Sep 21 07:19:54.382332: FIPS Product: YES
Sep 21 07:19:54.382375: FIPS Kernel: NO
Sep 21 07:19:54.382378: FIPS Mode: NO
Sep 21 07:19:54.382381: NSS DB directory: sql:/etc/ipsec.d
Sep 21 07:19:54.382544: Initializing NSS
Sep 21 07:19:54.382548: Opening NSS database "sql:/etc/ipsec.d" read-only
Sep 21 07:19:54.416066: NSS initialized
Sep 21 07:19:54.416076: NSS crypto library initialized
Sep 21 07:19:54.416078: FIPS HMAC integrity support [enabled]
Sep 21 07:19:54.416080: FIPS mode disabled for pluto daemon
Sep 21 07:19:54.465068: FIPS HMAC integrity verification self-test FAILED
Sep 21 07:19:54.465172: libcap-ng support [enabled]
Sep 21 07:19:54.465184: Linux audit support [enabled]
Sep 21 07:19:54.465212: Linux audit activated
Sep 21 07:19:54.465219: Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:14057
Sep 21 07:19:54.465222: core dump dir: /tmp
Sep 21 07:19:54.465224: secrets file: /etc/ipsec.secrets
Sep 21 07:19:54.465226: leak-detective disabled
Sep 21 07:19:54.465227: NSS crypto [enabled]
Sep 21 07:19:54.465229: XAUTH PAM support [enabled]
Sep 21 07:19:54.465299: | libevent is using pluto's memory allocator
Sep 21 07:19:54.465307: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
Sep 21 07:19:54.465321: | libevent_malloc: new ptr-libevent@0x55d552dd8fb0 size 40
Sep 21 07:19:54.465327: | libevent_malloc: new ptr-libevent@0x55d552dd8fe0 size 40
Sep 21 07:19:54.465331: | libevent_malloc: new ptr-libevent@0x55d552dda2d0 size 40
Sep 21 07:19:54.465333: | creating event base
Sep 21 07:19:54.465336: | libevent_malloc: new ptr-libevent@0x55d552dda290 size 56
Sep 21 07:19:54.465339: | libevent_malloc: new ptr-libevent@0x55d552dda300 size 664
Sep 21 07:19:54.465350: | libevent_malloc: new ptr-libevent@0x55d552dda5a0 size 24
Sep 21 07:19:54.465354: | libevent_malloc: new ptr-libevent@0x55d552dcbda0 size 384
Sep 21 07:19:54.465365: | libevent_malloc: new ptr-libevent@0x55d552dda5c0 size 16
Sep 21 07:19:54.465367: | libevent_malloc: new ptr-libevent@0x55d552dda5e0 size 40
Sep 21 07:19:54.465370: | libevent_malloc: new ptr-libevent@0x55d552dda610 size 48
Sep 21 07:19:54.465377: | libevent_realloc: new ptr-libevent@0x55d552d5c370 size 256
Sep 21 07:19:54.465380: | libevent_malloc: new ptr-libevent@0x55d552dda650 size 16
Sep 21 07:19:54.465386: | libevent_free: release ptr-libevent@0x55d552dda290
Sep 21 07:19:54.465389: | libevent initialized
Sep 21 07:19:54.465393: | libevent_realloc: new ptr-libevent@0x55d552dda670 size 64
Sep 21 07:19:54.465396: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds
Sep 21 07:19:54.465413: | init_nat_traversal() initialized with keep_alive=0s
Sep 21 07:19:54.465415: NAT-Traversal support [enabled]
Sep 21 07:19:54.465418: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized
Sep 21 07:19:54.465429: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized
Sep 21 07:19:54.465432: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds
Sep 21 07:19:54.465471: | global one-shot timer EVENT_REVIVE_CONNS initialized
Sep 21 07:19:54.465475: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds
Sep 21 07:19:54.465478: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds
Sep 21 07:19:54.465528: Encryption algorithms:
Sep 21 07:19:54.465538: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c
Sep 21 07:19:54.465542: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b
Sep 21 07:19:54.465545: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a
Sep 21 07:19:54.465549: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des
Sep 21 07:19:54.465551: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
Sep 21 07:19:54.465558: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia
Sep 21 07:19:54.465561: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c
Sep 21 07:19:54.465563: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b
Sep 21 07:19:54.465565: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a
Sep 21 07:19:54.465567: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr
Sep 21 07:19:54.465569: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes
Sep 21 07:19:54.465572: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent
Sep 21 07:19:54.465574: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish
Sep 21 07:19:54.465576: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh
Sep 21 07:19:54.465578: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac
Sep 21 07:19:54.465580: NULL IKEv1: ESP IKEv2: ESP []
Sep 21 07:19:54.465582: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305
Sep 21 07:19:54.465587: Hash algorithms:
Sep 21 07:19:54.465589: MD5 IKEv1: IKE IKEv2:
Sep 21 07:19:54.465591: SHA1 IKEv1: IKE IKEv2: FIPS sha
Sep 21 07:19:54.465593: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256
Sep 21 07:19:54.465594: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384
Sep 21 07:19:54.465596: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512
Sep 21 07:19:54.465604: PRF algorithms:
Sep 21 07:19:54.465606: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5
Sep 21 07:19:54.465608: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1
Sep 21 07:19:54.465610: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256
Sep 21 07:19:54.465612: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384
Sep 21 07:19:54.465614: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512
Sep 21 07:19:54.465616: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc
Sep 21 07:19:54.465630: Integrity algorithms:
Sep 21 07:19:54.465632: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5
Sep 21 07:19:54.465635: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1
Sep 21 07:19:54.465637: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512
Sep 21 07:19:54.465639: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384
Sep 21 07:19:54.465642: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Sep 21 07:19:54.465643: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
Sep 21 07:19:54.465646: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96
Sep 21 07:19:54.465647: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
Sep 21 07:19:54.465649: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
Sep 21 07:19:54.465657: DH algorithms:
Sep 21 07:19:54.465659: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0
Sep 21 07:19:54.465661: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5
Sep 21 07:19:54.465662: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14
Sep 21 07:19:54.465666: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15
Sep 21 07:19:54.465667: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16
Sep 21 07:19:54.465669: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17
Sep 21 07:19:54.465671: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18
Sep 21 07:19:54.465673: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256
Sep 21 07:19:54.465675: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384
Sep 21 07:19:54.465676: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521
Sep 21 07:19:54.465678: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519
Sep 21 07:19:54.465680: testing CAMELLIA_CBC:
Sep 21 07:19:54.465681: Camellia: 16 bytes with 128-bit key
Sep 21 07:19:54.465774: Camellia: 16 bytes with 128-bit key
Sep 21 07:19:54.465798: Camellia: 16 bytes with 256-bit key
Sep 21 07:19:54.465819: Camellia: 16 bytes with 256-bit key
Sep 21 07:19:54.465838: testing AES_GCM_16:
Sep 21 07:19:54.465840: empty string
Sep 21 07:19:54.465858: one block
Sep 21 07:19:54.465873: two blocks
Sep 21 07:19:54.465889: two blocks with associated data
Sep 21 07:19:54.465905: testing AES_CTR:
Sep 21 07:19:54.465907: Encrypting 16 octets using AES-CTR with 128-bit key
Sep 21 07:19:54.465923: Encrypting 32 octets using AES-CTR with 128-bit key
Sep 21 07:19:54.465939: Encrypting 36 octets using AES-CTR with 128-bit key
Sep 21 07:19:54.465956: Encrypting 16 octets using AES-CTR with 192-bit key
Sep 21 07:19:54.465972: Encrypting 32 octets using AES-CTR with 192-bit key
Sep 21 07:19:54.465992: Encrypting 36 octets using AES-CTR with 192-bit key
Sep 21 07:19:54.466010: Encrypting 16 octets using AES-CTR with 256-bit key
Sep 21 07:19:54.466033: Encrypting 32 octets using AES-CTR with 256-bit key
Sep 21 07:19:54.466061: Encrypting 36 octets using AES-CTR with 256-bit key
Sep 21 07:19:54.466086: testing AES_CBC:
Sep 21 07:19:54.466089: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Sep 21 07:19:54.466106: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Sep 21 07:19:54.466123: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Sep 21 07:19:54.466141: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Sep 21 07:19:54.466180: testing AES_XCBC:
Sep 21 07:19:54.466187: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input
Sep 21 07:19:54.466316: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input
Sep 21 07:19:54.466450: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input
Sep 21 07:19:54.466565: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input
Sep 21 07:19:54.466685: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input
Sep 21 07:19:54.466822: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input
Sep 21 07:19:54.466950: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input
Sep 21 07:19:54.467224: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Sep 21 07:19:54.467358: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Sep 21 07:19:54.467498: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Sep 21 07:19:54.467731: testing HMAC_MD5:
Sep 21 07:19:54.467736: RFC 2104: MD5_HMAC test 1
Sep 21 07:19:54.467932: RFC 2104: MD5_HMAC test 2
Sep 21 07:19:54.468080: RFC 2104: MD5_HMAC test 3
Sep 21 07:19:54.468209: 8 CPU cores online
Sep 21 07:19:54.468212: starting up 7 crypto helpers
Sep 21 07:19:54.468242: started thread for crypto helper 0
Sep 21 07:19:54.468258: started thread for crypto helper 1
Sep 21 07:19:54.468277: started thread for crypto helper 2
Sep 21 07:19:54.468292: started thread for crypto helper 3
Sep 21 07:19:54.468297: | starting up helper thread 3
Sep 21 07:19:54.468311: | status value returned by setting the priority of this thread (crypto helper 3) 22
Sep 21 07:19:54.468323: | crypto helper 3 waiting (nothing to do)
Sep 21 07:19:54.468312: started thread for crypto helper 4
Sep 21 07:19:54.468317: | starting up helper thread 0
Sep 21 07:19:54.468345: | status value returned by setting the priority of this thread (crypto helper 0) 22
Sep 21 07:19:54.468348: | crypto helper 0 waiting (nothing to do)
Sep 21 07:19:54.468350: started thread for crypto helper 5
Sep 21 07:19:54.468369: started thread for crypto helper 6
Sep 21 07:19:54.468371: | checking IKEv1 state table
Sep 21 07:19:54.468377: | MAIN_R0: category: half-open IKE SA flags: 0:
Sep 21 07:19:54.468379: | -> MAIN_R1 EVENT_SO_DISCARD
Sep 21 07:19:54.468380: | MAIN_I1: category: half-open IKE SA flags: 0:
Sep 21 07:19:54.468382: | -> MAIN_I2 EVENT_RETRANSMIT
