Sep 21 07:16:30.024059: FIPS Product: YES Sep 21 07:16:30.024095: FIPS Kernel: NO Sep 21 07:16:30.024098: FIPS Mode: NO Sep 21 07:16:30.024101: NSS DB directory: sql:/etc/ipsec.d Sep 21 07:16:30.024265: Initializing NSS Sep 21 07:16:30.024270: Opening NSS database "sql:/etc/ipsec.d" read-only Sep 21 07:16:30.072903: NSS initialized Sep 21 07:16:30.072920: NSS crypto library initialized Sep 21 07:16:30.072923: FIPS HMAC integrity support [enabled] Sep 21 07:16:30.072926: FIPS mode disabled for pluto daemon Sep 21 07:16:30.143987: FIPS HMAC integrity verification self-test FAILED Sep 21 07:16:30.144072: libcap-ng support [enabled] Sep 21 07:16:30.144079: Linux audit support [enabled] Sep 21 07:16:30.144098: Linux audit activated Sep 21 07:16:30.144104: Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:11718 Sep 21 07:16:30.144106: core dump dir: /tmp Sep 21 07:16:30.144107: secrets file: /etc/ipsec.secrets Sep 21 07:16:30.144109: leak-detective disabled Sep 21 07:16:30.144110: NSS crypto [enabled] Sep 21 07:16:30.144111: XAUTH PAM support [enabled] Sep 21 07:16:30.144168: | libevent is using pluto's memory allocator Sep 21 07:16:30.144173: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Sep 21 07:16:30.144183: | libevent_malloc: new ptr-libevent@0x559ca629a110 size 40 Sep 21 07:16:30.144188: | libevent_malloc: new ptr-libevent@0x559ca629b3c0 size 40 Sep 21 07:16:30.144190: | libevent_malloc: new ptr-libevent@0x559ca629b3f0 size 40 Sep 21 07:16:30.144191: | creating event base Sep 21 07:16:30.144193: | libevent_malloc: new ptr-libevent@0x559ca629b380 size 56 Sep 21 07:16:30.144195: | libevent_malloc: new ptr-libevent@0x559ca629b420 size 664 Sep 21 07:16:30.144203: | libevent_malloc: new 
ptr-libevent@0x559ca629b6c0 size 24 Sep 21 07:16:30.144206: | libevent_malloc: new ptr-libevent@0x559ca628d010 size 384 Sep 21 07:16:30.144213: | libevent_malloc: new ptr-libevent@0x559ca629b6e0 size 16 Sep 21 07:16:30.144214: | libevent_malloc: new ptr-libevent@0x559ca629b700 size 40 Sep 21 07:16:30.144216: | libevent_malloc: new ptr-libevent@0x559ca629b730 size 48 Sep 21 07:16:30.144221: | libevent_realloc: new ptr-libevent@0x559ca621d370 size 256 Sep 21 07:16:30.144222: | libevent_malloc: new ptr-libevent@0x559ca629b770 size 16 Sep 21 07:16:30.144226: | libevent_free: release ptr-libevent@0x559ca629b380 Sep 21 07:16:30.144229: | libevent initialized Sep 21 07:16:30.144231: | libevent_realloc: new ptr-libevent@0x559ca629b790 size 64 Sep 21 07:16:30.144235: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Sep 21 07:16:30.144246: | init_nat_traversal() initialized with keep_alive=0s Sep 21 07:16:30.144247: NAT-Traversal support [enabled] Sep 21 07:16:30.144249: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Sep 21 07:16:30.144253: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Sep 21 07:16:30.144255: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Sep 21 07:16:30.144282: | global one-shot timer EVENT_REVIVE_CONNS initialized Sep 21 07:16:30.144284: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Sep 21 07:16:30.144286: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Sep 21 07:16:30.144324: Encryption algorithms: Sep 21 07:16:30.144329: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c Sep 21 07:16:30.144331: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b Sep 21 07:16:30.144333: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a Sep 21 07:16:30.144335: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des Sep 21 07:16:30.144337: CAMELLIA_CTR IKEv1: ESP 
IKEv2: ESP {256,192,*128} Sep 21 07:16:30.144344: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia Sep 21 07:16:30.144347: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c Sep 21 07:16:30.144349: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b Sep 21 07:16:30.144351: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a Sep 21 07:16:30.144353: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr Sep 21 07:16:30.144355: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes Sep 21 07:16:30.144357: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent Sep 21 07:16:30.144359: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish Sep 21 07:16:30.144362: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh Sep 21 07:16:30.144364: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Sep 21 07:16:30.144365: NULL IKEv1: ESP IKEv2: ESP [] Sep 21 07:16:30.144367: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Sep 21 07:16:30.144375: Hash algorithms: Sep 21 07:16:30.144377: MD5 IKEv1: IKE IKEv2: Sep 21 07:16:30.144379: SHA1 IKEv1: IKE IKEv2: FIPS sha Sep 21 07:16:30.144381: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 Sep 