transforms: 4 (0x4) Sep 21 07:15:55.176008: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:15:55.176010: | remote SPI 52 ad 1d b7 Sep 21 07:15:55.176012: | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:15:55.176015: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.176017: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.176019: | length: 12 (0xc) Sep 21 07:15:55.176022: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:15:55.176024: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:15:55.176026: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:15:55.176029: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:15:55.176031: | length/value: 256 (0x100) Sep 21 07:15:55.176034: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.176036: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.176039: | length: 8 (0x8) Sep 21 07:15:55.176041: | IKEv2 
transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:15:55.176043: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:15:55.176046: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.176048: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.176050: | length: 8 (0x8) Sep 21 07:15:55.176053: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:15:55.176055: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:15:55.176058: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.176060: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:15:55.176062: | length: 8 (0x8) Sep 21 07:15:55.176065: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:15:55.176067: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:15:55.176071: | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Sep 21 07:15:55.176073: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN Sep 21 07:15:55.176076: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:15:55.176078: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:15:55.176080: | length: 48 (0x30) Sep 21 07:15:55.176083: | prop #: 4 (0x4) Sep 21 07:15:55.176085: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:15:55.176087: | spi size: 4 (0x4) Sep 21 07:15:55.176091: | # transforms: 4 (0x4) Sep 21 07:15:55.176094: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:15:55.176096: | remote SPI 52 ad 1d b7 Sep 21 07:15:55.176099: | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:15:55.176101: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.176104: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.176106: | length: 12 (0xc) Sep 21 07:15:55.176108: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:15:55.176112: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:15:55.176114: | *****parse 
IKEv2 Attribute Substructure Payload: Sep 21 07:15:55.176116: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:15:55.176119: | length/value: 128 (0x80) Sep 21 07:15:55.176122: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.176124: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.176126: | length: 8 (0x8) Sep 21 07:15:55.176128: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:15:55.176131: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:15:55.176133: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.176136: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.176138: | length: 8 (0x8) Sep 21 07:15:55.176140: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:15:55.176143: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:15:55.176145: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:15:55.176148: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:15:55.176150: | length: 8 (0x8) Sep 21 07:15:55.176152: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:15:55.176155: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:15:55.176158: | remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Sep 21 07:15:55.176161: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN Sep 21 07:15:55.176166: "westnet-eastnet-ipv4-psk-ikev2" #1: proposal 1:ESP:SPI=52ad1db7;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Sep 21 07:15:55.176170: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=52ad1db7;ENCR=AES_GCM_C_256;ESN=DISABLED Sep 21 07:15:55.176173: | converting proposal to internal trans attrs Sep 21 
07:15:55.176191: | netlink_get_spi: allocated 0x5ea304a7 for esp.0@192.1.2.23 Sep 21 07:15:55.176194: | Emitting ikev2_proposal ... Sep 21 07:15:55.176196: | ****emit IKEv2 Security Association Payload: Sep 21 07:15:55.176199: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:15:55.176201: | flags: none (0x0) Sep 21 07:15:55.176204: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:15:55.176207: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:15:55.176210: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:15:55.176212: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:15:55.176214: | prop #: 1 (0x1) Sep 21 07:15:55.176217: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:15:55.176219: | spi size: 4 (0x4) Sep 21 07:15:55.176221: | # transforms: 2 (0x2) Sep 21 07:15:55.176224: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:15:55.176227: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:15:55.176229: | our spi 5e a3 04 a7 Sep 21 07:15:55.176232: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:15:55.176236: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.176238: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:15:55.176240: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:15:55.176243: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:15:55.176246: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:15:55.176248: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:15:55.176251: | length/value: 256 (0x100) Sep 21 07:15:55.176253: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 