Sep 21 07:19:54.468383: | MAIN_R1: category: open IKE SA flags: 200:
Sep 21 07:19:54.468385: | -> MAIN_R2 EVENT_RETRANSMIT
Sep 21 07:19:54.468386: | -> UNDEFINED EVENT_RETRANSMIT
Sep 21 07:19:54.468388: | -> UNDEFINED EVENT_RETRANSMIT
Sep 21 07:19:54.468389: | MAIN_I2: category: open IKE SA flags: 0:
Sep 21 07:19:54.468391: | -> MAIN_I3 EVENT_RETRANSMIT
Sep 21 07:19:54.468392: | -> UNDEFINED EVENT_RETRANSMIT
Sep 21 07:19:54.468393: | -> UNDEFINED EVENT_RETRANSMIT
Sep 21 07:19:54.468395: | MAIN_R2: category: open IKE SA flags: 0:
Sep 21 07:19:54.468396: | -> MAIN_R3 EVENT_SA_REPLACE
Sep 21 07:19:54.468398: | -> MAIN_R3 EVENT_SA_REPLACE
Sep 21 07:19:54.468399: | -> UNDEFINED EVENT_SA_REPLACE
Sep 21 07:19:54.468401: | MAIN_I3: category: open IKE SA flags: 0:
Sep 21 07:19:54.468402: | -> MAIN_I4 EVENT_SA_REPLACE
Sep 21 07:19:54.468403: | -> MAIN_I4 EVENT_SA_REPLACE
Sep 21 07:19:54.468405: | -> UNDEFINED EVENT_SA_REPLACE
Sep 21 07:19:54.468406: | MAIN_R3: category: established IKE SA flags: 200:
Sep 21 07:19:54.468408: | -> UNDEFINED EVENT_NULL
Sep 21 07:19:54.468406: | starting up helper thread 4
Sep 21 07:19:54.468410: | MAIN_I4: category: established IKE SA flags: 0:
Sep 21 07:19:54.468426: | starting up helper thread 5
Sep 21 07:19:54.468428: | -> UNDEFINED EVENT_NULL
Sep 21 07:19:54.468422: | status value returned by setting the priority of this thread (crypto helper 4) 22
Sep 21 07:19:54.468439: | AGGR_R0: category: half-open IKE SA flags: 0:
Sep 21 07:19:54.468434: | status value returned by setting the priority of this thread (crypto helper 5) 22
Sep 21 07:19:54.468445: | -> AGGR_R1 EVENT_SO_DISCARD
Sep 21 07:19:54.468440: | crypto helper 4 waiting (nothing to do)
Sep 21 07:19:54.468447: | AGGR_I1: category: half-open IKE SA flags: 0:
Sep 21 07:19:54.468454: | -> AGGR_I2 EVENT_SA_REPLACE
Sep 21 07:19:54.468465: | -> AGGR_I2 EVENT_SA_REPLACE
Sep 21 07:19:54.468467: | starting up helper thread 1
Sep 21 07:19:54.468455: | crypto helper 5 waiting (nothing to do)
Sep 21 07:19:54.468469: | AGGR_R1: category: open IKE SA flags: 200:
Sep 21 07:19:54.468487: | -> AGGR_R2 EVENT_SA_REPLACE
Sep 21 07:19:54.468491: | -> AGGR_R2 EVENT_SA_REPLACE
Sep 21 07:19:54.468495: | AGGR_I2: category: established IKE SA flags: 200:
Sep 21 07:19:54.468499: | -> UNDEFINED EVENT_NULL
Sep 21 07:19:54.468479: | status value returned by setting the priority of this thread (crypto helper 1) 22
Sep 21 07:19:54.468504: | AGGR_R2: category: established IKE SA flags: 0:
Sep 21 07:19:54.468515: | -> UNDEFINED EVENT_NULL
Sep 21 07:19:54.468511: | crypto helper 1 waiting (nothing to do)
Sep 21 07:19:54.468519: | QUICK_R0: category: established CHILD SA flags: 0:
Sep 21 07:19:54.468527: | -> QUICK_R1 EVENT_RETRANSMIT
Sep 21 07:19:54.468530: | QUICK_I1: category: established CHILD SA flags: 0:
Sep 21 07:19:54.468532: | -> QUICK_I2 EVENT_SA_REPLACE
Sep 21 07:19:54.468535: | QUICK_R1: category: established CHILD SA flags: 0:
Sep 21 07:19:54.468537: | -> QUICK_R2 EVENT_SA_REPLACE
Sep 21 07:19:54.468539: | QUICK_I2: category: established CHILD SA flags: 200:
Sep 21 07:19:54.468541: | -> UNDEFINED EVENT_NULL
Sep 21 07:19:54.468547: | QUICK_R2: category: established CHILD SA flags: 0:
Sep 21 07:19:54.468549: | -> UNDEFINED EVENT_NULL
Sep 21 07:19:54.468552: | INFO: category: informational flags: 0:
Sep 21 07:19:54.468554: | -> UNDEFINED EVENT_NULL
Sep 21 07:19:54.468557: | INFO_PROTECTED: category: informational flags: 0:
Sep 21 07:19:54.468559: | -> UNDEFINED EVENT_NULL
Sep 21 07:19:54.468561: | XAUTH_R0: category: established IKE SA flags: 0:
Sep 21 07:19:54.468563: | -> XAUTH_R1 EVENT_NULL
Sep 21 07:19:54.468565: | XAUTH_R1: category: established IKE SA flags: 0:
Sep 21 07:19:54.468567: | -> MAIN_R3 EVENT_SA_REPLACE
Sep 21 07:19:54.468570: | MODE_CFG_R0: category: informational flags: 0:
Sep 21 07:19:54.468572: | -> MODE_CFG_R1 EVENT_SA_REPLACE
Sep 21 07:19:54.468575: | MODE_CFG_R1: category: established IKE SA flags: 0:
Sep 21 07:19:54.468577: | -> MODE_CFG_R2 EVENT_SA_REPLACE
Sep 21 07:19:54.468580: | MODE_CFG_R2: category: established IKE SA flags: 0:
Sep 21 07:19:54.468582: | -> UNDEFINED EVENT_NULL
Sep 21 07:19:54.468585: | MODE_CFG_I1: category: established IKE SA flags: 0:
Sep 21 07:19:54.468587: | -> MAIN_I4 EVENT_SA_REPLACE
Sep 21 07:19:54.468590: | XAUTH_I0: category: established IKE SA flags: 0:
Sep 21 07:19:54.468591: | -> XAUTH_I1 EVENT_RETRANSMIT
Sep 21 07:19:54.468594: | XAUTH_I1: category: established IKE SA flags: 0:
Sep 21 07:19:54.468596: | -> MAIN_I4 EVENT_RETRANSMIT
Sep 21 07:19:54.468603: | checking IKEv2 state table
Sep 21 07:19:54.468609: | PARENT_I0: category: ignore flags: 0:
Sep 21 07:19:54.468613: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT)
Sep 21 07:19:54.468616: | PARENT_I1: category: half-open IKE SA flags: 0:
Sep 21 07:19:54.468618: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification)
Sep 21 07:19:54.468621: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH)
Sep 21 07:19:54.468624: | PARENT_I2: category: open IKE SA flags: 0:
Sep 21 07:19:54.468627: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification)
Sep 21 07:19:54.468630: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification)
Sep 21 07:19:54.468633: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification)
Sep 21 07:19:54.468635: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response)
Sep 21 07:19:54.468638: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification)
Sep 21 07:19:54.468641: | PARENT_I3: category: established IKE SA flags: 0:
Sep 21 07:19:54.468644: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request)
Sep 21 07:19:54.468646: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response)
Sep 21 07:19:54.468649: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request)
Sep 21 07:19:54.468651: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response)
Sep 21 07:19:54.468654: | PARENT_R0: category: half-open IKE SA flags: 0:
Sep 21 07:19:54.468657: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT)
Sep 21 07:19:54.468660: | PARENT_R1: category: half-open IKE SA flags: 0:
Sep 21 07:19:54.468662: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED))
Sep 21 07:19:54.468665: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request)
Sep 21 07:19:54.468668: | PARENT_R2: category: established IKE SA flags: 0:
Sep 21 07:19:54.468671: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request)
Sep 21 07:19:54.468674: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response)
Sep 21 07:19:54.468676: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request)
Sep 21 07:19:54.468679: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response)
Sep 21 07:19:54.468681: | V2_CREATE_I0: category: established IKE SA flags: 0:
Sep 21 07:19:54.468687: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA)
Sep 21 07:19:54.468690: | V2_CREATE_I: category: established IKE SA flags: 0:
Sep 21 07:19:54.468692: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response)
Sep 21 07:19:54.468695: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0:
Sep 21 07:19:54.468698: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey)
Sep 21 07:19:54.468701: | V2_REKEY_IKE_I: category: established IKE SA flags: 0:
Sep 21 07:19:54.468704: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response)
Sep 21 07:19:54.468707: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0:
Sep 21 07:19:54.468709: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA)
Sep 21 07:19:54.468712: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0:
Sep 21 07:19:54.468715: | V2_CREATE_R: category: established IKE SA flags: 0:
Sep 21 07:19:54.468718: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request)
Sep 21 07:19:54.468721: | V2_REKEY_IKE_R: category: established IKE SA flags: 0:
Sep 21 07:19:54.468723: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey)
Sep 21 07:19:54.468726: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0:
Sep 21 07:19:54.468728: | V2_IPSEC_I: category: established CHILD SA flags: 0:
Sep 21 07:19:54.468731: | V2_IPSEC_R: category: established CHILD SA flags: 0:
Sep 21 07:19:54.468734: | IKESA_DEL: category: established IKE SA flags: 0:
Sep 21 07:19:54.468737: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
Sep 21 07:19:54.468740: | CHILDSA_DEL: category: informational flags: 0:
Sep 21 07:19:54.468798: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+
Sep 21 07:19:54.468870: | Hard-wiring algorithms
Sep 21 07:19:54.468874: | adding AES_CCM_16 to kernel algorithm db
Sep 21 07:19:54.468878: | adding AES_CCM_12 to kernel algorithm db
Sep 21 07:19:54.468881: | adding AES_CCM_8 to kernel algorithm db
Sep 21 07:19:54.468883: | adding 3DES_CBC to kernel algorithm db
Sep 21 07:19:54.468886: | adding CAMELLIA_CBC to kernel algorithm db
Sep 21 07:19:54.468888: | adding AES_GCM_16 to kernel algorithm db
Sep 21 07:19:54.468891: | adding AES_GCM_12 to kernel algorithm db
Sep 21 07:19:54.468893: | adding AES_GCM_8 to kernel algorithm db
Sep 21 07:19:54.468895: | adding AES_CTR to kernel algorithm db
Sep 21 07:19:54.468897: | adding AES_CBC to kernel algorithm db
Sep 21 07:19:54.468900: | adding SERPENT_CBC to kernel algorithm db
Sep 21 07:19:54.468902: | adding TWOFISH_CBC to kernel algorithm db
Sep 21 07:19:54.468905: | adding NULL_AUTH_AES_GMAC to kernel algorithm db
Sep 21 07:19:54.468907: | adding NULL to kernel algorithm db
Sep 21 07:19:54.468910: | adding CHACHA20_POLY1305 to kernel algorithm db
Sep 21 07:19:54.468912: | adding HMAC_MD5_96 to kernel algorithm db
Sep 21 07:19:54.468915: | adding HMAC_SHA1_96 to kernel algorithm db
Sep 21 07:19:54.468917: | adding HMAC_SHA2_512_256 to kernel algorithm db
Sep 21 07:19:54.468920: | adding HMAC_SHA2_384_192 to kernel algorithm db
Sep 21 07:19:54.468923: | adding HMAC_SHA2_256_128 to kernel algorithm db
Sep 21 07:19:54.468925: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db
Sep 21 07:19:54.468928: | adding AES_XCBC_96 to kernel algorithm db
Sep 21 07:19:54.468930: | adding AES_CMAC_96 to kernel algorithm db
Sep 21 07:19:54.468933: | adding NONE to kernel algorithm db
Sep 21 07:19:54.468953: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes
Sep 21 07:19:54.468960: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds
Sep 21 07:19:54.468963: | setup kernel fd callback
Sep 21 07:19:54.468966: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55d552de4a50
Sep 21 07:19:54.468969: | libevent_malloc: new ptr-libevent@0x55d552debf20 size 128
Sep 21 07:19:54.468973: | libevent_malloc: new ptr-libevent@0x55d552ddfcc0 size 16
Sep 21 07:19:54.468983: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55d552ddf2f0
Sep 21 07:19:54.468988: | libevent_malloc: new ptr-libevent@0x55d552debfb0 size 128
Sep 21 07:19:54.468991: | libevent_malloc: new ptr-libevent@0x55d552dda780 size 16
Sep 21 07:19:54.469225: | global one-shot timer EVENT_CHECK_CRLS initialized
Sep 21 07:19:54.469233: selinux support is enabled.