21 07:16:30.144382: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 Sep 21 07:16:30.144384: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 Sep 21 07:16:30.144392: PRF algorithms: Sep 21 07:16:30.144394: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 Sep 21 07:16:30.144396: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 Sep 21 07:16:30.144398: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 Sep 21 07:16:30.144400: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 Sep 21 07:16:30.144402: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Sep 21 07:16:30.144403: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Sep 21 07:16:30.144418: Integrity algorithms: Sep 21 07:16:30.144420: HMAC_MD5_96 IKEv1: IKE ESP 
AH IKEv2: IKE ESP AH md5, hmac_md5 Sep 21 07:16:30.144423: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 Sep 21 07:16:30.144425: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Sep 21 07:16:30.144427: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Sep 21 07:16:30.144429: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Sep 21 07:16:30.144431: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Sep 21 07:16:30.144433: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 Sep 21 07:16:30.144435: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Sep 21 07:16:30.144437: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Sep 21 07:16:30.144445: DH algorithms: Sep 21 07:16:30.144446: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 Sep 21 07:16:30.144448: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 Sep 21 07:16:30.144450: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 Sep 21 07:16:30.144453: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 Sep 21 07:16:30.144455: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 Sep 21 07:16:30.144457: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 Sep 21 07:16:30.144458: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 Sep 21 07:16:30.144460: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 Sep 21 07:16:30.144462: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 Sep 21 07:16:30.144464: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 Sep 21 07:16:30.144465: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 Sep 21 07:16:30.144467: testing CAMELLIA_CBC: Sep 21 07:16:30.144469: Camellia: 16 bytes with 128-bit key Sep 21 07:16:30.144578: Camellia: 16 bytes with 128-bit key Sep 21 07:16:30.144611: Camellia: 16 bytes with 256-bit key Sep 21 07:16:30.144636: Camellia: 
16 bytes with 256-bit key Sep 21 07:16:30.144654: testing AES_GCM_16: Sep 21 07:16:30.144656: empty string Sep 21 07:16:30.144673: one block Sep 21 07:16:30.144689: two blocks Sep 21 07:16:30.144705: two blocks with associated data Sep 21 07:16:30.144721: testing AES_CTR: Sep 21 07:16:30.144723: Encrypting 16 octets using AES-CTR with 128-bit key Sep 21 07:16:30.144739: Encrypting 32 octets using AES-CTR with 128-bit key Sep 21 07:16:30.144755: Encrypting 36 octets using AES-CTR with 128-bit key Sep 21 07:16:30.144772: Encrypting 16 octets using AES-CTR with 192-bit key Sep 21 07:16:30.144805: Encrypting 32 octets using AES-CTR with 192-bit key Sep 21 07:16:30.144825: Encrypting 36 octets using AES-CTR with 192-bit key Sep 21 07:16:30.144842: Encrypting 16 octets using AES-CTR with 256-bit key Sep 21 07:16:30.144859: Encrypting 32 octets using AES-CTR with 256-bit key Sep 21 07:16:30.144875: Encrypting 36 octets using AES-CTR with 256-bit key Sep 21 07:16:30.144892: testing AES_CBC: Sep 21 07:16:30.144894: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Sep 21 07:16:30.144910: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Sep 21 07:16:30.144927: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Sep 21 07:16:30.144944: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Sep 21 07:16:30.144967: testing AES_XCBC: Sep 21 07:16:30.144969: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Sep 21 07:16:30.145049: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Sep 21 07:16:30.145128: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Sep 21 07:16:30.145202: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Sep 21 07:16:30.145309: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Sep 21 07:16:30.145452: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Sep 21 07:16:30.145584: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Sep 21 07:16:30.145856: RFC 4434 Test Case 