07:15:55.176256: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:15:55.176258: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:15:55.176261: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:15:55.176263: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:15:55.176266: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:15:55.176269: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:15:55.176271: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:15:55.176274: | emitting length of IKEv2 Proposal Substructure Payload: 32 Sep 21 07:15:55.176276: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:15:55.176279: | emitting length of IKEv2 Security Association Payload: 36 Sep 21 07:15:55.176281: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:15:55.176284: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:15:55.176286: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:15:55.176289: | flags: none (0x0) Sep 21 07:15:55.176291: | number of TS: 1 (0x1) Sep 21 07:15:55.176294: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:15:55.176297: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:15:55.176300: | *****emit IKEv2 Traffic Selector: Sep 21 07:15:55.176302: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:15:55.176304: | IP Protocol ID: 0 (0x0) Sep 21 07:15:55.176306: | start port: 0 (0x0) Sep 21 07:15:55.176309: | end 
port: 65535 (0xffff) Sep 21 07:15:55.176312: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:15:55.176314: | IP start c0 00 01 00 Sep 21 07:15:55.176317: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:15:55.176319: | IP end c0 00 01 ff Sep 21 07:15:55.176321: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:15:55.176324: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:15:55.176326: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:15:55.176328: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:15:55.176331: | flags: none (0x0) Sep 21 07:15:55.176333: | number of TS: 1 (0x1) Sep 21 07:15:55.176336: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:15:55.176339: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:15:55.176341: | *****emit IKEv2 Traffic Selector: Sep 21 07:15:55.176344: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:15:55.176346: | IP Protocol ID: 0 (0x0) Sep 21 07:15:55.176348: | start port: 0 (0x0) Sep 21 07:15:55.176350: | end port: 65535 (0xffff) Sep 21 07:15:55.176353: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:15:55.176356: | IP start c0 00 02 00 Sep 21 07:15:55.176359: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:15:55.176361: | IP end c0 00 02 ff Sep 21 07:15:55.176363: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:15:55.176366: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:15:55.176368: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:15:55.176371: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Sep 21 07:15:55.176527: | 
FOR_EACH_CONNECTION_... in ISAKMP_SA_established Sep 21 07:15:55.176535: | #1 spent 1.6 milliseconds Sep 21 07:15:55.176538: | install_ipsec_sa() for #2: inbound and outbound Sep 21 07:15:55.176541: | could_route called for westnet-eastnet-ipv4-psk-ikev2 (kind=CK_PERMANENT) Sep 21 07:15:55.176543: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:15:55.176546: | conn westnet-eastnet-ipv4-psk-ikev2 mark 0/00000000, 0/00000000 vs Sep 21 07:15:55.176549: | conn westnet-eastnet-ipv4-psk-ikev2 mark 0/00000000, 0/00000000 Sep 21 07:15:55.176554: | route owner of "westnet-eastnet-ipv4-psk-ikev2" unrouted: NULL; eroute owner: NULL Sep 21 07:15:55.176558: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Sep 21 07:15:55.176561: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Sep 21 07:15:55.176564: | AES_GCM_16 requires 4 salt bytes Sep 21 07:15:55.176567: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Sep 21 07:15:55.176570: | setting IPsec SA replay-window to 32 Sep 21 07:15:55.176574: | NIC esp-hw-offload not for connection 'westnet-eastnet-ipv4-psk-ikev2' not available on interface eth1 Sep 21 07:15:55.176577: | netlink: enabling tunnel mode Sep 21 07:15:55.176579: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:15:55.176582: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:15:55.176713: | netlink response for Add SA esp.52ad1db7@192.1.2.45 included non-error error Sep 21 07:15:55.176719: | set up outgoing SA, ref=0/0 Sep 21 07:15:55.176723: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Sep 21 07:15:55.176726: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Sep 21 07:15:55.176728: | AES_GCM_16 requires 4 salt bytes Sep 21 07:15:55.176731: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Sep 21 07:15:55.176735: | setting IPsec SA replay-window to 32 Sep 21 07:15:55.176738: | NIC esp-hw-offload not 