Sep 21 07:19:54.469309: systemd watchdog not enabled - not sending watchdog keepalives
Sep 21 07:19:54.469490: | unbound context created - setting debug level to 5
Sep 21 07:19:54.469522: | /etc/hosts lookups activated
Sep 21 07:19:54.469537: | /etc/resolv.conf usage activated
Sep 21 07:19:54.469597: | outgoing-port-avoid set 0-65535
Sep 21 07:19:54.469625: | outgoing-port-permit set 32768-60999
Sep 21 07:19:54.469628: | Loading dnssec root key from:/var/lib/unbound/root.key
Sep 21 07:19:54.469632: | No additional dnssec trust anchors defined via dnssec-trusted= option
Sep 21 07:19:54.469635: | Setting up events, loop start
Sep 21 07:19:54.469638: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55d552ddf040
Sep 21 07:19:54.469641: | libevent_malloc: new ptr-libevent@0x55d552df6520 size 128
Sep 21 07:19:54.469644: | libevent_malloc: new ptr-libevent@0x55d552df65b0 size 16
Sep 21 07:19:54.469652: | libevent_realloc: new ptr-libevent@0x55d552d5a5b0 size 256
Sep 21 07:19:54.469655: | libevent_malloc: new ptr-libevent@0x55d552df65d0 size 8
Sep 21 07:19:54.469659: | libevent_realloc: new ptr-libevent@0x55d552deb220 size 144
Sep 21 07:19:54.469662: | libevent_malloc: new ptr-libevent@0x55d552df65f0 size 152
Sep 21 07:19:54.469665: | libevent_malloc: new ptr-libevent@0x55d552df6690 size 16
Sep 21 07:19:54.469669: | signal event handler PLUTO_SIGCHLD installed
Sep 21 07:19:54.469672: | libevent_malloc: new ptr-libevent@0x55d552df66b0 size 8
Sep 21 07:19:54.469675: | libevent_malloc: new ptr-libevent@0x55d552df66d0 size 152
Sep 21 07:19:54.469678: | signal event handler PLUTO_SIGTERM installed
Sep 21 07:19:54.469681: | libevent_malloc: new ptr-libevent@0x55d552df6770 size 8
Sep 21 07:19:54.469683: | libevent_malloc: new ptr-libevent@0x55d552df6790 size 152
Sep 21 07:19:54.469686: | signal event handler PLUTO_SIGHUP installed
Sep 21 07:19:54.469689: | libevent_malloc: new ptr-libevent@0x55d552df6830 size 8
Sep 21 07:19:54.469691: | libevent_realloc: release ptr-libevent@0x55d552deb220
Sep 21 07:19:54.469694: | libevent_realloc: new ptr-libevent@0x55d552df6850 size 256
Sep 21 07:19:54.469696: | libevent_malloc: new ptr-libevent@0x55d552deb220 size 152
Sep 21 07:19:54.469699: | signal event handler PLUTO_SIGSYS installed
Sep 21 07:19:54.470059: | created addconn helper (pid:14142) using fork+execve
Sep 21 07:19:54.470076: | forked child 14142
Sep 21 07:19:54.470116: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721)
Sep 21 07:19:54.470132: | pluto_sd: executing action action: reloading(4), status 0
Sep 21 07:19:54.470138: listening for IKE messages
Sep 21 07:19:54.470190: | Inspecting interface lo
Sep 21 07:19:54.470196: | found lo with address 127.0.0.1
Sep 21 07:19:54.470199: | Inspecting interface eth0
Sep 21 07:19:54.470203: | found eth0 with address 192.0.2.254
Sep 21 07:19:54.470206: | Inspecting interface eth1
Sep 21 07:19:54.470210: | found eth1 with address 192.1.2.23
Sep 21 07:19:54.470257: Kernel supports NIC esp-hw-offload
Sep 21 07:19:54.470266: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500
Sep 21 07:19:54.470287: | NAT-Traversal: Trying sockopt style NAT-T
Sep 21 07:19:54.470291: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Sep 21 07:19:54.470295: adding interface eth1/eth1 192.1.2.23:4500
Sep 21 07:19:54.470318: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500
Sep 21 07:19:54.470338: | NAT-Traversal: Trying sockopt style NAT-T
Sep 21 07:19:54.470341: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Sep 21 07:19:54.470348: adding interface eth0/eth0 192.0.2.254:4500
Sep 21 07:19:54.470372: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500
Sep 21 07:19:54.470392: | NAT-Traversal: Trying sockopt style NAT-T
Sep 21 07:19:54.470395: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Sep 21 07:19:54.470399: adding interface lo/lo 127.0.0.1:4500
Sep 21 07:19:54.470458: | no interfaces to sort
Sep 21 07:19:54.470463: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
Sep 21 07:19:54.470471: | add_fd_read_event_handler: new ethX-pe@0x55d552ddfdc0
Sep 21 07:19:54.470474: | libevent_malloc: new ptr-libevent@0x55d552df6bc0 size 128
Sep 21 07:19:54.470477: | libevent_malloc: new ptr-libevent@0x55d552df6c50 size 16
Sep 21 07:19:54.470485: | setup callback for interface lo 127.0.0.1:4500 fd 22
Sep 21 07:19:54.470489: | add_fd_read_event_handler: new ethX-pe@0x55d552df6c70
Sep 21 07:19:54.470491: | libevent_malloc: new ptr-libevent@0x55d552df6cb0 size 128
Sep 21 07:19:54.470494: | libevent_malloc: new ptr-libevent@0x55d552df6d40 size 16
Sep 21 07:19:54.470499: | setup callback for interface lo 127.0.0.1:500 fd 21
Sep 21 07:19:54.470502: | add_fd_read_event_handler: new ethX-pe@0x55d552df6d60
Sep 21 07:19:54.470504: | libevent_malloc: new ptr-libevent@0x55d552df6da0 size 128
Sep 21 07:19:54.470507: | libevent_malloc: new ptr-libevent@0x55d552df6e30 size 16
Sep 21 07:19:54.470511: | setup callback for interface eth0 192.0.2.254:4500 fd 20
Sep 21 07:19:54.470514: | add_fd_read_event_handler: new ethX-pe@0x55d552df6e50
Sep 21 07:19:54.470517: | libevent_malloc: new ptr-libevent@0x55d552df6e90 size 128
Sep 21 07:19:54.470519: | libevent_malloc: new ptr-libevent@0x55d552df6f20 size 16
Sep 21 07:19:54.470524: | setup callback for interface eth0 192.0.2.254:500 fd 19
Sep 21 07:19:54.470527: | add_fd_read_event_handler: new ethX-pe@0x55d552df6f40
Sep 21 07:19:54.470529: | libevent_malloc: new ptr-libevent@0x55d552df6f80 size 128
Sep 21 07:19:54.470531: | libevent_malloc: new ptr-libevent@0x55d552df7010 size 16
Sep 21 07:19:54.470536: | setup callback for interface eth1 192.1.2.23:4500 fd 18
Sep 21 07:19:54.470539: | add_fd_read_event_handler: new ethX-pe@0x55d552df7030
Sep 21 07:19:54.470541: | libevent_malloc: new ptr-libevent@0x55d552df7070 size 128
Sep 21 07:19:54.470544: | libevent_malloc: new ptr-libevent@0x55d552df7100 size 16
Sep 21 07:19:54.470548: | setup callback for interface eth1 192.1.2.23:500 fd 17
Sep 21 07:19:54.470554: | certs and keys locked by 'free_preshared_secrets'
Sep 21 07:19:54.470556: | certs and keys unlocked by 'free_preshared_secrets'
Sep 21 07:19:54.470577: loading secrets from "/etc/ipsec.secrets"
Sep 21 07:19:54.470588: | id type added to secret(0x55d552dec100) PKK_PSK: @east
Sep 21 07:19:54.470592: | id type added to secret(0x55d552dec100) PKK_PSK: @west
Sep 21 07:19:54.470596: | Processing PSK at line 1: passed
Sep 21 07:19:54.470599: | certs and keys locked by 'process_secret'
Sep 21 07:19:54.470603: | certs and keys unlocked by 'process_secret'
Sep 21 07:19:54.470608: | pluto_sd: executing action action: ready(5), status 0
Sep 21 07:19:54.470614: | close_any(fd@16) (in whack_process() at rcv_whack.c:700)
Sep 21 07:19:54.470622: | spent 0.506 milliseconds in whack
Sep 21 07:19:54.471818: | starting up helper thread 6
Sep 21 07:19:54.471832: | status value returned by setting the priority of this thread (crypto helper 6) 22
Sep 21 07:19:54.471839: | crypto helper 6 waiting (nothing to do)
Sep 21 07:19:54.476891: | starting up helper thread 2
Sep 21 07:19:54.476910: | status value returned by setting the priority of this thread (crypto helper 2) 22
Sep 21 07:19:54.476913: | crypto helper 2 waiting (nothing to do)
Sep 21 07:19:54.516617: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721)
Sep 21 07:19:54.516645: | pluto_sd: executing action action: reloading(4), status 0
Sep 21 07:19:54.516651: listening for IKE messages
Sep 21 07:19:54.516689: | Inspecting interface lo
Sep 21 07:19:54.516704: | found lo with address 127.0.0.1
Sep 21 07:19:54.516707: | Inspecting interface eth0
Sep 21 07:19:54.516712: | found eth0 with address 192.0.2.254
Sep 21 07:19:54.516715: | Inspecting interface eth1
Sep 21 07:19:54.516719: | found eth1 with address 192.1.2.23
Sep 21 07:19:54.516803: | no interfaces to sort
Sep 21 07:19:54.516816: | libevent_free: release ptr-libevent@0x55d552df6bc0
Sep 21 07:19:54.516820: | free_event_entry: release EVENT_NULL-pe@0x55d552ddfdc0
Sep 21 07:19:54.516823: | add_fd_read_event_handler: new ethX-pe@0x55d552ddfdc0
Sep 21 07:19:54.516826: | libevent_malloc: new ptr-libevent@0x55d552df6bc0 size 128
Sep 21 07:19:54.516833: | setup callback for interface lo 127.0.0.1:4500 fd 22
Sep 21 07:19:54.516837: | libevent_free: release ptr-libevent@0x55d552df6cb0
Sep 21 07:19:54.516840: | free_event_entry: release EVENT_NULL-pe@0x55d552df6c70
Sep 21 07:19:54.516843: | add_fd_read_event_handler: new ethX-pe@0x55d552df6c70
Sep 21 07:19:54.516846: | libevent_malloc: new ptr-libevent@0x55d552df6cb0 size 128
Sep 21 07:19:54.516852: | setup callback for interface lo 127.0.0.1:500 fd 21
Sep 21 07:19:54.516855: | libevent_free: release ptr-libevent@0x55d552df6da0
Sep 21 07:19:54.516858: | free_event_entry: release EVENT_NULL-pe@0x55d552df6d60
Sep 21 07:19:54.516860: | add_fd_read_event_handler: new ethX-pe@0x55d552df6d60
Sep 21 07:19:54.516863: | libevent_malloc: new ptr-libevent@0x55d552df6da0 size 128
Sep 21 07:19:54.516868: | setup callback for interface eth0 192.0.2.254:4500 fd 20
Sep 21 07:19:54.516871: | libevent_free: release ptr-libevent@0x55d552df6e90
Sep 21 07:19:54.516873: | free_event_entry: release EVENT_NULL-pe@0x55d552df6e50
Sep 21 07:19:54.516876: | add_fd_read_event_handler: new ethX-pe@0x55d552df6e50
Sep 21 07:19:54.516878: | libevent_malloc: new ptr-libevent@0x55d552df6e90 size 128
Sep 21 07:19:54.516883: | setup callback for interface eth0 192.0.2.254:500 fd 19
Sep 21 07:19:54.516886: | libevent_free: release ptr-libevent@0x55d552df6f80
Sep 21 07:19:54.516889: | free_event_entry: release EVENT_NULL-pe@0x55d552df6f40
Sep 21 07:19:54.516892: | add_fd_read_event_handler: new ethX-pe@0x55d552df6f40
Sep 21 07:19:54.516895: | libevent_malloc: new ptr-libevent@0x55d552df6f80 size 128
Sep 21 07:19:54.516899: | setup callback for interface eth1 192.1.2.23:4500 fd 18
Sep 21 07:19:54.516903: | libevent_free: release ptr-libevent@0x55d552df7070
Sep 21 07:19:54.516906: | free_event_entry: release EVENT_NULL-pe@0x55d552df7030
Sep 21 07:19:54.516908: | add_fd_read_event_handler: new ethX-pe@0x55d552df7030
Sep 21 07:19:54.516910: | libevent_malloc: new ptr-libevent@0x55d552df7070 size 128
Sep 21 07:19:54.516915: | setup callback for interface eth1 192.1.2.23:500 fd 17
Sep 21 07:19:54.516919: | certs and keys locked by 'free_preshared_secrets'
Sep 21 07:19:54.516922: forgetting secrets
Sep 21 07:19:54.516931: | certs and keys unlocked by 'free_preshared_secrets'
Sep 21 07:19:54.516945: loading secrets from "/etc/ipsec.secrets"
Sep 21 07:19:54.516953: | id type added to secret(0x55d552dec100) PKK_PSK: @east
Sep 21 07:19:54.516956: | id type added to secret(0x55d552dec100) PKK_PSK: @west
Sep 21 07:19:54.516960: | Processing PSK at line 1: passed
Sep 21 07:19:54.516962: | certs and keys locked by 'process_secret'
Sep 21 07:19:54.516965: | certs and keys unlocked by 'process_secret'
Sep 21 07:19:54.516969: | pluto_sd: executing action action: ready(5), status 0
Sep 21 07:19:54.516976: | close_any(fd@16) (in whack_process() at rcv_whack.c:700)
Sep 21 07:19:54.516984: | spent 0.361 milliseconds in whack
Sep 21 07:19:54.517563: | processing signal PLUTO_SIGCHLD
Sep 21 07:19:54.517576: | waitpid returned pid 14142 (exited with status 0)
Sep 21 07:19:54.517580: | reaped addconn helper child (status 0)
Sep 21 07:19:54.517584: | waitpid returned ECHILD (no child processes left)
Sep 21 07:19:54.517589: | spent 0.0165 milliseconds in signal handler PLUTO_SIGCHLD
Sep 21 07:19:54.602298: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721)
Sep 21 07:19:54.602320: | FOR_EACH_CONNECTION_... in conn_by_name
Sep 21 07:19:54.602323: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias
Sep 21 07:19:54.602325: | FOR_EACH_CONNECTION_... in conn_by_name
Sep 21 07:19:54.602326: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias
Sep 21 07:19:54.602329: | FOR_EACH_CONNECTION_... in conn_by_name
Sep 21 07:19:54.602334: | Added new connection westnet-eastnet-ipv4-psk-ikev2 with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
Sep 21 07:19:54.602370: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
Sep 21 07:19:54.602372: | from whack: got --esp=
Sep 21 07:19:54.602394: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
Sep 21 07:19:54.602397: | counting wild cards for @west is 0
Sep 21 07:19:54.602399: | counting wild cards for @east is 0
Sep 21 07:19:54.602407: | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none
Sep 21 07:19:54.602410: | new hp@0x55d552dc35f0
Sep 21 07:19:54.602412: added connection description "westnet-eastnet-ipv4-psk-ikev2"
Sep 21 07:19:54.602421: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
Sep 21 07:19:54.602432: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.2.45<192.1.2.45>[@west]===192.0.1.0/24
Sep 21 07:19:54.602438: | close_any(fd@16) (in whack_process() at rcv_whack.c:700)
Sep 21 07:19:54.602445: | spent 0.153 milliseconds in whack
Sep 21
07:19:57.123285: | spent 0.00253 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:19:57.123310: | *received 828 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
Sep 21 07:19:57.123439: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Sep 21 07:19:57.123442: | **parse ISAKMP Message: Sep 21 07:19:57.123445: | initiator cookie: Sep 21 07:19:57.123447: | 2f 05 32 33 35 70 31 00 Sep 21 07:19:57.123449: | responder cookie: Sep 21 07:19:57.123452: | 00 00 00 00 00 00 00 00 Sep 21 07:19:57.123454: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:19:57.123457: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:19:57.123459: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:19:57.123462: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:19:57.123464: | Message ID: 0 (0x0) Sep 21 07:19:57.123467: | length: 828 (0x33c) Sep 21 07:19:57.123470: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Sep 21 07:19:57.123473: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Sep 21 07:19:57.123476: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Sep 21 07:19:57.123479: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:19:57.123482: | ***parse IKEv2 Security Association Payload: Sep 21 07:19:57.123484: | next payload type: ISAKMP_NEXT_v2KE (0x22) Sep 21 07:19:57.123487: | flags: none (0x0) Sep 21 07:19:57.123489: | length: 436 (0x1b4) Sep 21 07:19:57.123492: | processing payload: ISAKMP_NEXT_v2SA (len=432) Sep 21 07:19:57.123494: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:19:57.123497: | ***parse IKEv2 Key Exchange Payload: Sep 21 07:19:57.123499: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:19:57.123502: | flags: none (0x0) Sep 21 07:19:57.123504: | length: 264 (0x108) Sep 21 07:19:57.123506: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:19:57.123509: | processing payload: ISAKMP_NEXT_v2KE (len=256) Sep 21 07:19:57.123513: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 21 07:19:57.123515: | ***parse IKEv2 Nonce Payload: Sep 21
07:19:57.123517: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:19:57.123520: | flags: none (0x0) Sep 21 07:19:57.123522: | length: 36 (0x24) Sep 21 07:19:57.123524: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:19:57.123527: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:19:57.123529: | ***parse IKEv2 Notify Payload: Sep 21 07:19:57.123531: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:19:57.123534: | flags: none (0x0) Sep 21 07:19:57.123536: | length: 8 (0x8) Sep 21 07:19:57.123538: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:19:57.123541: | SPI size: 0 (0x0) Sep 21 07:19:57.123544: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:19:57.123546: | processing payload: ISAKMP_NEXT_v2N (len=0) Sep 21 07:19:57.123548: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:19:57.123551: | ***parse IKEv2 Notify Payload: Sep 21 07:19:57.123553: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:19:57.123555: | flags: none (0x0) Sep 21 07:19:57.123558: | length: 28 (0x1c) Sep 21 07:19:57.123560: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:19:57.123562: | SPI size: 0 (0x0) Sep 21 07:19:57.123565: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:19:57.123567: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:19:57.123569: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:19:57.123572: | ***parse IKEv2 Notify Payload: Sep 21 07:19:57.123574: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:19:57.123576: | flags: none (0x0) Sep 21 07:19:57.123579: | length: 28 (0x1c) Sep 21 07:19:57.123581: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:19:57.123583: | SPI size: 0 (0x0) Sep 21 07:19:57.123586: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:19:57.123588: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:19:57.123590: | DDOS disabled and no cookie sent, continuing Sep 21 07:19:57.123596: | find_host_connection 