AES-XCBC-PRF-128 with 20-byte input (key length 16) Sep 21 07:16:30.145972: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Sep 21 07:16:30.146122: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Sep 21 07:16:30.146405: testing HMAC_MD5: Sep 21 07:16:30.146411: RFC 2104: MD5_HMAC test 1 Sep 21 07:16:30.146584: RFC 2104: MD5_HMAC test 2 Sep 21 07:16:30.146732: RFC 2104: MD5_HMAC test 3 Sep 21 07:16:30.146920: 8 CPU cores online Sep 21 07:16:30.146928: starting up 7 crypto helpers Sep 21 07:16:30.146963: started thread for crypto helper 0 Sep 21 07:16:30.146969: | starting up helper thread 0 Sep 21 07:16:30.146984: | status value returned by setting the priority of this thread (crypto helper 0) 22 Sep 21 07:16:30.146986: started thread for crypto helper 1 Sep 21 07:16:30.146989: | crypto helper 0 waiting (nothing to do) Sep 21 07:16:30.146994: | starting up helper thread 1 Sep 21 07:16:30.147013: started thread for crypto helper 2 Sep 21 07:16:30.147014: | status value returned by setting the priority of this thread (crypto helper 1) 22 Sep 21 07:16:30.147023: | crypto helper 1 waiting (nothing to do) Sep 21 07:16:30.147034: started thread for crypto helper 3 Sep 21 07:16:30.147036: | starting up helper thread 3 Sep 21 07:16:30.147047: | status value returned by setting the priority of this thread (crypto helper 3) 22 Sep 21 07:16:30.147049: | crypto helper 3 waiting (nothing to do) Sep 21 07:16:30.147065: started thread for crypto helper 4 Sep 21 07:16:30.147085: started thread for crypto helper 5 Sep 21 07:16:30.147104: started thread for crypto helper 6 Sep 21 07:16:30.147113: | checking IKEv1 state table Sep 21 07:16:30.147121: | MAIN_R0: category: half-open IKE SA flags: 0: Sep 21 07:16:30.147123: | -> MAIN_R1 EVENT_SO_DISCARD Sep 21 07:16:30.147128: | MAIN_I1: category: half-open IKE SA flags: 0: Sep 21 07:16:30.147132: | -> MAIN_I2 EVENT_RETRANSMIT Sep 21 07:16:30.147123: | starting up helper thread 2 Sep 21 
07:16:30.147137: | MAIN_R1: category: open IKE SA flags: 200: Sep 21 07:16:30.147149: | status value returned by setting the priority of this thread (crypto helper 2) 22 Sep 21 07:16:30.147156: | -> MAIN_R2 EVENT_RETRANSMIT Sep 21 07:16:30.147161: | crypto helper 2 waiting (nothing to do) Sep 21 07:16:30.147167: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:16:30.147178: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:16:30.147181: | MAIN_I2: category: open IKE SA flags: 0: Sep 21 07:16:30.147184: | -> MAIN_I3 EVENT_RETRANSMIT Sep 21 07:16:30.147189: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:16:30.147193: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:16:30.147196: | MAIN_R2: category: open IKE SA flags: 0: Sep 21 07:16:30.147198: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:16:30.147201: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:16:30.147203: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:16:30.147206: | MAIN_I3: category: open IKE SA flags: 0: Sep 21 07:16:30.147209: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:16:30.147212: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:16:30.147214: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:16:30.147217: | MAIN_R3: category: established IKE SA flags: 200: Sep 21 07:16:30.147220: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.147223: | MAIN_I4: category: established IKE SA flags: 0: Sep 21 07:16:30.147225: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.147228: | AGGR_R0: category: half-open IKE SA flags: 0: Sep 21 07:16:30.147231: | -> AGGR_R1 EVENT_SO_DISCARD Sep 21 07:16:30.147234: | AGGR_I1: category: half-open IKE SA flags: 0: Sep 21 07:16:30.147237: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:16:30.147240: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:16:30.147242: | AGGR_R1: category: open IKE SA flags: 200: Sep 21 07:16:30.147245: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:16:30.147248: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:16:30.147251: | AGGR_I2: category: established IKE SA flags: 200: Sep 21 07:16:30.147254: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.147257: | AGGR_R2: 
category: established IKE SA flags: 0: Sep 21 07:16:30.147259: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.147262: | QUICK_R0: category: established CHILD SA flags: 0: Sep 21 07:16:30.147265: | -> QUICK_R1 EVENT_RETRANSMIT Sep 21 07:16:30.147268: | QUICK_I1: category: established CHILD SA flags: 0: Sep 21 07:16:30.147271: | -> QUICK_I2 EVENT_SA_REPLACE Sep 21 07:16:30.147275: | QUICK_R1: category: established CHILD SA flags: 0: Sep 21 07:16:30.147280: | -> QUICK_R2 EVENT_SA_REPLACE Sep 21 07:16:30.147284: | QUICK_I2: category: established CHILD SA flags: 200: Sep 21 07:16:30.147287: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.147290: | QUICK_R2: category: established CHILD SA flags: 0: Sep 21 07:16:30.147292: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.147293: | starting