for connection 'westnet-eastnet-ipv4-psk-ikev2' not available on interface eth1 Sep 21 07:15:55.176741: | netlink: enabling tunnel mode Sep 21 07:15:55.176743: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:15:55.176746: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:15:55.176835: | netlink response for Add SA esp.5ea304a7@192.1.2.23 included non-error error Sep 21 07:15:55.176843: | priority calculation of connection "westnet-eastnet-ipv4-psk-ikev2" is 0xfe7e7 Sep 21 07:15:55.176851: | add inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Sep 21 07:15:55.176854: | IPsec Sa SPD priority set to 1042407 Sep 21 07:15:55.177053: | raw_eroute result=success Sep 21 07:15:55.177059: | set up incoming SA, ref=0/0 Sep 21 07:15:55.177061: | sr for #2: unrouted Sep 21 07:15:55.177064: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:15:55.177067: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:15:55.177070: | conn westnet-eastnet-ipv4-psk-ikev2 mark 0/00000000, 0/00000000 vs Sep 21 07:15:55.177073: | conn westnet-eastnet-ipv4-psk-ikev2 mark 0/00000000, 0/00000000 Sep 21 07:15:55.177076: | route owner of "westnet-eastnet-ipv4-psk-ikev2" unrouted: NULL; eroute owner: NULL Sep 21 07:15:55.177080: | route_and_eroute with c: westnet-eastnet-ipv4-psk-ikev2 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Sep 21 07:15:55.177083: | priority calculation of connection "westnet-eastnet-ipv4-psk-ikev2" is 0xfe7e7 Sep 21 07:15:55.177123: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45 (raw_eroute) Sep 21 07:15:55.177126: | IPsec Sa SPD priority set to 1042407 Sep 21 07:15:55.177242: | raw_eroute result=success Sep 21 07:15:55.177248: | running updown command "ipsec _updown" for verb up Sep 21 07:15:55.177251: | command executing up-client Sep 21 07:15:55.177278: | executing up-client: PLUTO_VERB='up-client' 
PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-ipv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_I Sep 21 07:15:55.177281: | popen cmd is 1046 chars long Sep 21 07:15:55.177284: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-ipv: Sep 21 07:15:55.177287: | cmd( 80):4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.: Sep 21 07:15:55.177290: | cmd( 160):2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='19: Sep 21 07:15:55.177292: | cmd( 240):2.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCO: Sep 21 07:15:55.177295: | cmd( 320):L='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_P: Sep 21 07:15:55.177297: | cmd( 400):EER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0: Sep 21 07:15:55.177300: | cmd( 480):' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL: Sep 21 07:15:55.177302: | cmd( 560):='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY=': Sep 21 07:15:55.177305: | 
cmd( 640):PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN: Sep 21 07:15:55.177307: | cmd( 720):_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_C: Sep 21 07:15:55.177310: | cmd( 800):ISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' P: Sep 21 07:15:55.177312: | cmd( 880):LUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VT: Sep 21 07:15:55.177315: | cmd( 960):I_ROUTING='no' VTI_SHARED='no' SPI_IN=0x52ad1db7 SPI_OUT=0x5ea304a7 ipsec _updow: Sep 21 07:15:55.177317: | cmd(1040):n 2>&1: Sep 21 07:15:55.193075: | route_and_eroute: firewall_notified: true Sep 21 07:15:55.193089: | running updown command "ipsec _updown" for verb prepare Sep 21 07:15:55.193093: | command executing prepare-client Sep 21 07:15:55.193125: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-ipv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED= Sep 21 07:15:55.193132: | popen cmd is 1051 chars long Sep 21 07:15:55.193213: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' 
PLUTO_CONNECTION='westnet-eastne: Sep 21 07:15:55.193218: | cmd( 80):t-ipv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='1: Sep 21 07:15:55.193221: | cmd( 160):92.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NE: Sep 21 07:15:55.193224: | cmd( 240):T='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PR: Sep 21 07:15:55.193227: | cmd( 320):OTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PL: Sep 21 07:15:55.193230: | cmd( 400):UTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.: Sep 21 07:15:55.193233: | cmd( 480):0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PRO: Sep 21 07:15:55.193236: | cmd( 560):TOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POL: Sep 21 07:15:55.193240: | cmd( 640):ICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO: Sep 21 07:15:55.193243: | cmd( 720):_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_P: Sep 21 07:15:55.193247: | cmd( 800):EER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER: Sep 21 07:15:55.193252: | cmd( 880):='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE=: Sep 21 07:15:55.193256: | cmd( 960):'' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x52ad1db7 SPI_OUT=0x5ea304a7 ipsec _: Sep 21 07:15:55.193258: | cmd(1040):updown 2>&1: Sep 21 07:15:55.203891: | running updown command "ipsec _updown" for verb route Sep 21 07:15:55.203904: | command executing route-client Sep 21 07:15:55.203935: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-ipv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' 
PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' Sep 21 07:15:55.203939: | popen cmd is 1049 chars long Sep 21 07:15:55.203942: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-: Sep 21 07:15:55.203944: | cmd( 80):ipv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192: Sep 21 07:15:55.203947: | cmd( 160):.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET=: Sep 21 07:15:55.203949: | cmd( 240):'192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROT: Sep 21 07:15:55.203952: | cmd( 320):OCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUT: Sep 21 07:15:55.203954: | cmd( 400):O_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.: Sep 21 07:15:55.203957: | cmd( 480):1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTO: Sep 21 07:15:55.203959: | cmd( 560):COL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLIC: Sep 21 07:15:55.203962: | cmd( 640):Y='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_C: Sep 21 07:15:55.203967: | cmd( 720):ONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEE: Sep 21 07:15:55.203969: | cmd( 800):R_CISCO='0' PLUTO_PEER_DNS_INFO='' 
PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER=': Sep 21 07:15:55.203972: | cmd( 880):' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='': Sep 21 07:15:55.203974: | cmd( 960): VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x52ad1db7 SPI_OUT=0x5ea304a7 ipsec _up: Sep 21 07:15:55.203977: | cmd(1040):down 2>&1: Sep 21 07:15:55.219836: | route_and_eroute: instance "westnet-eastnet-ipv4-psk-ikev2", setting eroute_owner {spd=0x55c77b0188f0,sr=0x55c77b0188f0} to #2 (was #0) (newest_ipsec_sa=#0) Sep 21 07:15:55.220111: | #1 spent 0.951 milliseconds in install_ipsec_sa() Sep 21 07:15:55.220119: | ISAKMP_v2_IKE_AUTH: instance westnet-eastnet-ipv4-psk-ikev2[0], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Sep 21 07:15:55.220123: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:15:55.220127: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:15:55.220130: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:15:55.220133: | emitting length of IKEv2 Encryption Payload: 197 Sep 21 07:15:55.220135: | emitting length of ISAKMP Message: 225 Sep 21 07:15:55.220157: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Sep 21 07:15:55.220164: | #1 spent 2.61 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Sep 21 07:15:55.220171: | suspend processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:15:55.220176: | start processing: state #2 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:15:55.220180: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Sep 21 07:15:55.220184: | IKEv2: transition from state STATE_PARENT_R1 to state 
STATE_V2_IPSEC_R Sep 21 07:15:55.220187: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Sep 21 07:15:55.220190: | Message ID: updating counters for #2 to 1 after switching state Sep 21 07:15:55.220195: | Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Sep 21 07:15:55.220200: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Sep 21 07:15:55.220203: | pstats #2 ikev2.child established Sep 21 07:15:55.220212: "westnet-eastnet-ipv4-psk-ikev2" #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Sep 21 07:15:55.220216: | NAT-T: encaps is 'auto' Sep 21 07:15:55.220220: "westnet-eastnet-ipv4-psk-ikev2" #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x52ad1db7 <0x5ea304a7 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} Sep 21 07:15:55.220226: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Sep 21 07:15:55.220231: | sending 225 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
Sep 21 07:15:55.220310: | releasing whack for #2 (sock=fd@-1) Sep 21 07:15:55.220314: | releasing whack and unpending for parent #1 Sep 21 07:15:55.220317: | unpending state #1 connection "westnet-eastnet-ipv4-psk-ikev2" Sep 21 07:15:55.220322: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:15:55.220325: | event_schedule: new EVENT_SA_REKEY-pe@0x7fd1fc002b20 Sep 21 07:15:55.220328: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Sep 21 07:15:55.220332: | libevent_malloc: new ptr-libevent@0x55c77b0220a0 size 128 Sep 21 07:15:55.220337: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Sep 21 07:15:55.220343: | #1 spent 2.9 milliseconds in resume sending helper answer Sep 21 07:15:55.220348: | stop processing: state #2 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in resume_handler() at server.c:833) Sep 21 07:15:55.220351: | libevent_free: release ptr-libevent@0x7fd1f4006b90 Sep 21 07:15:55.220361: | processing signal PLUTO_SIGCHLD Sep 21 07:15:55.220365: | waitpid returned ECHILD (no child processes left) Sep 21 07:15:55.220369: | spent 0.00402 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:15:55.220371: | processing signal PLUTO_SIGCHLD Sep 21 07:15:55.220374: | waitpid returned ECHILD (no child processes left) Sep 21 07:15:55.220378: | spent 0.00337 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:15:55.220380: | processing signal PLUTO_SIGCHLD Sep 21 07:15:55.220384: | waitpid returned ECHILD (no child processes left) Sep 21 07:15:55.220387: | spent 0.00338 milliseconds in signal handler PLUTO_SIGCHLD Sep 21
07:15:57.320324: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:15:57.320706: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:15:57.320711: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:15:57.320771: | FOR_EACH_STATE_... in show_states_status (sort_states) Sep 21 07:15:57.320774: | FOR_EACH_STATE_... in sort_states Sep 21 07:15:57.320795: | get_sa_info esp.5ea304a7@192.1.2.23 Sep 21 07:15:57.320813: | get_sa_info esp.52ad1db7@192.1.2.45 Sep 21 07:15:57.320834: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:15:57.320842: | spent 0.513 milliseconds in whack Sep 21 07:15:58.698972: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:15:58.698993: shutting down Sep 21 07:15:58.699001: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Sep 21 07:15:58.699005: | pluto_sd: executing action action: stopping(6), status 0 Sep 21 07:15:58.699011: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:15:58.699013: forgetting secrets Sep 21 07:15:58.699017: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:15:58.699021: | start processing: connection "westnet-eastnet-ipv4-psk-ikev2" (in delete_connection() at connections.c:189) Sep 21 07:15:58.699024: | Deleting states for connection - including all other IPsec SA's of this IKE SA Sep 21 07:15:58.699027: | pass 0 Sep 21 07:15:58.699029: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Sep 21 07:15:58.699032: | state #2 Sep 21 07:15:58.699035: | suspend processing: connection "westnet-eastnet-ipv4-psk-ikev2" (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:15:58.699041: | start processing: state #2 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:15:58.699047: | pstats #2 ikev2.child deleted completed Sep 21 07:15:58.699052: | [RE]START processing: state #2 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in delete_state() at state.c:879) Sep 21 07:15:58.699057: "westnet-eastnet-ipv4-psk-ikev2" #2: deleting state (STATE_V2_IPSEC_R) aged 3.523s and sending notification Sep 21 07:15:58.699060: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Sep 21 07:15:58.699065: | get_sa_info esp.52ad1db7@192.1.2.45 Sep 21 07:15:58.699079: | get_sa_info esp.5ea304a7@192.1.2.23 Sep 21 07:15:58.699087: "westnet-eastnet-ipv4-psk-ikev2" #2: ESP traffic information: in=168B out=168B Sep 21 07:15:58.699090: | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R Sep 21 07:15:58.699093: | Opening output PBS informational exchange delete request Sep 21 07:15:58.699097: | **emit ISAKMP Message: Sep 21 07:15:58.699099: | initiator cookie: Sep 21 07:15:58.699101: | f7 f8 9a 6c 87 12 2b d5 Sep 21 07:15:58.699104: | responder cookie: Sep 21 07:15:58.699106: | e5 72 09 dd be df 06 a8 Sep 21 07:15:58.699109: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:15:58.699111: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:15:58.699114: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:15:58.699117: | flags: none (0x0) Sep 21 07:15:58.699119: | Message ID: 0 (0x0) Sep 21 07:15:58.699122: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:15:58.699125: | ***emit IKEv2 Encryption Payload: Sep 21 07:15:58.699128: | next payload 
type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:15:58.699130: | flags: none (0x0) Sep 21 07:15:58.699133: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:15:58.699136: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:15:58.699140: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:15:58.699147: | ****emit IKEv2 Delete Payload: Sep 21 07:15:58.699150: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:15:58.699152: | flags: none (0x0) Sep 21 07:15:58.699155: | protocol ID: PROTO_v2_ESP (0x3) Sep 21 07:15:58.699157: | SPI size: 4 (0x4) Sep 21 07:15:58.699159: | number of SPIs: 1 (0x1) Sep 21 07:15:58.699162: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:15:58.699165: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:15:58.699168: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Sep 21 07:15:58.699170: | local spis 5e a3 04 a7 Sep 21 07:15:58.699173: | emitting length of IKEv2 Delete Payload: 12 Sep 21 07:15:58.699176: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:15:58.699179: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:15:58.699182: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:15:58.699184: | emitting length of IKEv2 Encryption Payload: 41 Sep 21 07:15:58.699186: | emitting length of ISAKMP Message: 69 Sep 21 07:15:58.699209: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #2) Sep 21 07:15:58.699212: | f7 f8 9a 6c 87 12 2b d5 e5 72 09 dd be df 06 a8 Sep 21 07:15:58.699214: | 2e 20 25 00 00 00 
00 00 00 00 00 45 2a 00 00 29 Sep 21 07:15:58.699216: | 5b cc 2f 7d 2b f4 c2 8c 3b d0 cf c6 80 bd 60 16 Sep 21 07:15:58.699219: | d7 5d aa f7 66 4c 2d e0 43 46 f8 aa 55 03 18 b5 Sep 21 07:15:58.699221: | 48 4b 9c 05 eb Sep 21 07:15:58.699263: | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Sep 21 07:15:58.699271: | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send Sep 21 07:15:58.699276: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1->0 wip.responder=-1 Sep 21 07:15:58.699279: | state #2 requesting EVENT_SA_REKEY to be deleted Sep 21 07:15:58.699283: | libevent_free: release ptr-libevent@0x55c77b0220a0 Sep 21 07:15:58.699286: | free_event_entry: release EVENT_SA_REKEY-pe@0x7fd1fc002b20 Sep 21 07:15:58.699427: | running updown command "ipsec _updown" for verb down Sep 21 07:15:58.699434: | command executing down-client Sep 21 07:15:58.699463: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-ipv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050155' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' 
PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHAR Sep 21 07:15:58.699466: | popen cmd is 1057 chars long Sep 21 07:15:58.699469: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-i: Sep 21 07:15:58.699472: | cmd( 80):pv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.: Sep 21 07:15:58.699475: | cmd( 160):1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET=': Sep 21 07:15:58.699477: | cmd( 240):192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTO: Sep 21 07:15:58.699480: | cmd( 320):COL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO: Sep 21 07:15:58.699483: | cmd( 400):_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1: Sep 21 07:15:58.699485: | cmd( 480):.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOC: Sep 21 07:15:58.699488: | cmd( 560):OL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050155' PLUTO_CO: Sep 21 07:15:58.699490: | cmd( 640):NN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO': Sep 21 07:15:58.699493: | cmd( 720): PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUT: Sep 21 07:15:58.699495: | cmd( 800):O_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_: Sep 21 07:15:58.699498: | cmd( 880):BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_: Sep 21 07:15:58.699501: | cmd( 960):IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x52ad1db7 SPI_OUT=0x5ea304a7 i: Sep 21 07:15:58.699503: | cmd(1040):psec _updown 2>&1: Sep 21 07:15:58.762421: | shunt_eroute() called for connection 'westnet-eastnet-ipv4-psk-ikev2' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 192.0.2.0/24:0 --0->- 192.0.1.0/24:0 Sep 21 07:15:58.762437: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 