local=192.1.2.23:500 remote=192.1.2.45:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:19:57.123601: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Sep 21 07:19:57.123604: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:19:57.123608: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (westnet-eastnet-ipv4-psk-ikev2) Sep 21 07:19:57.123610: | find_next_host_connection returns empty Sep 21 07:19:57.123614: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:19:57.123617: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:19:57.123619: | find_next_host_connection returns empty Sep 21 07:19:57.123623: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Sep 21 07:19:57.123628: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:19:57.123633: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Sep 21 07:19:57.123635: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:19:57.123638: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (westnet-eastnet-ipv4-psk-ikev2) Sep 21 07:19:57.123640: | find_next_host_connection returns empty Sep 21 07:19:57.123644: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:19:57.123647: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:19:57.123649: | find_next_host_connection returns empty Sep 21 07:19:57.123653: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Sep 21 07:19:57.123657: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=PSK+IKEV2_ALLOW but ignoring ports Sep 21 07:19:57.123663: | find_host_pair: 
comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Sep 21 07:19:57.123666: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:19:57.123669: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (westnet-eastnet-ipv4-psk-ikev2) Sep 21 07:19:57.123671: | find_next_host_connection returns westnet-eastnet-ipv4-psk-ikev2 Sep 21 07:19:57.123674: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:19:57.123676: | find_next_host_connection returns empty Sep 21 07:19:57.123679: | found connection: westnet-eastnet-ipv4-psk-ikev2 with policy PSK+IKEV2_ALLOW Sep 21 07:19:57.123705: | creating state object #1 at 0x55d552dfa1a0 Sep 21 07:19:57.123708: | State DB: adding IKEv2 state #1 in UNDEFINED Sep 21 07:19:57.123716: | pstats #1 ikev2.ike started Sep 21 07:19:57.123719: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Sep 21 07:19:57.123738: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Sep 21 07:19:57.123744: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:19:57.123751: | start processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:19:57.123754: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:19:57.123759: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:19:57.123762: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Sep 21 07:19:57.123770: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Sep 21 07:19:57.123774: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 
wip.responder=-1->0 Sep 21 07:19:57.123777: | #1 in state PARENT_R0: processing SA_INIT request Sep 21 07:19:57.123780: | selected state microcode Respond to IKE_SA_INIT Sep 21 07:19:57.123790: | Now let's proceed with state specific processing Sep 21 07:19:57.123795: | calling processor Respond to IKE_SA_INIT Sep 21 07:19:57.123801: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:19:57.123804: | constructing local IKE proposals for westnet-eastnet-ipv4-psk-ikev2 (IKE SA responder matching remote proposals) Sep 21 07:19:57.123812: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:19:57.123820: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:19:57.123823: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:19:57.123829: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:19:57.123832: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:19:57.123838: | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:19:57.123841: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:19:57.123847: | ... 
ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:19:57.123860: "westnet-eastnet-ipv4-psk-ikev2": constructed local IKE proposals for westnet-eastnet-ipv4-psk-ikev2 (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:19:57.123864: | Comparing remote proposals against IKE responder 4 local proposals Sep 21 07:19:57.123868: | local proposal 1 type ENCR has 1 transforms Sep 21 07:19:57.123871: | local proposal 1 type PRF has 2 transforms Sep 21 07:19:57.123874: | local proposal 1 type INTEG has 1 transforms Sep 21 07:19:57.123876: | local proposal 1 type DH has 8 transforms Sep 21 07:19:57.123878: | local proposal 1 type ESN has 0 transforms Sep 21 07:19:57.123882: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Sep 21 07:19:57.123884: | local proposal 2 type ENCR has 1 transforms Sep 21 07:19:57.123887: | local proposal 2 type PRF has 2 transforms Sep 21 07:19:57.123889: | local proposal 2 type INTEG has 1 transforms Sep 21 07:19:57.123891: | local proposal 2 type DH has 8 transforms Sep 21 07:19:57.123894: | local proposal 2 type ESN has 0 transforms Sep 21 07:19:57.123897: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Sep 21 07:19:57.123899: | local proposal 
3 type ENCR has 1 transforms Sep 21 07:19:57.123901: | local proposal 3 type PRF has 2 transforms Sep 21 07:19:57.123904: | local proposal 3 type INTEG has 2 transforms Sep 21 07:19:57.123906: | local proposal 3 type DH has 8 transforms Sep 21 07:19:57.123909: | local proposal 3 type ESN has 0 transforms Sep 21 07:19:57.123911: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:19:57.123914: | local proposal 4 type ENCR has 1 transforms Sep 21 07:19:57.123916: | local proposal 4 type PRF has 2 transforms Sep 21 07:19:57.123919: | local proposal 4 type INTEG has 2 transforms Sep 21 07:19:57.123921: | local proposal 4 type DH has 8 transforms Sep 21 07:19:57.123923: | local proposal 4 type ESN has 0 transforms Sep 21 07:19:57.123926: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:19:57.123929: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:19:57.123932: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:19:57.123934: | length: 100 (0x64) Sep 21 07:19:57.123937: | prop #: 1 (0x1) Sep 21 07:19:57.123939: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:19:57.123942: | spi size: 0 (0x0) Sep 21 07:19:57.123944: | # transforms: 11 (0xb) Sep 21 07:19:57.123947: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Sep 21 07:19:57.123950: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.123953: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.123955: | length: 12 (0xc) Sep 21 07:19:57.123957: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:19:57.123960: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:19:57.123962: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:19:57.123965: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:19:57.123967: | length/value: 256 (0x100) Sep 21 07:19:57.123971: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) 
transform 0 Sep 21 07:19:57.123974: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.123977: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.123980: | length: 8 (0x8) Sep 21 07:19:57.123983: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:19:57.123985: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:19:57.123989: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Sep 21 07:19:57.123992: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Sep 21 07:19:57.123995: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Sep 21 07:19:57.123999: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Sep 21 07:19:57.124001: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124003: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124006: | length: 8 (0x8) Sep 21 07:19:57.124008: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:19:57.124011: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:19:57.124013: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124016: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124018: | length: 8 (0x8) Sep 21 07:19:57.124020: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124023: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:19:57.124026: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Sep 21 07:19:57.124029: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Sep 21 07:19:57.124032: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Sep 21 07:19:57.124035: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Sep 21 07:19:57.124037: | 
*****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124040: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124042: | length: 8 (0x8) Sep 21 07:19:57.124044: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124047: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:19:57.124049: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124052: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124054: | length: 8 (0x8) Sep 21 07:19:57.124056: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124059: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:19:57.124062: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124064: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124066: | length: 8 (0x8) Sep 21 07:19:57.124069: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124071: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:19:57.124074: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124076: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124078: | length: 8 (0x8) Sep 21 07:19:57.124081: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124083: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:19:57.124086: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124088: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124091: | length: 8 (0x8) Sep 21 07:19:57.124093: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124095: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:19:57.124098: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124100: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124102: | length: 8 (0x8) Sep 21 07:19:57.124105: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124107: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:19:57.124110: | *****parse IKEv2 
Transform Substructure Payload: Sep 21 07:19:57.124112: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:19:57.124115: | length: 8 (0x8) Sep 21 07:19:57.124117: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124121: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:19:57.124125: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Sep 21 07:19:57.124129: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Sep 21 07:19:57.124132: | remote proposal 1 matches local proposal 1 Sep 21 07:19:57.124135: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:19:57.124137: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:19:57.124140: | length: 100 (0x64) Sep 21 07:19:57.124142: | prop #: 2 (0x2) Sep 21 07:19:57.124144: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:19:57.124147: | spi size: 0 (0x0) Sep 21 07:19:57.124149: | # transforms: 11 (0xb) Sep 21 07:19:57.124152: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:19:57.124155: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124157: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124159: | length: 12 (0xc) Sep 21 07:19:57.124162: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:19:57.124164: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:19:57.124166: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:19:57.124169: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:19:57.124171: | length/value: 128 (0x80) Sep 21 07:19:57.124174: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124176: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124179: | length: 8 (0x8) Sep 21 07:19:57.124181: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:19:57.124183: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 
07:19:57.124186: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124188: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124191: | length: 8 (0x8) Sep 21 07:19:57.124193: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:19:57.124196: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:19:57.124198: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124201: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124203: | length: 8 (0x8) Sep 21 07:19:57.124205: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124208: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:19:57.124210: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124212: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124215: | length: 8 (0x8) Sep 21 07:19:57.124217: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124219: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:19:57.124222: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124224: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124227: | length: 8 (0x8) Sep 21 07:19:57.124229: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124231: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:19:57.124234: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124236: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124239: | length: 8 (0x8) Sep 21 07:19:57.124241: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124243: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:19:57.124246: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124248: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124251: | length: 8 (0x8) Sep 21 07:19:57.124253: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124255: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:19:57.124258: | 
*****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124261: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124263: | length: 8 (0x8) Sep 21 07:19:57.124268: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124270: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:19:57.124273: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124275: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124278: | length: 8 (0x8) Sep 21 07:19:57.124280: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124282: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:19:57.124285: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124287: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:19:57.124290: | length: 8 (0x8) Sep 21 07:19:57.124292: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124294: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:19:57.124298: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Sep 21 07:19:57.124301: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Sep 21 07:19:57.124303: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:19:57.124306: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:19:57.124308: | length: 116 (0x74) Sep 21 07:19:57.124310: | prop #: 3 (0x3) Sep 21 07:19:57.124312: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:19:57.124315: | spi size: 0 (0x0) Sep 21 07:19:57.124317: | # transforms: 13 (0xd) Sep 21 07:19:57.124320: | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:19:57.124322: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124325: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124327: | length: 12 (0xc) Sep 21 07:19:57.124330: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:19:57.124332: | IKEv2 transform ID: 
AES_CBC (0xc) Sep 21 07:19:57.124334: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:19:57.124337: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:19:57.124339: | length/value: 256 (0x100) Sep 21 07:19:57.124342: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124344: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124346: | length: 8 (0x8) Sep 21 07:19:57.124349: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:19:57.124351: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:19:57.124354: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124356: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124358: | length: 8 (0x8) Sep 21 07:19:57.124361: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:19:57.124385: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:19:57.124399: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124401: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124404: | length: 8 (0x8) Sep 21 07:19:57.124406: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:19:57.124408: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:19:57.124411: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124413: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124416: | length: 8 (0x8) Sep 21 07:19:57.124418: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:19:57.124420: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:19:57.124423: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124425: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124428: | length: 8 (0x8) Sep 21 07:19:57.124430: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124432: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:19:57.124435: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124437: | last transform: v2_TRANSFORM_NON_LAST (0x3) 