up helper thread 4 Sep 21 07:16:30.147295: | INFO: category: informational flags: 0: Sep 21 07:16:30.147316: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.147320: | starting up helper thread 6 Sep 21 07:16:30.147305: | status value returned by setting the priority of this thread (crypto helper 4) 22 Sep 21 07:16:30.147309: | starting up helper thread 5 Sep 21 07:16:30.147322: | INFO_PROTECTED: category: informational flags: 0: Sep 21 07:16:30.147349: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.147353: | XAUTH_R0: category: established IKE SA flags: 0: Sep 21 07:16:30.147355: | -> XAUTH_R1 EVENT_NULL Sep 21 07:16:30.147358: | XAUTH_R1: category: established IKE SA flags: 0: Sep 21 07:16:30.147360: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:16:30.147363: | MODE_CFG_R0: category: informational flags: 0: Sep 21 07:16:30.147365: | -> MODE_CFG_R1 EVENT_SA_REPLACE Sep 21 07:16:30.147368: | MODE_CFG_R1: category: established IKE SA flags: 0: Sep 21 07:16:30.147370: | -> MODE_CFG_R2 EVENT_SA_REPLACE Sep 21 07:16:30.147373: | MODE_CFG_R2: category: established IKE SA flags: 0: Sep 21 07:16:30.147375: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.147378: | MODE_CFG_I1: category: established IKE SA flags: 0: Sep 21 
07:16:30.147381: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:16:30.147383: | XAUTH_I0: category: established IKE SA flags: 0: Sep 21 07:16:30.147386: | -> XAUTH_I1 EVENT_RETRANSMIT Sep 21 07:16:30.147388: | XAUTH_I1: category: established IKE SA flags: 0: Sep 21 07:16:30.147390: | -> MAIN_I4 EVENT_RETRANSMIT Sep 21 07:16:30.147396: | checking IKEv2 state table Sep 21 07:16:30.147402: | PARENT_I0: category: ignore flags: 0: Sep 21 07:16:30.147404: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Sep 21 07:16:30.147407: | PARENT_I1: category: half-open IKE SA flags: 0: Sep 21 07:16:30.147409: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Sep 21 07:16:30.147411: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Sep 21 07:16:30.147414: | PARENT_I2: category: open IKE SA flags: 0: Sep 21 07:16:30.147416: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Sep 21 07:16:30.147418: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Sep 21 07:16:30.147420: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Sep 21 07:16:30.147422: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Sep 21 07:16:30.147425: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Sep 21 07:16:30.147427: | PARENT_I3: category: established IKE SA flags: 0: Sep 21 07:16:30.147429: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) Sep 21 07:16:30.147431: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) Sep 21 07:16:30.147434: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Sep 21 07:16:30.147436: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) Sep 21 07:16:30.147438: | PARENT_R0: category: half-open IKE SA flags: 0: Sep 21 07:16:30.147441: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to 
IKE_SA_INIT) Sep 21 07:16:30.147443: | PARENT_R1: category: half-open IKE SA flags: 0: Sep 21 07:16:30.147445: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) Sep 21 07:16:30.147448: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Sep 21 07:16:30.147450: | PARENT_R2: category: established IKE SA flags: 0: Sep 21 07:16:30.147453: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Sep 21 07:16:30.147455: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) Sep 21 07:16:30.147457: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Sep 21 07:16:30.147460: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) Sep 21 07:16:30.147463: | V2_CREATE_I0: category: established IKE SA flags: 0: Sep 21 07:16:30.147468: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Sep 21 07:16:30.147471: | V2_CREATE_I: category: established IKE SA flags: 0: Sep 21 07:16:30.147474: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Sep 21 07:16:30.147477: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: Sep 21 07:16:30.147479: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Sep 21 07:16:30.147482: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Sep 21 07:16:30.147485: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Sep 21 07:16:30.147488: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Sep 21 07:16:30.147490: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Sep 21 07:16:30.147493: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Sep 21 07:16:30.147496: | V2_CREATE_R: category: established IKE SA flags: 0: Sep 21 07:16:30.147499: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Sep 21 07:16:30.147501: | 