dest 192.0.1.0/24:0 Sep 21 07:15:58.762441: | priority calculation of connection "westnet-eastnet-ipv4-psk-ikev2" is 0xfe7e7 Sep 21 07:15:58.762445: | IPsec Sa SPD priority set to 1042407 Sep 21 07:15:58.762680: | delete esp.52ad1db7@192.1.2.45 Sep 21 07:15:58.762835: | netlink response for Del SA esp.52ad1db7@192.1.2.45 included non-error error Sep 21 07:15:58.762845: | priority calculation of connection "westnet-eastnet-ipv4-psk-ikev2" is 0xfe7e7 Sep 21 07:15:58.762856: | delete inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Sep 21 07:15:58.763092: | raw_eroute result=success Sep 21 07:15:58.763100: | delete esp.5ea304a7@192.1.2.23 Sep 21 07:15:58.763221: | netlink response for Del SA esp.5ea304a7@192.1.2.23 included non-error error Sep 21 07:15:58.763231: | stop processing: connection "westnet-eastnet-ipv4-psk-ikev2" (BACKGROUND) (in update_state_connection() at connections.c:4037) Sep 21 07:15:58.763234: | start processing: connection NULL (in update_state_connection() at connections.c:4038) Sep 21 07:15:58.763237: | in connection_discard for connection westnet-eastnet-ipv4-psk-ikev2 Sep 21 07:15:58.763240: | State DB: deleting IKEv2 state #2 in V2_IPSEC_R Sep 21 07:15:58.763245: | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Sep 21 07:15:58.763251: | stop processing: state #2 from 192.1.2.45:500 (in delete_state() at state.c:1143) Sep 21 07:15:58.763257: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:15:58.763260: | state #1 Sep 21 07:15:58.763263: | pass 1 Sep 21 07:15:58.763265: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Sep 21 07:15:58.763267: | state #1 Sep 21 07:15:58.763273: | start processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:15:58.763276: | pstats #1 ikev2.ike deleted completed Sep 21 07:15:58.763281: | #1 spent 7.62 milliseconds in total Sep 21 07:15:58.763286: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in delete_state() at state.c:879) Sep 21 07:15:58.763290: "westnet-eastnet-ipv4-psk-ikev2" #1: deleting state (STATE_PARENT_R2) aged 3.596s and sending notification Sep 21 07:15:58.763293: | parent state #1: PARENT_R2(established IKE SA) => delete Sep 21 07:15:58.763476: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Sep 21 07:15:58.763482: | Opening output PBS informational exchange delete request Sep 21 07:15:58.763486: | **emit ISAKMP Message: Sep 21 07:15:58.763489: | initiator cookie: Sep 21 07:15:58.763491: | f7 f8 9a 6c 87 12 2b d5 Sep 21 07:15:58.763494: | responder cookie: Sep 21 07:15:58.763496: | e5 72 09 dd be df 06 a8 Sep 21 07:15:58.763499: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:15:58.763502: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:15:58.763505: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:15:58.763507: | flags: none (0x0) Sep 21 07:15:58.763510: | Message ID: 1 (0x1) Sep 21 07:15:58.763513: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:15:58.763516: | ***emit IKEv2 Encryption Payload: Sep 21 07:15:58.763519: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:15:58.763521: | flags: none (0x0) Sep 21 07:15:58.763525: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:15:58.763528: | next payload chain: saving location 'IKEv2 Encryption 
Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:15:58.763531: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:15:58.763540: | ****emit IKEv2 Delete Payload: Sep 21 07:15:58.763543: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:15:58.763546: | flags: none (0x0) Sep 21 07:15:58.763548: | protocol ID: PROTO_v2_IKE (0x1) Sep 21 07:15:58.763551: | SPI size: 0 (0x0) Sep 21 07:15:58.763553: | number of SPIs: 0 (0x0) Sep 21 07:15:58.763556: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:15:58.763559: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:15:58.763562: | emitting length of IKEv2 Delete Payload: 8 Sep 21 07:15:58.763568: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:15:58.763572: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:15:58.763575: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:15:58.763577: | emitting length of IKEv2 Encryption Payload: 37 Sep 21 07:15:58.763580: | emitting length of ISAKMP Message: 65 Sep 21 07:15:58.763601: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Sep 21 07:15:58.763604: | f7 f8 9a 6c 87 12 2b d5 e5 72 09 dd be df 06 a8 Sep 21 07:15:58.763607: | 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25 Sep 21 07:15:58.763609: | e3 31 0f 78 38 c8 e3 9b b0 09 fe c8 d8 c7 76 05 Sep 21 07:15:58.763611: | d5 25 6b b8 ee d9 0c 8b 5d 05 7e d5 5c 64 cd 39 Sep 21 07:15:58.763614: | 0e Sep 21 07:15:58.763652: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Sep 21 07:15:58.763655: | Message ID: IKE #1 sender #1 in send_delete hacking around 