Sep 21 07:19:57.124439: | length: 8 (0x8) Sep 21 07:19:57.124442: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124446: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:19:57.124448: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124451: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124453: | length: 8 (0x8) Sep 21 07:19:57.124455: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124458: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:19:57.124460: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124463: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124465: | length: 8 (0x8) Sep 21 07:19:57.124467: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124470: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:19:57.124472: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124475: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124477: | length: 8 (0x8) Sep 21 07:19:57.124479: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124481: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:19:57.124484: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124486: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124489: | length: 8 (0x8) Sep 21 07:19:57.124491: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124493: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:19:57.124496: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124498: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124500: | length: 8 (0x8) Sep 21 07:19:57.124503: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124505: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:19:57.124508: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124510: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:19:57.124512: | 
length: 8 (0x8) Sep 21 07:19:57.124515: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124517: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:19:57.124521: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Sep 21 07:19:57.124524: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Sep 21 07:19:57.124526: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:19:57.124528: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:19:57.124531: | length: 116 (0x74) Sep 21 07:19:57.124533: | prop #: 4 (0x4) Sep 21 07:19:57.124535: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:19:57.124537: | spi size: 0 (0x0) Sep 21 07:19:57.124540: | # transforms: 13 (0xd) Sep 21 07:19:57.124543: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:19:57.124545: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124548: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124550: | length: 12 (0xc) Sep 21 07:19:57.124552: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:19:57.124555: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:19:57.124557: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:19:57.124560: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:19:57.124562: | length/value: 128 (0x80) Sep 21 07:19:57.124565: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124567: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124569: | length: 8 (0x8) Sep 21 07:19:57.124572: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:19:57.124574: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:19:57.124577: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124579: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124581: | length: 8 (0x8) Sep 21 07:19:57.124584: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 
21 07:19:57.124586: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:19:57.124590: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124592: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124594: | length: 8 (0x8) Sep 21 07:19:57.124597: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:19:57.124599: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:19:57.124602: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124604: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124606: | length: 8 (0x8) Sep 21 07:19:57.124609: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:19:57.124611: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:19:57.124614: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124616: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124618: | length: 8 (0x8) Sep 21 07:19:57.124620: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124623: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:19:57.124625: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124628: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124630: | length: 8 (0x8) Sep 21 07:19:57.124632: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124635: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:19:57.124637: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124640: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124642: | length: 8 (0x8) Sep 21 07:19:57.124644: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124647: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:19:57.124649: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124652: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124654: | length: 8 (0x8) Sep 21 07:19:57.124656: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124659: 
| IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:19:57.124661: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124664: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124666: | length: 8 (0x8) Sep 21 07:19:57.124668: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124671: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:19:57.124673: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124676: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124678: | length: 8 (0x8) Sep 21 07:19:57.124680: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124683: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:19:57.124685: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124688: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.124690: | length: 8 (0x8) Sep 21 07:19:57.124692: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124694: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:19:57.124697: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.124699: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:19:57.124702: | length: 8 (0x8) Sep 21 07:19:57.124704: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.124706: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:19:57.124710: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Sep 21 07:19:57.124713: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Sep 21 07:19:57.124717: "westnet-eastnet-ipv4-psk-ikev2" #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Sep 21 07:19:57.124723: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Sep 21 07:19:57.124725: | converting proposal to internal trans attrs Sep 21 07:19:57.124729: | natd_hash: rcookie is zero Sep 21 07:19:57.124742: | natd_hash: hasher=0x55d55173d7a0(20) Sep 21 07:19:57.124745: | natd_hash: icookie= 2f 05 32 33 35 70 31 00 Sep 21 07:19:57.124747: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:19:57.124749: | natd_hash: ip= c0 01 02 17 Sep 21 07:19:57.124752: | natd_hash: port= 01 f4 Sep 21 07:19:57.124754: | natd_hash: hash= df 05 9d 65 ce d2 5b 2e 4e 8b 58 27 53 ce c8 0a Sep 21 07:19:57.124756: | natd_hash: hash= 51 93 a8 cc Sep 21 07:19:57.124758: | natd_hash: rcookie is zero Sep 21 07:19:57.124765: | natd_hash: hasher=0x55d55173d7a0(20) Sep 21 07:19:57.124767: | natd_hash: icookie= 2f 05 32 33 35 70 31 00 Sep 21 07:19:57.124770: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:19:57.124772: | natd_hash: ip= c0 01 02 2d Sep 21 07:19:57.124774: | natd_hash: port= 01 f4 Sep 21 07:19:57.124776: | natd_hash: hash= f7 6b 90 35 59 82 30 f0 12 2d ea 5e 1b 65 a6 39 Sep 21 07:19:57.124778: | natd_hash: hash= ed 5d e2 dc Sep 21 07:19:57.124781: | NAT_TRAVERSAL encaps using auto-detect Sep 21 07:19:57.124799: | NAT_TRAVERSAL this end is NOT behind NAT Sep 21 07:19:57.124804: | NAT_TRAVERSAL that end is NOT behind NAT Sep 21 07:19:57.124807: | NAT_TRAVERSAL 
nat-keepalive enabled 192.1.2.45 Sep 21 07:19:57.124810: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Sep 21 07:19:57.124814: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55d552dfa0d0 Sep 21 07:19:57.124817: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:19:57.124821: | libevent_malloc: new ptr-libevent@0x55d552dfc310 size 128 Sep 21 07:19:57.124833: | #1 spent 0.988 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Sep 21 07:19:57.124837: | crypto helper 3 resuming Sep 21 07:19:57.124848: | crypto helper 3 starting work-order 1 for state #1 Sep 21 07:19:57.124853: | crypto helper 3 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Sep 21 07:19:57.124840: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:19:57.124866: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Sep 21 07:19:57.124868: | suspending state #1 and saving MD Sep 21 07:19:57.124871: | #1 is busy; has a suspended MD Sep 21 07:19:57.124875: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:19:57.124879: | "westnet-eastnet-ipv4-psk-ikev2" #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:19:57.124883: | stop processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:19:57.124888: | #1 spent 1.51 milliseconds in ikev2_process_packet() Sep 21 07:19:57.124892: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Sep 21 07:19:57.124895: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:19:57.124897: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:19:57.124901: | spent 
1.53 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:19:57.125889: | crypto helper 3 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.001035 seconds Sep 21 07:19:57.125901: | (#1) spent 1.04 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Sep 21 07:19:57.125904: | crypto helper 3 sending results from work-order 1 for state #1 to event queue Sep 21 07:19:57.125907: | scheduling resume sending helper answer for #1 Sep 21 07:19:57.125910: | libevent_malloc: new ptr-libevent@0x7fac78006900 size 128 Sep 21 07:19:57.125918: | crypto helper 3 waiting (nothing to do) Sep 21 07:19:57.125926: | processing resume sending helper answer for #1 Sep 21 07:19:57.125934: | start processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in resume_handler() at server.c:797) Sep 21 07:19:57.125938: | crypto helper 3 replies to request ID 1 Sep 21 07:19:57.125941: | calling continuation function 0x55d551667630 Sep 21 07:19:57.125944: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Sep 21 07:19:57.125974: | **emit ISAKMP Message: Sep 21 07:19:57.125977: | initiator cookie: Sep 21 07:19:57.125979: | 2f 05 32 33 35 70 31 00 Sep 21 07:19:57.125981: | responder cookie: Sep 21 07:19:57.125984: | 67 17 1f 52 6b e0 55 6c Sep 21 07:19:57.125986: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:19:57.125989: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:19:57.125991: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:19:57.125994: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:19:57.125996: | Message ID: 0 (0x0) Sep 21 07:19:57.125999: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:19:57.126002: | Emitting ikev2_proposal ... 
Sep 21 07:19:57.126004: | ***emit IKEv2 Security Association Payload: Sep 21 07:19:57.126007: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:19:57.126009: | flags: none (0x0) Sep 21 07:19:57.126012: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:19:57.126015: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:19:57.126018: | ****emit IKEv2 Proposal Substructure Payload: Sep 21 07:19:57.126020: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:19:57.126023: | prop #: 1 (0x1) Sep 21 07:19:57.126025: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:19:57.126027: | spi size: 0 (0x0) Sep 21 07:19:57.126030: | # transforms: 3 (0x3) Sep 21 07:19:57.126032: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:19:57.126035: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:19:57.126038: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.126040: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:19:57.126042: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:19:57.126045: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:19:57.126048: | ******emit IKEv2 Attribute Substructure Payload: Sep 21 07:19:57.126050: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:19:57.126053: | length/value: 256 (0x100) Sep 21 07:19:57.126055: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:19:57.126058: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:19:57.126060: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.126062: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:19:57.126065: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:19:57.126068: | last 
substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.126071: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:19:57.126073: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:19:57.126077: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:19:57.126080: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:19:57.126082: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:19:57.126085: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:19:57.126088: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.126090: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:19:57.126093: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:19:57.126095: | emitting length of IKEv2 Proposal Substructure Payload: 36 Sep 21 07:19:57.126098: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:19:57.126101: | emitting length of IKEv2 Security Association Payload: 40 Sep 21 07:19:57.126104: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:19:57.126107: | ***emit IKEv2 Key Exchange Payload: Sep 21 07:19:57.126109: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:19:57.126111: | flags: none (0x0) Sep 21 07:19:57.126114: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:19:57.126117: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 
07:19:57.126119: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:19:57.126123: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Sep 21 07:19:57.126185: | emitting length of IKEv2 Key Exchange Payload: 264 Sep 21 07:19:57.126187: | ***emit IKEv2 Nonce Payload: Sep 21 07:19:57.126190: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:19:57.126192: | flags: none (0x0) Sep 21 07:19:57.126195: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Sep 21 07:19:57.126198: | next payload chain: setting previous
'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:19:57.126201: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:19:57.126203: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:19:57.126206: | IKEv2 nonce fc 00 86 2e 2a 51 81 1b d9 03 7b 95 9c a3 12 3a Sep 21 07:19:57.126210: | IKEv2 nonce 5b 06 7a 08 5a 5a 1e 6a 92 95 c4 d7 e3 cc 58 33 Sep 21 07:19:57.126212: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:19:57.126214: | Adding a v2N Payload Sep 21 07:19:57.126217: | ***emit IKEv2 Notify Payload: Sep 21 07:19:57.126219: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:19:57.126222: | flags: none (0x0) Sep 21 07:19:57.126224: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:19:57.126227: | SPI size: 0 (0x0) Sep 21 07:19:57.126229: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:19:57.126232: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:19:57.126235: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:19:57.126237: | emitting length of IKEv2 Notify Payload: 8 Sep 21 07:19:57.126240: | NAT-Traversal support [enabled] add v2N payloads. 
Sep 21 07:19:57.126250: | natd_hash: hasher=0x55d55173d7a0(20) Sep 21 07:19:57.126252: | natd_hash: icookie= 2f 05 32 33 35 70 31 00 Sep 21 07:19:57.126255: | natd_hash: rcookie= 67 17 1f 52 6b e0 55 6c Sep 21 07:19:57.126257: | natd_hash: ip= c0 01 02 17 Sep 21 07:19:57.126259: | natd_hash: port= 01 f4 Sep 21 07:19:57.126262: | natd_hash: hash= 72 c1 a0 3a 81 f3 47 d5 dd 5e 54 ed ba 7c 93 65 Sep 21 07:19:57.126264: | natd_hash: hash= ac 4a c4 5d Sep 21 07:19:57.126266: | Adding a v2N Payload Sep 21 07:19:57.126268: | ***emit IKEv2 Notify Payload: Sep 21 07:19:57.126270: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:19:57.126273: | flags: none (0x0) Sep 21 07:19:57.126275: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:19:57.126277: | SPI size: 0 (0x0) Sep 21 07:19:57.126280: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:19:57.126283: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:19:57.126285: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:19:57.126288: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:19:57.126291: | Notify data 72 c1 a0 3a 81 f3 47 d5 dd 5e 54 ed ba 7c 93 65 Sep 21 07:19:57.126293: | Notify data ac 4a c4 5d Sep 21 07:19:57.126295: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:19:57.126301: | natd_hash: hasher=0x55d55173d7a0(20) Sep 21 07:19:57.126303: | natd_hash: icookie= 2f 05 32 33 35 70 31 00 Sep 21 07:19:57.126306: | natd_hash: rcookie= 67 17 1f 52 6b e0 55 6c Sep 21 07:19:57.126308: | natd_hash: ip= c0 01 02 2d Sep 21 07:19:57.126310: | natd_hash: port= 01 f4 Sep 21 07:19:57.126312: | natd_hash: hash= 1b 84 c8 87 36 5b c3 f4 6d e1 aa f8 bf 4d 6d 28 Sep 21 07:19:57.126315: | natd_hash: hash= 33 72 77 d6 Sep 21 07:19:57.126317: | Adding a v2N Payload Sep 21 07:19:57.126319: | ***emit IKEv2 Notify Payload: Sep 21 