V2_REKEY_IKE_R: category: established IKE SA flags: 0: Sep 21 07:16:30.147504: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Sep 21 07:16:30.147506: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Sep 21 07:16:30.147509: | V2_IPSEC_I: category: established CHILD SA flags: 0: Sep 21 07:16:30.147512: | V2_IPSEC_R: category: established CHILD SA flags: 0: Sep 21 07:16:30.147514: | IKESA_DEL: category: established IKE SA flags: 0: Sep 21 07:16:30.147517: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Sep 21 07:16:30.147520: | CHILDSA_DEL: category: informational flags: 0: Sep 21 07:16:30.147568: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ Sep 21 07:16:30.147633: | Hard-wiring algorithms Sep 21 07:16:30.147638: | adding AES_CCM_16 to kernel algorithm db Sep 21 07:16:30.147642: | adding AES_CCM_12 to kernel algorithm db Sep 21 07:16:30.147645: | adding AES_CCM_8 to kernel algorithm db Sep 21 07:16:30.147647: | adding 3DES_CBC to kernel algorithm db Sep 21 07:16:30.147650: | adding CAMELLIA_CBC to kernel algorithm db Sep 21 07:16:30.147652: | adding AES_GCM_16 to kernel algorithm db Sep 21 07:16:30.147654: | adding AES_GCM_12 to kernel algorithm db Sep 21 07:16:30.147657: | adding AES_GCM_8 to kernel algorithm db Sep 21 07:16:30.147659: | adding AES_CTR to kernel algorithm db Sep 21 07:16:30.147661: | adding AES_CBC to kernel algorithm db Sep 21 07:16:30.147664: | adding SERPENT_CBC to kernel algorithm db Sep 21 07:16:30.147666: | adding TWOFISH_CBC to kernel algorithm db Sep 21 07:16:30.147669: | adding NULL_AUTH_AES_GMAC to kernel algorithm db Sep 21 07:16:30.147672: | adding NULL to kernel algorithm db Sep 21 07:16:30.147674: | adding CHACHA20_POLY1305 to kernel algorithm db Sep 21 07:16:30.147677: | adding HMAC_MD5_96 to kernel algorithm db Sep 21 07:16:30.147680: | adding HMAC_SHA1_96 to kernel algorithm db Sep 21 07:16:30.147682: | adding HMAC_SHA2_512_256 to kernel algorithm db Sep 21 
07:16:30.147685: | adding HMAC_SHA2_384_192 to kernel algorithm db Sep 21 07:16:30.147687: | adding HMAC_SHA2_256_128 to kernel algorithm db Sep 21 07:16:30.147690: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Sep 21 07:16:30.147692: | adding AES_XCBC_96 to kernel algorithm db Sep 21 07:16:30.147694: | adding AES_CMAC_96 to kernel algorithm db Sep 21 07:16:30.147697: | adding NONE to kernel algorithm db Sep 21 07:16:30.147720: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Sep 21 07:16:30.147729: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Sep 21 07:16:30.147734: | setup kernel fd callback Sep 21 07:16:30.147738: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x559ca62a5b30 Sep 21 07:16:30.147744: | libevent_malloc: new ptr-libevent@0x559ca62ad000 size 128 Sep 21 07:16:30.147751: | libevent_malloc: new ptr-libevent@0x559ca62a0da0 size 16 Sep 21 07:16:30.147761: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x559ca62a03d0 Sep 21 07:16:30.147767: | libevent_malloc: new ptr-libevent@0x559ca62ad090 size 128 Sep 21 07:16:30.147771: | libevent_malloc: new ptr-libevent@0x559ca629b7e0 size 16 Sep 21 07:16:30.148022: | global one-shot timer EVENT_CHECK_CRLS initialized Sep 21 07:16:30.148034: selinux support is enabled. 
Sep 21 07:16:30.148099: systemd watchdog not enabled - not sending watchdog keepalives Sep 21 07:16:30.147331: | status value returned by setting the priority of this thread (crypto helper 6) 22 Sep 21 07:16:30.147337: | crypto helper 4 waiting (nothing to do) Sep 21 07:16:30.147344: | status value returned by setting the priority of this thread (crypto helper 5) 22 Sep 21 07:16:30.148155: | crypto helper 6 waiting (nothing to do) Sep 21 07:16:30.148166: | crypto helper 5 waiting (nothing to do) Sep 21 07:16:30.148241: | unbound context created - setting debug level to 5 Sep 21 07:16:30.148263: | /etc/hosts lookups activated Sep 21 07:16:30.148275: | /etc/resolv.conf usage activated Sep 21 07:16:30.148307: | outgoing-port-avoid set 0-65535 Sep 21 07:16:30.148324: | outgoing-port-permit set 32768-60999 Sep 21 07:16:30.148326: | Loading dnssec root key from:/var/lib/unbound/root.key Sep 21 07:16:30.148328: | No additional dnssec trust anchors defined via dnssec-trusted= option Sep 21 07:16:30.148330: | Setting up events, loop start Sep 21 07:16:30.148332: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x559ca62a0120 Sep 21 07:16:30.148334: | libevent_malloc: new ptr-libevent@0x559ca62b7600 size 128 Sep 21 07:16:30.148337: | libevent_malloc: new ptr-libevent@0x559ca62b7690 size 16 Sep 21 07:16:30.148342: | libevent_realloc: new ptr-libevent@0x559ca621b5b0 size 256 Sep 21 07:16:30.148344: | libevent_malloc: new ptr-libevent@0x559ca62b76b0 size 8 Sep 21 07:16:30.148346: | libevent_realloc: new ptr-libevent@0x559ca62ac300 size 144 Sep 21 07:16:30.148347: | libevent_malloc: new ptr-libevent@0x559ca62b76d0 size 152 Sep 21 07:16:30.148350: | libevent_malloc: new ptr-libevent@0x559ca62b7770 size 16 Sep 21 07:16:30.148353: | signal event handler PLUTO_SIGCHLD installed Sep 21 07:16:30.148354: | libevent_malloc: new ptr-libevent@0x559ca62b7790 size 8 Sep 21 07:16:30.148356: | libevent_malloc: new ptr-libevent@0x559ca62b77b0 size 152 Sep 21 07:16:30.148358: | signal event 