record ' send Sep 21 07:15:58.763660: | Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=1 wip.responder=-1 Sep 21 07:15:58.763665: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=0->1 wip.responder=-1 Sep 21 07:15:58.763668: | state #1 requesting EVENT_SA_REKEY to be deleted Sep 21 07:15:58.763674: | libevent_free: release ptr-libevent@0x55c77b01d250 Sep 21 07:15:58.763676: | free_event_entry: release EVENT_SA_REKEY-pe@0x55c77b01b010 Sep 21 07:15:58.763680: | State DB: IKEv2 state not found (flush_incomplete_children) Sep 21 07:15:58.763683: | in connection_discard for connection westnet-eastnet-ipv4-psk-ikev2 Sep 21 07:15:58.763686: | State DB: deleting IKEv2 state #1 in PARENT_R2 Sep 21 07:15:58.763690: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Sep 21 07:15:58.763706: | stop processing: state #1 from 192.1.2.45:500 (in delete_state() at state.c:1143) Sep 21 07:15:58.763720: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:15:58.763726: | shunt_eroute() called for connection 'westnet-eastnet-ipv4-psk-ikev2' to 'delete' for rt_kind 'unrouted' using protoports 192.0.2.0/24:0 --0->- 192.0.1.0/24:0 Sep 21 07:15:58.763732: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.1.0/24:0 Sep 21 07:15:58.763735: | priority calculation of connection "westnet-eastnet-ipv4-psk-ikev2" is 0xfe7e7 Sep 21 07:15:58.763868: | priority calculation of connection "westnet-eastnet-ipv4-psk-ikev2" is 0xfe7e7 Sep 21 07:15:58.763884: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:15:58.763887: | conn westnet-eastnet-ipv4-psk-ikev2 mark 0/00000000, 0/00000000 vs Sep 21 07:15:58.763890: | conn westnet-eastnet-ipv4-psk-ikev2 mark 0/00000000, 0/00000000 Sep 21 07:15:58.763894: | route owner of "westnet-eastnet-ipv4-psk-ikev2" unrouted: NULL Sep 21 07:15:58.763897: | running updown command "ipsec _updown" for verb unroute Sep 21 07:15:58.763900: | command executing unroute-client Sep 21 07:15:58.763927: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-ipv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED Sep 21 07:15:58.763932: | popen cmd is 1038 chars long Sep 21 07:15:58.763935: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastne: Sep 21 07:15:58.763938: | cmd( 80):t-ipv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='1: Sep 21 07:15:58.763941: | cmd( 160):92.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NE: Sep 21 07:15:58.763943: | cmd( 240):T='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PR: Sep 
21 07:15:58.763946: | cmd( 320):OTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' P: Sep 21 07:15:58.763949: | cmd( 400):LUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192: Sep 21 07:15:58.763951: | cmd( 480):.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PR: Sep 21 07:15:58.763954: | cmd( 560):OTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_PO: Sep 21 07:15:58.763956: | cmd( 640):LICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUT: Sep 21 07:15:58.763959: | cmd( 720):O_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_: Sep 21 07:15:58.763962: | cmd( 800):PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNE: Sep 21 07:15:58.763964: | cmd( 880):R='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE: Sep 21 07:15:58.763967: | cmd( 960):='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Sep 21 07:15:58.856153: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.856202: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.856230: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.856257: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.856283: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.856309: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.856573: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.856608: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.856635: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.856662: unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:15:58.856689: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.857064: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.857100: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.857130: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.857157: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.857184: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.857213: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.857241: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.857267: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.857294: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.857320: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.857348: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.857376: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.857411: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.857466: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.864808: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.864831: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:15:58.864852: unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:15:58.915976: | free hp@0x55c77afe41c0 Sep 21 07:15:58.915993: | flush revival: connection 'westnet-eastnet-ipv4-psk-ikev2' wasn't on the list Sep 21 07:15:58.915996: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Sep 21 07:15:58.916004: | crl fetch request list locked by 'free_crl_fetch' Sep 21 07:15:58.916007: | crl fetch request list unlocked by 'free_crl_fetch' Sep 