07:19:57.126321: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:19:57.126323: | flags: none (0x0) Sep 21 07:19:57.126326: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:19:57.126328: | SPI size: 0 (0x0) Sep 21 07:19:57.126330: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:19:57.126333: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:19:57.126336: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:19:57.126339: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:19:57.126341: | Notify data 1b 84 c8 87 36 5b c3 f4 6d e1 aa f8 bf 4d 6d 28 Sep 21 07:19:57.126343: | Notify data 33 72 77 d6 Sep 21 07:19:57.126345: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:19:57.126348: | emitting length of ISAKMP Message: 432 Sep 21 07:19:57.126354: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:19:57.126359: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Sep 21 07:19:57.126362: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Sep 21 07:19:57.126365: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Sep 21 07:19:57.126368: | Message ID: updating counters for #1 to 0 after switching state Sep 21 07:19:57.126373: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Sep 21 07:19:57.126377: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Sep 21 07:19:57.126382: "westnet-eastnet-ipv4-psk-ikev2" #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a 
prf=HMAC_SHA2_512 group=MODP2048} Sep 21 07:19:57.126386: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Sep 21 07:19:57.126395: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
Sep 21 07:19:57.126490: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:19:57.126494: | libevent_free: release ptr-libevent@0x55d552dfc310 Sep 21 07:19:57.126497: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55d552dfa0d0 Sep 21 07:19:57.126500: | event_schedule: new EVENT_SO_DISCARD-pe@0x55d552dfa0d0 Sep 21 07:19:57.126503: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Sep 21 07:19:57.126506: | libevent_malloc: new ptr-libevent@0x55d552dfc310 size 128 Sep 21 07:19:57.126510: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Sep 21 07:19:57.126515: | #1 spent 0.544 milliseconds in resume sending helper answer Sep 21 07:19:57.126520: | stop processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in resume_handler() at server.c:833) Sep 21 07:19:57.126525: | libevent_free: release ptr-libevent@0x7fac78006900 Sep 21 07:19:57.129647: | spent 0.00222 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:19:57.129665: | *received 365 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
Sep 21 07:19:57.129721: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Sep 21 07:19:57.129724: | **parse ISAKMP Message: Sep 21 07:19:57.129727: | initiator cookie: Sep 21 07:19:57.129729: | 2f 05 32 33 35 70 31 00 Sep 21 07:19:57.129731: | responder cookie: Sep 21 07:19:57.129733: | 67 17 1f 52 6b e0 55 6c Sep 21 07:19:57.129735: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:19:57.129738: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:19:57.129754: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:19:57.129757: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:19:57.129759: | Message ID: 1 (0x1) Sep 21 07:19:57.129761: | length: 365 (0x16d) Sep 21 07:19:57.129764: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Sep 21 07:19:57.129767: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Sep 21
07:19:57.129770: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Sep 21 07:19:57.129776: | start processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:19:57.129809: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:19:57.129814: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:19:57.129817: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Sep 21 07:19:57.129821: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Sep 21 07:19:57.129823: | unpacking clear payload Sep 21 07:19:57.129826: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:19:57.129828: | ***parse IKEv2 Encryption Payload: Sep 21 07:19:57.129831: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Sep 21 07:19:57.129837: | flags: none (0x0) Sep 21 07:19:57.129840: | length: 337 (0x151) Sep 21 07:19:57.129842: | processing payload: ISAKMP_NEXT_v2SK (len=333) Sep 21 07:19:57.129846: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Sep 21 07:19:57.129849: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:19:57.129851: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:19:57.129854: | Now let's proceed with state specific processing Sep 21 07:19:57.129856: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:19:57.129859: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Sep 21 07:19:57.129863: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Sep 21 07:19:57.129866: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Sep 21 07:19:57.129868: | state #1 requesting EVENT_SO_DISCARD 
to be deleted Sep 21 07:19:57.129871: | libevent_free: release ptr-libevent@0x55d552dfc310 Sep 21 07:19:57.129874: | free_event_entry: release EVENT_SO_DISCARD-pe@0x55d552dfa0d0 Sep 21 07:19:57.129877: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55d552dfa0d0 Sep 21 07:19:57.129880: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:19:57.129883: | libevent_malloc: new ptr-libevent@0x55d552dfc310 size 128 Sep 21 07:19:57.129892: | #1 spent 0.0306 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Sep 21 07:19:57.129897: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:19:57.129900: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Sep 21 07:19:57.129902: | suspending state #1 and saving MD Sep 21 07:19:57.129904: | #1 is busy; has a suspended MD Sep 21 07:19:57.129908: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:19:57.129911: | "westnet-eastnet-ipv4-psk-ikev2" #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:19:57.129916: | stop processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:19:57.129920: | #1 spent 0.226 milliseconds in ikev2_process_packet() Sep 21 07:19:57.129923: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Sep 21 07:19:57.129926: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:19:57.129929: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:19:57.129932: | spent 0.239 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:19:57.129942: | crypto helper 0 resuming Sep 21 
07:19:57.129947: | crypto helper 0 starting work-order 2 for state #1 Sep 21 07:19:57.129950: | crypto helper 0 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Sep 21 07:19:57.131038: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Sep 21 07:19:57.131439: | crypto helper 0 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001488 seconds Sep 21 07:19:57.131446: | (#1) spent 1.36 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Sep 21 07:19:57.131449: | crypto helper 0 sending results from work-order 2 for state #1 to event queue Sep 21 07:19:57.131452: | scheduling resume sending helper answer for #1 Sep 21 07:19:57.131455: | libevent_malloc: new ptr-libevent@0x7fac70006b90 size 128 Sep 21 07:19:57.131462: | crypto helper 0 waiting (nothing to do) Sep 21 07:19:57.131504: | processing resume sending helper answer for #1 Sep 21 07:19:57.131510: | start processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in resume_handler() at server.c:797) Sep 21 07:19:57.131516: | crypto helper 0 replies to request ID 2 Sep 21 07:19:57.131518: | calling continuation function 0x55d551667630 Sep 21 07:19:57.131521: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Sep 21 07:19:57.131524: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:19:57.131534: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Sep 21 07:19:57.131537: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Sep 21 07:19:57.131539: | **parse IKEv2 Identification - Initiator - Payload: Sep 21 07:19:57.131542: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Sep 21 07:19:57.131544: | flags: none (0x0) Sep 21 07:19:57.131547: | length: 12 (0xc) Sep 21 07:19:57.131549: | ID type: ID_FQDN (0x2) Sep 21 07:19:57.131551: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Sep 21 07:19:57.131554: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Sep 21 07:19:57.131556: | 
**parse IKEv2 Identification - Responder - Payload: Sep 21 07:19:57.131558: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Sep 21 07:19:57.131561: | flags: none (0x0) Sep 21 07:19:57.131563: | length: 12 (0xc) Sep 21 07:19:57.131565: | ID type: ID_FQDN (0x2) Sep 21 07:19:57.131567: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Sep 21 07:19:57.131569: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Sep 21 07:19:57.131572: | **parse IKEv2 Authentication Payload: Sep 21 07:19:57.131574: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:19:57.131576: | flags: none (0x0) Sep 21 07:19:57.131578: | length: 72 (0x48) Sep 21 07:19:57.131581: | auth method: IKEv2_AUTH_SHARED (0x2) Sep 21 07:19:57.131583: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Sep 21 07:19:57.131586: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:19:57.131588: | **parse IKEv2 Security Association Payload: Sep 21 07:19:57.131590: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Sep 21 07:19:57.131592: | flags: none (0x0) Sep 21 07:19:57.131594: | length: 164 (0xa4) Sep 21 07:19:57.131597: | processing payload: ISAKMP_NEXT_v2SA (len=160) Sep 21 07:19:57.131599: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:19:57.131601: | **parse IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:19:57.131604: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:19:57.131606: | flags: none (0x0) Sep 21 07:19:57.131608: | length: 24 (0x18) Sep 21 07:19:57.131610: | number of TS: 1 (0x1) Sep 21 07:19:57.131612: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:19:57.131614: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:19:57.131616: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:19:57.131619: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:19:57.131621: | flags: none (0x0) Sep 21 07:19:57.131623: | length: 24 (0x18) Sep 21 07:19:57.131625: | number of TS: 1 (0x1) Sep 21 07:19:57.131627: | processing payload: 
ISAKMP_NEXT_v2TSr (len=16) Sep 21 07:19:57.131629: | selected state microcode Responder: process IKE_AUTH request Sep 21 07:19:57.131632: | Now let's proceed with state specific processing Sep 21 07:19:57.131634: | calling processor Responder: process IKE_AUTH request Sep 21 07:19:57.131639: "westnet-eastnet-ipv4-psk-ikev2" #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Sep 21 07:19:57.131644: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:19:57.131648: | received IDr payload - extracting our alleged ID Sep 21 07:19:57.131651: | refine_host_connection for IKEv2: starting with "westnet-eastnet-ipv4-psk-ikev2" Sep 21 07:19:57.131654: | match_id a=@west Sep 21 07:19:57.131656: | b=@west Sep 21 07:19:57.131659: | results matched Sep 21 07:19:57.131662: | refine_host_connection: checking "westnet-eastnet-ipv4-psk-ikev2" against "westnet-eastnet-ipv4-psk-ikev2", best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Sep 21 07:19:57.131665: | Warning: not switching back to template of current instance Sep 21 07:19:57.131671: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Sep 21 07:19:57.131674: | This connection's local id is @east (ID_FQDN) Sep 21 07:19:57.131677: | refine_host_connection: checked westnet-eastnet-ipv4-psk-ikev2 against westnet-eastnet-ipv4-psk-ikev2, now for see if best Sep 21 07:19:57.131680: | started looking for secret for @east->@west of kind PKK_PSK Sep 21 07:19:57.131683: | actually looking for secret for @east->@west of kind PKK_PSK Sep 21 07:19:57.131686: | line 1: key type PKK_PSK(@east) to type PKK_PSK Sep 21 07:19:57.131689: | 1: compared key @west to @east / @west -> 004 Sep 21 07:19:57.131692: | 2: compared key @east to @east / @west -> 014 Sep 21 07:19:57.131695: | line 1: match=014 Sep 21 07:19:57.131697: | match 014 beats previous best_match 000 match=0x55d552dec100 (line=1) Sep 21 07:19:57.131700: | 
concluding with best_match=014 best=0x55d552dec100 (lineno=1) Sep 21 07:19:57.131702: | returning because exact peer id match Sep 21 07:19:57.131705: | offered CA: '%none' Sep 21 07:19:57.131707: "westnet-eastnet-ipv4-psk-ikev2" #1: IKEv2 mode peer ID is ID_FQDN: '@west' Sep 21 07:19:57.131724: | verifying AUTH payload Sep 21 07:19:57.131728: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret Sep 21 07:19:57.131731: | started looking for secret for @east->@west of kind PKK_PSK Sep 21 07:19:57.131733: | actually looking for secret for @east->@west of kind PKK_PSK Sep 21 07:19:57.131736: | line 1: key type PKK_PSK(@east) to type PKK_PSK Sep 21 07:19:57.131739: | 1: compared key @west to @east / @west -> 004 Sep 21 07:19:57.131742: | 2: compared key @east to @east / @west -> 014 Sep 21 07:19:57.131744: | line 1: match=014 Sep 21 07:19:57.131746: | match 014 beats previous best_match 000 match=0x55d552dec100 (line=1) Sep 21 07:19:57.131748: | concluding with best_match=014 best=0x55d552dec100 (lineno=1) Sep 21 07:19:57.131807: "westnet-eastnet-ipv4-psk-ikev2" #1: Authenticated using authby=secret Sep 21 07:19:57.131814: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Sep 21 07:19:57.131818: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:19:57.131821: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:19:57.131824: | libevent_free: release ptr-libevent@0x55d552dfc310 Sep 21 07:19:57.131826: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55d552dfa0d0 Sep 21 07:19:57.131829: | event_schedule: new EVENT_SA_REKEY-pe@0x55d552dfa0d0 Sep 21 07:19:57.131832: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Sep 21 07:19:57.131834: | libevent_malloc: new ptr-libevent@0x55d552dfc310 size 128 Sep 21 07:19:57.132097: | pstats #1 ikev2.ike established Sep 21 07:19:57.132105: | **emit ISAKMP Message: Sep 21 
07:19:57.132108: | initiator cookie: Sep 21 07:19:57.132110: | 2f 05 32 33 35 70 31 00 Sep 21 07:19:57.132112: | responder cookie: Sep 21 07:19:57.132115: | 67 17 1f 52 6b e0 55 6c Sep 21 07:19:57.132117: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:19:57.132120: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:19:57.132122: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:19:57.132125: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:19:57.132127: | Message ID: 1 (0x1) Sep 21 07:19:57.132130: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:19:57.132133: | IKEv2 CERT: send a certificate? Sep 21 07:19:57.132136: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Sep 21 07:19:57.132138: | ***emit IKEv2 Encryption Payload: Sep 21 07:19:57.132141: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:19:57.132143: | flags: none (0x0) Sep 21 07:19:57.132146: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:19:57.132149: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:19:57.132154: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:19:57.132161: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:19:57.132174: | ****emit IKEv2 Identification - Responder - Payload: Sep 21 07:19:57.132177: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:19:57.132180: | flags: none (0x0) Sep 21 07:19:57.132182: | ID type: ID_FQDN (0x2) Sep 21 07:19:57.132185: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Sep 21 07:19:57.132188: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:19:57.132191: 
| emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Sep 21 07:19:57.132193: | my identity 65 61 73 74 Sep 21 07:19:57.132196: | emitting length of IKEv2 Identification - Responder - Payload: 12 Sep 21 07:19:57.132204: | assembled IDr payload Sep 21 07:19:57.132206: | CHILD SA proposals received Sep 21 07:19:57.132208: | going to assemble AUTH payload Sep 21 07:19:57.132211: | ****emit IKEv2 Authentication Payload: Sep 21 07:19:57.132213: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:19:57.132215: | flags: none (0x0) Sep 21 07:19:57.132218: | auth method: IKEv2_AUTH_SHARED (0x2) Sep 21 07:19:57.132220: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Sep 21 07:19:57.132223: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Sep 21 07:19:57.132226: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Sep 21 07:19:57.132229: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Sep 21 07:19:57.132232: | started looking for secret for @east->@west of kind PKK_PSK Sep 21 07:19:57.132235: | actually looking for secret for @east->@west of kind PKK_PSK Sep 21 07:19:57.132238: | line 1: key type PKK_PSK(@east) to type PKK_PSK Sep 21 07:19:57.132242: | 1: compared key @west to @east / @west -> 004 Sep 21 07:19:57.132245: | 2: compared key @east to @east / @west -> 014 Sep 21 07:19:57.132247: | line 1: match=014 Sep 21 07:19:57.132250: | match 014 beats previous best_match 000 match=0x55d552dec100 (line=1) Sep 21 07:19:57.132253: | concluding with best_match=014 best=0x55d552dec100 (lineno=1) Sep 21 07:19:57.132308: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Sep 21 07:19:57.132311: | PSK auth 9e bb 9f 60 5d 07 8c fd e9 37 95 77 b3 24 