handler PLUTO_SIGTERM installed Sep 21 07:16:30.148359: | libevent_malloc: new ptr-libevent@0x559ca62b7850 size 8 Sep 21 07:16:30.148362: | libevent_malloc: new ptr-libevent@0x559ca62b7870 size 152 Sep 21 07:16:30.148365: | signal event handler PLUTO_SIGHUP installed Sep 21 07:16:30.148366: | libevent_malloc: new ptr-libevent@0x559ca62b7910 size 8 Sep 21 07:16:30.148368: | libevent_realloc: release ptr-libevent@0x559ca62ac300 Sep 21 07:16:30.148370: | libevent_realloc: new ptr-libevent@0x559ca62b7930 size 256 Sep 21 07:16:30.148371: | libevent_malloc: new ptr-libevent@0x559ca62ac300 size 152 Sep 21 07:16:30.148373: | signal event handler PLUTO_SIGSYS installed Sep 21 07:16:30.148609: | created addconn helper (pid:11853) using fork+execve Sep 21 07:16:30.148620: | forked child 11853 Sep 21 07:16:30.148650: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.148661: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:16:30.148667: listening for IKE messages Sep 21 07:16:30.162012: | Inspecting interface lo Sep 21 07:16:30.162030: | found lo with address 127.0.0.1 Sep 21 07:16:30.162034: | Inspecting interface eth0 Sep 21 07:16:30.162039: | found eth0 with address 192.0.2.254 Sep 21 07:16:30.162041: | Inspecting interface eth0 Sep 21 07:16:30.162045: | found eth0 with address 192.0.22.251 Sep 21 07:16:30.162048: | Inspecting interface eth0 Sep 21 07:16:30.162052: | found eth0 with address 192.0.22.254 Sep 21 07:16:30.162054: | Inspecting interface eth0 Sep 21 07:16:30.162058: | found eth0 with address 192.0.2.251 Sep 21 07:16:30.162066: | Inspecting interface eth1 Sep 21 07:16:30.162070: | found eth1 with address 192.1.2.23 Sep 21 07:16:30.162127: Kernel supports NIC esp-hw-offload Sep 21 07:16:30.162161: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Sep 21 07:16:30.162190: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 
07:16:30.162195: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:16:30.162199: adding interface eth1/eth1 192.1.2.23:4500 Sep 21 07:16:30.162229: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.251:500 Sep 21 07:16:30.162255: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:16:30.162259: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:16:30.162263: adding interface eth0/eth0 192.0.2.251:4500 Sep 21 07:16:30.162379: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.22.254:500 Sep 21 07:16:30.162408: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:16:30.162413: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:16:30.162416: adding interface eth0/eth0 192.0.22.254:4500 Sep 21 07:16:30.162445: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.22.251:500 Sep 21 07:16:30.162471: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:16:30.162475: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:16:30.162479: adding interface eth0/eth0 192.0.22.251:4500 Sep 21 07:16:30.162508: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Sep 21 07:16:30.162534: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:16:30.162538: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:16:30.162542: adding interface eth0/eth0 192.0.2.254:4500 Sep 21 07:16:30.162571: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Sep 21 07:16:30.162599: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:16:30.162603: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:16:30.162607: adding interface lo/lo 127.0.0.1:4500 Sep 21 07:16:30.162662: | no interfaces to sort Sep 21 07:16:30.162667: | 
FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations Sep 21 07:16:30.162680: | add_fd_read_event_handler: new ethX-pe@0x559ca62b8000 Sep 21 07:16:30.162684: | libevent_malloc: new ptr-libevent@0x559ca62b8040 size 128 Sep 21 07:16:30.162689: | libevent_malloc: new ptr-libevent@0x559ca62b80d0 size 16 Sep 21 07:16:30.162699: | setup callback for interface lo 127.0.0.1:4500 fd 28 Sep 21 07:16:30.162702: | add_fd_read_event_handler: new ethX-pe@0x559ca62b80f0 Sep 21 07:16:30.162705: | libevent_malloc: new ptr-libevent@0x559ca62b8130 size 128 Sep 21 07:16:30.162707: | libevent_malloc: new ptr-libevent@0x559ca62b81c0 size 16 Sep 21 07:16:30.162712: | setup callback for interface lo 127.0.0.1:500 fd 27 Sep 21 07:16:30.162715: | add_fd_read_event_handler: new ethX-pe@0x559ca62b81e0 Sep 21 