21 07:15:58.916018: shutting down interface lo/lo 127.0.0.1:4500 Sep 21 07:15:58.916022: shutting down interface lo/lo 127.0.0.1:500 Sep 21 07:15:58.916025: shutting down interface eth0/eth0 192.0.2.254:4500 Sep 21 07:15:58.916028: shutting down interface eth0/eth0 192.0.2.254:500 Sep 21 07:15:58.916031: shutting down interface eth1/eth1 192.1.2.23:4500 Sep 21 07:15:58.916034: shutting down interface eth1/eth1 192.1.2.23:500 Sep 21 07:15:58.916038: | FOR_EACH_STATE_... in delete_states_dead_interfaces Sep 21 07:15:58.916046: | libevent_free: release ptr-libevent@0x55c77b017a20 Sep 21 07:15:58.916050: | free_event_entry: release EVENT_NULL-pe@0x55c77b000c20 Sep 21 07:15:58.916060: | libevent_free: release ptr-libevent@0x55c77b017b10 Sep 21 07:15:58.916062: | free_event_entry: release EVENT_NULL-pe@0x55c77b017ad0 Sep 21 07:15:58.916069: | libevent_free: release ptr-libevent@0x55c77b017c00 Sep 21 07:15:58.916071: | free_event_entry: release EVENT_NULL-pe@0x55c77b017bc0 Sep 21 07:15:58.916077: | libevent_free: release ptr-libevent@0x55c77b017cf0 Sep 21 07:15:58.916079: | free_event_entry: release EVENT_NULL-pe@0x55c77b017cb0 Sep 21 07:15:58.916085: | libevent_free: release ptr-libevent@0x55c77b017de0 Sep 21 07:15:58.916088: | free_event_entry: release EVENT_NULL-pe@0x55c77b017da0 Sep 21 07:15:58.916094: | libevent_free: release ptr-libevent@0x55c77b017ed0 Sep 21 07:15:58.916097: | free_event_entry: release EVENT_NULL-pe@0x55c77b017e90 Sep 21 07:15:58.916102: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Sep 21 07:15:58.916497: | libevent_free: release ptr-libevent@0x55c77b017380 Sep 21 07:15:58.916503: | free_event_entry: release EVENT_NULL-pe@0x55c77afffea0 Sep 21 07:15:58.916507: | libevent_free: release ptr-libevent@0x55c77b00ce10 Sep 21 07:15:58.916509: | free_event_entry: release EVENT_NULL-pe@0x55c77b000150 Sep 21 07:15:58.916513: | libevent_free: release ptr-libevent@0x55c77b00cd80 Sep 21 07:15:58.916515: | free_event_entry: release EVENT_NULL-pe@0x55c77b0058b0 Sep 21 07:15:58.916518: | global timer EVENT_REINIT_SECRET uninitialized Sep 21 07:15:58.916521: | global timer EVENT_SHUNT_SCAN uninitialized Sep 21 07:15:58.916523: | global timer EVENT_PENDING_DDNS uninitialized Sep 21 07:15:58.916525: | global timer EVENT_PENDING_PHASE2 uninitialized Sep 21 07:15:58.916528: | global timer EVENT_CHECK_CRLS uninitialized Sep 21 07:15:58.916530: | global timer EVENT_REVIVE_CONNS uninitialized Sep 21 07:15:58.916532: | global timer EVENT_FREE_ROOT_CERTS uninitialized Sep 21 07:15:58.916534: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Sep 21 07:15:58.916537: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Sep 21 07:15:58.916541: | libevent_free: release ptr-libevent@0x55c77b017450 Sep 21 07:15:58.916544: | signal event handler PLUTO_SIGCHLD uninstalled Sep 21 07:15:58.916547: | libevent_free: release ptr-libevent@0x55c77b017530 Sep 21 07:15:58.916549: | signal event handler PLUTO_SIGTERM uninstalled Sep 21 07:15:58.916552: | libevent_free: release ptr-libevent@0x55c77b0175f0 Sep 21 07:15:58.916554: | signal event handler PLUTO_SIGHUP uninstalled Sep 21 07:15:58.916557: | libevent_free: release ptr-libevent@0x55c77b00c080 Sep 21 07:15:58.916559: | signal event handler PLUTO_SIGSYS uninstalled Sep 21 07:15:58.916561: | releasing event base Sep 21 07:15:58.916572: | libevent_free: release ptr-libevent@0x55c77b0176b0 Sep 21 07:15:58.916578: | libevent_free: release ptr-libevent@0x55c77afecae0 Sep 21 07:15:58.916582: | libevent_free: 
release ptr-libevent@0x55c77affb430 Sep 21 07:15:58.916584: | libevent_free: release ptr-libevent@0x55c77affb500 Sep 21 07:15:58.916586: | libevent_free: release ptr-libevent@0x55c77affb450 Sep 21 07:15:58.916589: | libevent_free: release ptr-libevent@0x55c77b017410 Sep 21 07:15:58.916591: | libevent_free: release ptr-libevent@0x55c77b0174f0 Sep 21 07:15:58.916594: | libevent_free: release ptr-libevent@0x55c77affb4e0 Sep 21 07:15:58.916596: | libevent_free: release ptr-libevent@0x55c77affb640 Sep 21 07:15:58.916598: | libevent_free: release ptr-libevent@0x55c77b0000a0 Sep 21 07:15:58.916600: | libevent_free: release ptr-libevent@0x55c77b017f60 Sep 21 07:15:58.916603: | libevent_free: release ptr-libevent@0x55c77b017e70 Sep 21 07:15:58.916605: | libevent_free: release ptr-libevent@0x55c77b017d80 Sep 21 07:15:58.916607: | libevent_free: release ptr-libevent@0x55c77b017c90 Sep 21 07:15:58.916609: | libevent_free: release ptr-libevent@0x55c77b017ba0 Sep 21 07:15:58.916612: | libevent_free: release ptr-libevent@0x55c77b017ab0 Sep 21 07:15:58.916614: | libevent_free: release ptr-libevent@0x55c77af7f370 Sep 21 07:15:58.916616: | libevent_free: release ptr-libevent@0x55c77b0175d0 Sep 21 07:15:58.916618: | libevent_free: release ptr-libevent@0x55c77b017510 Sep 21 07:15:58.916621: | libevent_free: release ptr-libevent@0x55c77b017430 Sep 21 07:15:58.916623: | libevent_free: release ptr-libevent@0x55c77b017690 Sep 21 07:15:58.916625: | libevent_free: release ptr-libevent@0x55c77af7d5b0 Sep 21 07:15:58.916628: | libevent_free: release ptr-libevent@0x55c77affb470 Sep 21 07:15:58.916630: | libevent_free: release ptr-libevent@0x55c77affb4a0 Sep 21 07:15:58.916632: | libevent_free: release ptr-libevent@0x55c77affb190 Sep 21 07:15:58.916635: | releasing global libevent data Sep 21 07:15:58.916637: | libevent_free: release ptr-libevent@0x55c77aff9e80 Sep 21 07:15:58.916640: | libevent_free: release ptr-libevent@0x55c77affb130 Sep 21 07:15:58.916643: | libevent_free: release 
ptr-libevent@0x55c77affb160