e1 b6 Sep 21 07:19:57.132314: | PSK auth 46 f8 97 6d 54 97 35 bb ee f4 58 df 10 9b fc 5b Sep 21 07:19:57.132316: | PSK auth a1 c4 d9 e9 d4 09 b0 9f 98 65 22 b2 7c 31 14 d5 Sep 21 07:19:57.132318: | PSK auth a4 4f b9 8d af 29 09 ff ce bc fc 05 f7 fe fc 3d Sep 21 07:19:57.132320: | emitting length of IKEv2 Authentication Payload: 72 Sep 21 07:19:57.132327: | creating state object #2 at 0x55d552dfd6a0 Sep 21 07:19:57.132330: | State DB: adding IKEv2 state #2 in UNDEFINED Sep 21 07:19:57.132334: | pstats #2 ikev2.child started Sep 21 07:19:57.132337: | duplicating state object #1 "westnet-eastnet-ipv4-psk-ikev2" as #2 for IPSEC SA Sep 21 07:19:57.132342: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:19:57.132347: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:19:57.132352: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Sep 21 07:19:57.132356: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Sep 21 07:19:57.132360: | Child SA TS Request has ike->sa == md->st; so using parent connection Sep 21 07:19:57.132363: | TSi: parsing 1 traffic selectors Sep 21 07:19:57.132365: | ***parse IKEv2 Traffic Selector: Sep 21 07:19:57.132368: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:19:57.132370: | IP Protocol ID: 0 (0x0) Sep 21 07:19:57.132372: | length: 16 (0x10) Sep 21 07:19:57.132374: | start port: 0 (0x0) Sep 21 07:19:57.132377: | end port: 65535 (0xffff) Sep 21 07:19:57.132379: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:19:57.132381: | TS low c0 00 01 00 Sep 21 07:19:57.132384: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 
07:19:57.132386: | TS high c0 00 01 ff Sep 21 07:19:57.132388: | TSi: parsed 1 traffic selectors Sep 21 07:19:57.132390: | TSr: parsing 1 traffic selectors Sep 21 07:19:57.132393: | ***parse IKEv2 Traffic Selector: Sep 21 07:19:57.132395: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:19:57.132397: | IP Protocol ID: 0 (0x0) Sep 21 07:19:57.132399: | length: 16 (0x10) Sep 21 07:19:57.132401: | start port: 0 (0x0) Sep 21 07:19:57.132403: | end port: 65535 (0xffff) Sep 21 07:19:57.132406: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:19:57.132408: | TS low c0 00 02 00 Sep 21 07:19:57.132410: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:19:57.132412: | TS high c0 00 02 ff Sep 21 07:19:57.132414: | TSr: parsed 1 traffic selectors Sep 21 07:19:57.132416: | looking for best SPD in current connection Sep 21 07:19:57.132422: | evaluating our conn="westnet-eastnet-ipv4-psk-ikev2" I=192.0.1.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:19:57.132427: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:19:57.132433: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Sep 21 07:19:57.132436: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:19:57.132438: | TSi[0] port match: YES fitness 65536 Sep 21 07:19:57.132441: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:19:57.132444: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:19:57.132448: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:19:57.132453: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:19:57.132456: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:19:57.132458: | TSr[0] port match: YES fitness 65536 Sep 21 07:19:57.132460: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:19:57.132463: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 
Sep 21 07:19:57.132465: | best fit so far: TSi[0] TSr[0] Sep 21 07:19:57.132468: | found better spd route for TSi[0],TSr[0] Sep 21 07:19:57.132470: | looking for better host pair Sep 21 07:19:57.132474: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Sep 21 07:19:57.132479: | checking hostpair 192.0.2.0/24:0 -> 192.0.1.0/24:0 is found Sep 21 07:19:57.132481: | investigating connection "westnet-eastnet-ipv4-psk-ikev2" as a better match Sep 21 07:19:57.132484: | match_id a=@west Sep 21 07:19:57.132486: | b=@west Sep 21 07:19:57.132488: | results matched Sep 21 07:19:57.132493: | evaluating our conn="westnet-eastnet-ipv4-psk-ikev2" I=192.0.1.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:19:57.132497: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:19:57.132502: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Sep 21 07:19:57.132505: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:19:57.132507: | TSi[0] port match: YES fitness 65536 Sep 21 07:19:57.132510: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:19:57.132514: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:19:57.132518: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:19:57.132523: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:19:57.132526: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:19:57.132528: | TSr[0] port match: YES fitness 65536 Sep 21 07:19:57.132530: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:19:57.132533: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:19:57.132535: | best fit so far: TSi[0] TSr[0] Sep 21 07:19:57.132537: | did not find a better connection using host pair Sep 21 07:19:57.132540: | printing contents struct traffic_selector Sep 21 07:19:57.132542: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 
07:19:57.132544: | ipprotoid: 0 Sep 21 07:19:57.132546: | port range: 0-65535 Sep 21 07:19:57.132549: | ip range: 192.0.2.0-192.0.2.255 Sep 21 07:19:57.132552: | printing contents struct traffic_selector Sep 21 07:19:57.132554: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:19:57.132556: | ipprotoid: 0 Sep 21 07:19:57.132558: | port range: 0-65535 Sep 21 07:19:57.132561: | ip range: 192.0.1.0-192.0.1.255 Sep 21 07:19:57.132565: | constructing ESP/AH proposals with all DH removed for westnet-eastnet-ipv4-psk-ikev2 (IKE_AUTH responder matching remote ESP/AH proposals) Sep 21 07:19:57.132570: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Sep 21 07:19:57.132576: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Sep 21 07:19:57.132579: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Sep 21 07:19:57.132582: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED Sep 21 07:19:57.132585: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Sep 21 07:19:57.132589: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:19:57.132592: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Sep 21 07:19:57.132596: | ... 
ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:19:57.132603: "westnet-eastnet-ipv4-psk-ikev2": constructed local ESP/AH proposals for westnet-eastnet-ipv4-psk-ikev2 (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:19:57.132606: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals Sep 21 07:19:57.132609: | local proposal 1 type ENCR has 1 transforms Sep 21 07:19:57.132612: | local proposal 1 type PRF has 0 transforms Sep 21 07:19:57.132614: | local proposal 1 type INTEG has 1 transforms Sep 21 07:19:57.132617: | local proposal 1 type DH has 1 transforms Sep 21 07:19:57.132619: | local proposal 1 type ESN has 1 transforms Sep 21 07:19:57.132622: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Sep 21 07:19:57.132624: | local proposal 2 type ENCR has 1 transforms Sep 21 07:19:57.132626: | local proposal 2 type PRF has 0 transforms Sep 21 07:19:57.132628: | local proposal 2 type INTEG has 1 transforms Sep 21 07:19:57.132631: | local proposal 2 type DH has 1 transforms Sep 21 07:19:57.132633: | local proposal 2 type ESN has 1 transforms Sep 21 07:19:57.132636: | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH Sep 21 07:19:57.132638: | local proposal 3 type ENCR has 1 transforms Sep 21 07:19:57.132640: | local proposal 3 type PRF has 0 transforms Sep 21 07:19:57.132642: | local proposal 3 type INTEG has 2 transforms Sep 21 07:19:57.132644: | local proposal 3 type DH has 1 transforms Sep 21 07:19:57.132648: | local proposal 3 type ESN has 1 transforms Sep 21 07:19:57.132651: | local proposal 3 transforms: required: 
ENCR+INTEG+ESN; optional: DH Sep 21 07:19:57.132653: | local proposal 4 type ENCR has 1 transforms Sep 21 07:19:57.132655: | local proposal 4 type PRF has 0 transforms Sep 21 07:19:57.132657: | local proposal 4 type INTEG has 2 transforms Sep 21 07:19:57.132660: | local proposal 4 type DH has 1 transforms Sep 21 07:19:57.132662: | local proposal 4 type ESN has 1 transforms Sep 21 07:19:57.132664: | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH Sep 21 07:19:57.132667: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:19:57.132670: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:19:57.132672: | length: 32 (0x20) Sep 21 07:19:57.132674: | prop #: 1 (0x1) Sep 21 07:19:57.132676: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:19:57.132679: | spi size: 4 (0x4) Sep 21 07:19:57.132681: | # transforms: 2 (0x2) Sep 21 07:19:57.132684: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:19:57.132686: | remote SPI ef 97 7d e6 Sep 21 07:19:57.132689: | Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals Sep 21 07:19:57.132691: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.132694: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.132696: | length: 12 (0xc) Sep 21 07:19:57.132698: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:19:57.132700: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:19:57.132703: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:19:57.132705: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:19:57.132708: | length/value: 256 (0x100) Sep 21 07:19:57.132712: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:19:57.132714: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.132716: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:19:57.132719: | length: 8 (0x8) Sep 21 07:19:57.132721: | IKEv2 transform type: 
TRANS_TYPE_ESN (0x5) Sep 21 07:19:57.132723: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:19:57.132726: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:19:57.132729: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Sep 21 07:19:57.132732: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Sep 21 07:19:57.132735: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Sep 21 07:19:57.132738: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Sep 21 07:19:57.132742: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Sep 21 07:19:57.132744: | remote proposal 1 matches local proposal 1 Sep 21 07:19:57.132747: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:19:57.132749: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:19:57.132751: | length: 32 (0x20) Sep 21 07:19:57.132753: | prop #: 2 (0x2) Sep 21 07:19:57.132756: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:19:57.132758: | spi size: 4 (0x4) Sep 21 07:19:57.132760: | # transforms: 2 (0x2) Sep 21 07:19:57.132762: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:19:57.132764: | remote SPI ef 97 7d e6 Sep 21 07:19:57.132767: | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:19:57.132770: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.132772: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.132774: | length: 12 (0xc) Sep 21 07:19:57.132776: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:19:57.132780: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:19:57.132782: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:19:57.132794: | 
af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:19:57.132796: | length/value: 128 (0x80) Sep 21 07:19:57.132799: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.132801: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:19:57.132804: | length: 8 (0x8) Sep 21 07:19:57.132806: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:19:57.132808: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:19:57.132811: | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN Sep 21 07:19:57.132819: | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN Sep 21 07:19:57.132822: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:19:57.132824: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:19:57.132826: | length: 48 (0x30) Sep 21 07:19:57.132828: | prop #: 3 (0x3) Sep 21 07:19:57.132830: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:19:57.132832: | spi size: 4 (0x4) Sep 21 07:19:57.132834: | # transforms: 4 (0x4) Sep 21 07:19:57.132837: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:19:57.132839: | remote SPI ef 97 7d e6 Sep 21 07:19:57.132842: | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:19:57.132844: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.132846: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.132848: | length: 12 (0xc) Sep 21 07:19:57.132850: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:19:57.132853: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:19:57.132855: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:19:57.132857: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:19:57.132859: | length/value: 256 (0x100) Sep 21 07:19:57.132862: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.132864: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.132866: | length: 8 (0x8) Sep 21 07:19:57.132869: | IKEv2 
transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:19:57.132871: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:19:57.132873: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.132876: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.132878: | length: 8 (0x8) Sep 21 07:19:57.132880: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:19:57.132882: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:19:57.132885: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.132887: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:19:57.132889: | length: 8 (0x8) Sep 21 07:19:57.132892: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:19:57.132894: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:19:57.132897: | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Sep 21 07:19:57.132900: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN Sep 21 07:19:57.132902: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:19:57.132904: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:19:57.132906: | length: 48 (0x30) Sep 21 07:19:57.132908: | prop #: 4 (0x4) Sep 21 07:19:57.132910: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:19:57.132912: | spi size: 4 (0x4) Sep 21 07:19:57.132914: | # transforms: 4 (0x4) Sep 21 07:19:57.132917: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:19:57.132919: | remote SPI ef 97 7d e6 Sep 21 07:19:57.132922: | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:19:57.132924: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.132926: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.132928: | length: 12 (0xc) Sep 21 07:19:57.132932: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:19:57.132934: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:19:57.132936: | *****parse 
IKEv2 Attribute Substructure Payload: Sep 21 07:19:57.132939: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:19:57.132941: | length/value: 128 (0x80) Sep 21 07:19:57.132943: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.132946: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.132948: | length: 8 (0x8) Sep 21 07:19:57.132950: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:19:57.132952: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:19:57.132955: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.132957: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.132959: | length: 8 (0x8) Sep 21 07:19:57.132961: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:19:57.132963: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:19:57.132966: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:19:57.132968: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:19:57.132970: | length: 8 (0x8) Sep 21 07:19:57.132972: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:19:57.132974: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:19:57.132978: | remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Sep 21 07:19:57.132980: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN Sep 21 07:19:57.132985: "westnet-eastnet-ipv4-psk-ikev2" #1: proposal 1:ESP:SPI=ef977de6;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Sep 21 07:19:57.132989: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=ef977de6;ENCR=AES_GCM_C_256;ESN=DISABLED Sep 21 07:19:57.132991: | converting proposal to internal trans attrs Sep 21 