07:16:30.162717: | libevent_malloc: new ptr-libevent@0x559ca62b8220 size 128 Sep 21 07:16:30.162720: | libevent_malloc: new ptr-libevent@0x559ca62b82b0 size 16 Sep 21 07:16:30.162725: | setup callback for interface eth0 192.0.2.254:4500 fd 26 Sep 21 07:16:30.162727: | add_fd_read_event_handler: new ethX-pe@0x559ca62b82d0 Sep 21 07:16:30.162730: | libevent_malloc: new ptr-libevent@0x559ca62b8310 size 128 Sep 21 07:16:30.162732: | libevent_malloc: new ptr-libevent@0x559ca62b83a0 size 16 Sep 21 07:16:30.162737: | setup callback for interface eth0 192.0.2.254:500 fd 25 Sep 21 07:16:30.162739: | add_fd_read_event_handler: new ethX-pe@0x559ca62b83c0 Sep 21 07:16:30.162742: | libevent_malloc: new ptr-libevent@0x559ca62b8ac0 size 128 Sep 21 07:16:30.162745: | libevent_malloc: new ptr-libevent@0x559ca62b8400 size 16 Sep 21 07:16:30.162749: | setup callback for interface eth0 192.0.22.251:4500 fd 24 Sep 21 07:16:30.162752: | add_fd_read_event_handler: new ethX-pe@0x559ca62b8b50 Sep 21 07:16:30.162759: | libevent_malloc: new ptr-libevent@0x559ca62b8b90 size 128 Sep 21 07:16:30.162762: | libevent_malloc: new ptr-libevent@0x559ca62b8420 size 16 Sep 21 07:16:30.162767: | setup callback for interface 
eth0 192.0.22.251:500 fd 23 Sep 21 07:16:30.162770: | add_fd_read_event_handler: new ethX-pe@0x559ca62b8c20 Sep 21 07:16:30.162772: | libevent_malloc: new ptr-libevent@0x559ca62b8c60 size 128 Sep 21 07:16:30.162775: | libevent_malloc: new ptr-libevent@0x559ca62b8cf0 size 16 Sep 21 07:16:30.162780: | setup callback for interface eth0 192.0.22.254:4500 fd 22 Sep 21 07:16:30.162782: | add_fd_read_event_handler: new ethX-pe@0x559ca62b8d10 Sep 21 07:16:30.162792: | libevent_malloc: new ptr-libevent@0x559ca62b8d50 size 128 Sep 21 07:16:30.162795: | libevent_malloc: new ptr-libevent@0x559ca62b8de0 size 16 Sep 21 07:16:30.162799: | setup callback for interface eth0 192.0.22.254:500 fd 21 Sep 21 07:16:30.162802: | add_fd_read_event_handler: new ethX-pe@0x559ca62b8e00 Sep 21 07:16:30.162805: | libevent_malloc: new ptr-libevent@0x559ca62b8e40 size 128 Sep 21 07:16:30.162807: | libevent_malloc: new ptr-libevent@0x559ca62b8ed0 size 16 Sep 21 07:16:30.162812: | setup callback for interface eth0 192.0.2.251:4500 fd 20 Sep 21 07:16:30.162815: | add_fd_read_event_handler: new ethX-pe@0x559ca62b8ef0 Sep 21 07:16:30.162817: | libevent_malloc: new ptr-libevent@0x559ca62b8f30 size 128 Sep 21 07:16:30.162820: | libevent_malloc: new ptr-libevent@0x559ca62b8fc0 size 16 Sep 21 07:16:30.162825: | setup callback for interface eth0 192.0.2.251:500 fd 19 Sep 21 07:16:30.162830: | add_fd_read_event_handler: new ethX-pe@0x559ca62b8fe0 Sep 21 07:16:30.162833: | libevent_malloc: new ptr-libevent@0x559ca62b9020 size 128 Sep 21 07:16:30.162835: | libevent_malloc: new ptr-libevent@0x559ca62b90b0 size 16 Sep 21 07:16:30.162840: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Sep 21 07:16:30.162843: | add_fd_read_event_handler: new ethX-pe@0x559ca62b90d0 Sep 21 07:16:30.162845: | libevent_malloc: new ptr-libevent@0x559ca62b9110 size 128 Sep 21 07:16:30.162848: | libevent_malloc: new ptr-libevent@0x559ca62b91a0 size 16 Sep 21 07:16:30.162853: | setup callback for interface eth1 192.1.2.23:500 
fd 17 Sep 21 07:16:30.162857: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:16:30.162859: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:16:30.162879: loading secrets from "/etc/ipsec.secrets" Sep 21 07:16:30.162897: | saving Modulus Sep 21 07:16:30.162900: | saving PublicExponent Sep 21 07:16:30.162904: | ignoring PrivateExponent Sep 21 07:16:30.162907: | ignoring Prime1 Sep 21 07:16:30.162910: | ignoring Prime2 Sep 21 07:16:30.162913: | ignoring Exponent1 Sep 21 07:16:30.162916: | ignoring Exponent2 Sep 21 07:16:30.162919: | ignoring Coefficient Sep 21 07:16:30.162922: | ignoring CKAIDNSS Sep 21 07:16:30.162962: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Sep 21 07:16:30.162965: | computed rsa CKAID 8a 82 25 f1 Sep 21 07:16:30.162969: loaded private key for keyid: PKK_RSA:AQO9bJbr3 Sep 21 07:16:30.162976: | certs and keys locked by 'process_secret' Sep 21 07:16:30.162980: | certs and keys unlocked by 'process_secret' Sep 21 07:16:30.162985: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:16:30.162995: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.163003: | spent 0.914 milliseconds in whack Sep 21 07:16:30.182041: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.182067: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:30.182072: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:16:30.182075: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:30.182078: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:16:30.182083: | FOR_EACH_CONNECTION_... 