07:19:57.133009: | netlink_get_spi: allocated 0x15f96ee0 for esp.0@192.1.2.23 Sep 21 07:19:57.133011: | Emitting ikev2_proposal ... Sep 21 07:19:57.133014: | ****emit IKEv2 Security Association Payload: Sep 21 07:19:57.133016: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:19:57.133018: | flags: none (0x0) Sep 21 07:19:57.133022: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:19:57.133024: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:19:57.133027: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:19:57.133029: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:19:57.133031: | prop #: 1 (0x1) Sep 21 07:19:57.133033: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:19:57.133036: | spi size: 4 (0x4) Sep 21 07:19:57.133038: | # transforms: 2 (0x2) Sep 21 07:19:57.133040: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:19:57.133043: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:19:57.133045: | our spi 15 f9 6e e0 Sep 21 07:19:57.133048: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:19:57.133050: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.133052: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:19:57.133054: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:19:57.133057: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:19:57.133060: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:19:57.133062: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:19:57.133064: | length/value: 256 (0x100) Sep 21 07:19:57.133068: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 
07:19:57.133071: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:19:57.133073: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:19:57.133075: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:19:57.133077: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:19:57.133080: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:19:57.133083: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:19:57.133085: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:19:57.133088: | emitting length of IKEv2 Proposal Substructure Payload: 32 Sep 21 07:19:57.133090: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:19:57.133092: | emitting length of IKEv2 Security Association Payload: 36 Sep 21 07:19:57.133095: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:19:57.133098: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:19:57.133100: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:19:57.133102: | flags: none (0x0) Sep 21 07:19:57.133104: | number of TS: 1 (0x1) Sep 21 07:19:57.133107: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:19:57.133110: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:19:57.133112: | *****emit IKEv2 Traffic Selector: Sep 21 07:19:57.133114: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:19:57.133117: | IP Protocol ID: 0 (0x0) Sep 21 07:19:57.133119: | start port: 0 (0x0) Sep 21 07:19:57.133121: | end 
port: 65535 (0xffff) Sep 21 07:19:57.133124: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:19:57.133126: | IP start c0 00 01 00 Sep 21 07:19:57.133128: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:19:57.133130: | IP end c0 00 01 ff Sep 21 07:19:57.133132: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:19:57.133135: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:19:57.133137: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:19:57.133139: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:19:57.133141: | flags: none (0x0) Sep 21 07:19:57.133143: | number of TS: 1 (0x1) Sep 21 07:19:57.133146: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:19:57.133149: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:19:57.133151: | *****emit IKEv2 Traffic Selector: Sep 21 07:19:57.133153: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:19:57.133156: | IP Protocol ID: 0 (0x0) Sep 21 07:19:57.133158: | start port: 0 (0x0) Sep 21 07:19:57.133160: | end port: 65535 (0xffff) Sep 21 07:19:57.133162: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:19:57.133164: | IP start c0 00 02 00 Sep 21 07:19:57.133167: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:19:57.133169: | IP end c0 00 02 ff Sep 21 07:19:57.133171: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:19:57.133174: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:19:57.133176: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:19:57.133179: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Sep 21 07:19:57.133327: | 
FOR_EACH_CONNECTION_... in ISAKMP_SA_established Sep 21 07:19:57.133334: | #1 spent 1.51 milliseconds Sep 21 07:19:57.133337: | install_ipsec_sa() for #2: inbound and outbound Sep 21 07:19:57.133339: | could_route called for westnet-eastnet-ipv4-psk-ikev2 (kind=CK_PERMANENT) Sep 21 07:19:57.133342: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:19:57.133345: | conn westnet-eastnet-ipv4-psk-ikev2 mark 0/00000000, 0/00000000 vs Sep 21 07:19:57.133347: | conn westnet-eastnet-ipv4-psk-ikev2 mark 0/00000000, 0/00000000 Sep 21 07:19:57.133352: | route owner of "westnet-eastnet-ipv4-psk-ikev2" unrouted: NULL; eroute owner: NULL Sep 21 07:19:57.133355: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Sep 21 07:19:57.133359: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Sep 21 07:19:57.133362: | AES_GCM_16 requires 4 salt bytes Sep 21 07:19:57.133364: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Sep 21 07:19:57.133368: | setting IPsec SA replay-window to 32 Sep 21 07:19:57.133370: | NIC esp-hw-offload not for connection 'westnet-eastnet-ipv4-psk-ikev2' not available on interface eth1 Sep 21 07:19:57.133373: | netlink: enabling tunnel mode Sep 21 07:19:57.133376: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:19:57.133378: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:19:57.134301: | netlink response for Add SA esp.ef977de6@192.1.2.45 included non-error error Sep 21 07:19:57.134311: | set up outgoing SA, ref=0/0 Sep 21 07:19:57.134314: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Sep 21 07:19:57.134317: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Sep 21 07:19:57.134319: | AES_GCM_16 requires 4 salt bytes Sep 21 07:19:57.134322: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Sep 21 07:19:57.134325: | setting IPsec SA replay-window to 32 Sep 21 07:19:57.134328: | NIC esp-hw-offload 
not for connection 'westnet-eastnet-ipv4-psk-ikev2' not available on interface eth1 Sep 21 07:19:57.134331: | netlink: enabling tunnel mode Sep 21 07:19:57.134333: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:19:57.134336: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:19:57.135351: | netlink response for Add SA esp.15f96ee0@192.1.2.23 included non-error error Sep 21 07:19:57.135360: | priority calculation of connection "westnet-eastnet-ipv4-psk-ikev2" is 0xfe7e7 Sep 21 07:19:57.135368: | add inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Sep 21 07:19:57.135371: | IPsec Sa SPD priority set to 1042407 Sep 21 07:19:57.135657: | raw_eroute result=success Sep 21 07:19:57.135663: | set up incoming SA, ref=0/0 Sep 21 07:19:57.135666: | sr for #2: unrouted Sep 21 07:19:57.135669: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:19:57.135671: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:19:57.135675: | conn westnet-eastnet-ipv4-psk-ikev2 mark 0/00000000, 0/00000000 vs Sep 21 07:19:57.135677: | conn westnet-eastnet-ipv4-psk-ikev2 mark 0/00000000, 0/00000000 Sep 21 07:19:57.135681: | route owner of "westnet-eastnet-ipv4-psk-ikev2" unrouted: NULL; eroute owner: NULL Sep 21 07:19:57.135684: | route_and_eroute with c: westnet-eastnet-ipv4-psk-ikev2 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Sep 21 07:19:57.135688: | priority calculation of connection "westnet-eastnet-ipv4-psk-ikev2" is 0xfe7e7 Sep 21 07:19:57.135695: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45 (raw_eroute) Sep 21 07:19:57.135698: | IPsec Sa SPD priority set to 1042407 Sep 21 07:19:57.135831: | raw_eroute result=success Sep 21 07:19:57.135839: | running updown command "ipsec _updown" for verb up Sep 21 07:19:57.135842: | command executing up-client Sep 21 07:19:57.135869: | executing up-client: PLUTO_VERB='up-client' 
PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-ipv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_I Sep 21 07:19:57.135876: | popen cmd is 1046 chars long Sep 21 07:19:57.135879: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-ipv: Sep 21 07:19:57.135881: | cmd( 80):4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.: Sep 21 07:19:57.135884: | cmd( 160):2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='19: Sep 21 07:19:57.135886: | cmd( 240):2.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCO: Sep 21 07:19:57.135889: | cmd( 320):L='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_P: Sep 21 07:19:57.135891: | cmd( 400):EER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0: Sep 21 07:19:57.135894: | cmd( 480):' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL: Sep 21 07:19:57.135896: | cmd( 560):='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY=': Sep 21 07:19:57.135898: | 
cmd( 640):PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN: Sep 21 07:19:57.135901: | cmd( 720):_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_C: Sep 21 07:19:57.135903: | cmd( 800):ISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' P: Sep 21 07:19:57.135906: | cmd( 880):LUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VT: Sep 21 07:19:57.135908: | cmd( 960):I_ROUTING='no' VTI_SHARED='no' SPI_IN=0xef977de6 SPI_OUT=0x15f96ee0 ipsec _updow: Sep 21 07:19:57.135910: | cmd(1040):n 2>&1: Sep 21 07:19:57.158859: | route_and_eroute: firewall_notified: true Sep 21 07:19:57.158873: | running updown command "ipsec _updown" for verb prepare Sep 21 07:19:57.158877: | command executing prepare-client Sep 21 07:19:57.158907: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-ipv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED= Sep 21 07:19:57.158911: | popen cmd is 1051 chars long Sep 21 07:19:57.158914: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' 
PLUTO_CONNECTION='westnet-eastne: Sep 21 07:19:57.158916: | cmd( 80):t-ipv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='1: Sep 21 07:19:57.158921: | cmd( 160):92.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NE: Sep 21 07:19:57.158924: | cmd( 240):T='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PR: Sep 21 07:19:57.158927: | cmd( 320):OTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PL: Sep 21 07:19:57.158929: | cmd( 400):UTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.: Sep 21 07:19:57.158932: | cmd( 480):0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PRO: Sep 21 07:19:57.158934: | cmd( 560):TOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POL: Sep 21 07:19:57.158936: | cmd( 640):ICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO: Sep 21 07:19:57.158939: | cmd( 720):_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_P: Sep 21 07:19:57.158942: | cmd( 800):EER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER: Sep 21 07:19:57.158944: | cmd( 880):='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE=: Sep 21 07:19:57.158947: | cmd( 960):'' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xef977de6 SPI_OUT=0x15f96ee0 ipsec _: Sep 21 07:19:57.158949: | cmd(1040):updown 2>&1: Sep 21 07:19:57.185097: | running updown command "ipsec _updown" for verb route Sep 21 07:19:57.185116: | command executing route-client Sep 21 07:19:57.185146: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-ipv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' 
PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' Sep 21 07:19:57.185150: | popen cmd is 1049 chars long Sep 21 07:19:57.185153: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-: Sep 21 07:19:57.185155: | cmd( 80):ipv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192: Sep 21 07:19:57.185158: | cmd( 160):.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET=: Sep 21 07:19:57.185160: | cmd( 240):'192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROT: Sep 21 07:19:57.185163: | cmd( 320):OCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUT: Sep 21 07:19:57.185165: | cmd( 400):O_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.: Sep 21 07:19:57.185168: | cmd( 480):1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTO: Sep 21 07:19:57.185170: | cmd( 560):COL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLIC: Sep 21 07:19:57.185173: | cmd( 640):Y='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_C: Sep 21 07:19:57.185175: | cmd( 720):ONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEE: Sep 21 07:19:57.185178: | cmd( 800):R_CISCO='0' PLUTO_PEER_DNS_INFO='' 
PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER=': Sep 21 07:19:57.185180: | cmd( 880):' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='': Sep 21 07:19:57.185183: | cmd( 960): VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xef977de6 SPI_OUT=0x15f96ee0 ipsec _up: Sep 21 07:19:57.185189: | cmd(1040):down 2>&1: Sep 21 07:19:57.240819: | route_and_eroute: instance "westnet-eastnet-ipv4-psk-ikev2", setting eroute_owner {spd=0x55d552df7a90,sr=0x55d552df7a90} to #2 (was #0) (newest_ipsec_sa=#0) Sep 21 07:19:57.241146: | #1 spent 0.946 milliseconds in install_ipsec_sa() Sep 21 07:19:57.241155: | ISAKMP_v2_IKE_AUTH: instance westnet-eastnet-ipv4-psk-ikev2[0], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Sep 21 07:19:57.241158: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:19:57.241162: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:19:57.241166: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:19:57.241168: | emitting length of IKEv2 Encryption Payload: 197 Sep 21 07:19:57.241171: | emitting length of ISAKMP Message: 225 Sep 21 07:19:57.241190: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Sep 21 07:19:57.241196: | #1 spent 2.51 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Sep 21 07:19:57.241202: | suspend processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:19:57.241208: | start processing: state #2 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:19:57.241212: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Sep 21 07:19:57.241216: | IKEv2: transition from state STATE_PARENT_R1 to state 
STATE_V2_IPSEC_R Sep 21 07:19:57.241219: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Sep 21 07:19:57.241222: | Message ID: updating counters for #2 to 1 after switching state Sep 21 07:19:57.241228: | Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Sep 21 07:19:57.241233: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Sep 21 07:19:57.241235: | pstats #2 ikev2.child established Sep 21 07:19:57.241244: "westnet-eastnet-ipv4-psk-ikev2" #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Sep 21 07:19:57.241248: | NAT-T: encaps is 'auto' Sep 21 07:19:57.241252: "westnet-eastnet-ipv4-psk-ikev2" #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0xef977de6 <0x15f96ee0 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} Sep 21 07:19:57.241257: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Sep 21 07:19:57.241264: | sending 225 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
Sep 21 07:19:57.241346: | releasing whack for #2 (sock=fd@-1) Sep 21 07:19:57.241350: | releasing whack and unpending for parent #1 Sep 21 07:19:57.241352: | unpending state #1 connection "westnet-eastnet-ipv4-psk-ikev2" Sep 21 07:19:57.241356: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:19:57.241359: | event_schedule: new EVENT_SA_REKEY-pe@0x7fac78002b20 Sep 21 07:19:57.241363: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Sep 21 07:19:57.241366: | libevent_malloc: new ptr-libevent@0x55d552e01130 size 128 Sep 21 07:19:57.241372: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Sep 21 07:19:57.241377: | #1 spent 2.79 milliseconds in resume sending helper answer Sep 21 07:19:57.241382: | stop processing: state #2 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in resume_handler() at server.c:833) Sep 21 07:19:57.241386: | libevent_free: release ptr-libevent@0x7fac70006b90 Sep 21 07:19:57.241396: | processing signal PLUTO_SIGCHLD Sep 21 07:19:57.241401: | waitpid returned ECHILD (no child processes left) Sep 21 07:19:57.241405: | spent 0.00506 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:19:57.241408: | processing signal PLUTO_SIGCHLD Sep 21 07:19:57.241411: | waitpid returned ECHILD (no child processes left) Sep 21 07:19:57.241415: | spent 0.00329 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:19:57.241417: | processing signal PLUTO_SIGCHLD Sep 21 07:19:57.241420: | waitpid returned ECHILD (no child processes left) Sep 21 07:19:57.241424: | spent 0.00325 milliseconds in signal handler PLUTO_SIGCHLD [New LWP 17960]
[Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". Core was generated by `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf'. Program terminated with signal SIGABRT, Aborted. #0 0x00007fcf59e5be75 in raise () from /lib64/libc.so.6 #0 0x00007fcf59e5be75 in raise () from /lib64/libc.so.6 Backtrace stopped: Cannot access memory at address 0x7ffe4b805728 [New LWP 18204] [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". Core was generated by `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf'. Program terminated with signal SIGABRT, Aborted. #0 0x00007f83065c8e75 in raise () from /lib64/libc.so.6 #0 0x00007f83065c8e75 in raise () from /lib64/libc.so.6 Backtrace stopped: Cannot access memory at address 0x7fff44733d38