in conn_by_name Sep 21 07:16:30.182092: | Added new connection north-eastnets/0x1 with policy ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:16:30.182104: | No AUTH policy was set - defaulting to RSASIG Sep 21 07:16:30.182136: | ike (phase1) algorithm values: AES_CBC_256-HMAC_SHA2_256-MODP2048 Sep 21 07:16:30.182141: | from whack: got --esp=aes128-sha2_512;modp3072 Sep 21 07:16:30.182162: | ESP/AH string values: AES_CBC_128-HMAC_SHA2_512_256-MODP3072 Sep 21 07:16:30.182168: | counting wild cards for @north is 0 Sep 21 07:16:30.182172: | counting wild cards for @east is 0 Sep 21 07:16:30.182183: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@(nil): none Sep 21 07:16:30.182187: | new hp@0x559ca62846f0 Sep 21 07:16:30.182192: added connection description "north-eastnets/0x1" Sep 21 07:16:30.182216: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:16:30.182229: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.3.33<192.1.3.33>[@north]===192.0.3.0/24 Sep 21 07:16:30.182237: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.182245: | spent 0.214 milliseconds in whack Sep 21 07:16:30.182278: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.182302: add keyid @north
Sep 21 07:16:30.182382: | computed rsa CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Sep 21 07:16:30.182386: | computed rsa CKAID 88 aa 7c 5d Sep 21 07:16:30.182393: | keyid: *AQPl33O2P
Sep 21 07:16:30.182452: | e 03 Sep 21 07:16:30.182455: | CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Sep 21 07:16:30.182458: | CKAID 88 aa 7c 5d Sep 21 07:16:30.182467: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.182472: | spent 0.199 milliseconds in whack Sep 21 07:16:30.182492: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.182501: add keyid @east
Sep 21 07:16:30.182570: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Sep 21 07:16:30.182573: | computed rsa CKAID 8a 82 25 f1 Sep 21 07:16:30.182578: | keyid: *AQO9bJbr3
Sep 21 07:16:30.182639: | e 03 Sep 21 07:16:30.182643: | CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Sep 21 07:16:30.182645: | CKAID 8a 82 25 f1 Sep 21 07:16:30.182654: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.182660: | spent 0.171 milliseconds in whack Sep 21 07:16:30.182679: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.182688: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:30.182692: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:16:30.182695: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:30.182698: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:16:30.182702: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:30.182708: | Added new connection north-eastnets/0x2 with policy ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:16:30.182712: | No AUTH policy was set - defaulting to RSASIG Sep 21 07:16:30.182734: | ike (phase1) algorithm values: AES_CBC_256-HMAC_SHA2_256-MODP2048 Sep 21 07:16:30.182737: | from whack: got --esp=aes128-sha2_512;modp3072 Sep 21 07:16:30.182758: | ESP/AH string values: AES_CBC_128-HMAC_SHA2_512_256-MODP3072 Sep 21 07:16:30.182763: | counting wild cards for @north is 0 Sep 21 07:16:30.182767: | counting wild cards for @east is 0 Sep 21 07:16:30.182776: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:16:30.182782: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@0x559ca62846f0: north-eastnets/0x1 Sep 21 07:16:30.182793: added connection description "north-eastnets/0x2" Sep 21 07:16:30.182804: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:16:30.182828: | 
192.0.22.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.3.33<192.1.3.33>[@north]===192.0.3.0/24 Sep 21 07:16:30.182847: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.182852: | spent 0.174 milliseconds in whack Sep 21 07:16:30.182879: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.182887: add keyid @north Sep 21 07:16:30.182905: | unreference key: 0x559ca62128f0 @north cnt 1--
Sep 21 07:16:30.182993: | computed rsa CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Sep 21 07:16:30.182999: | computed rsa CKAID 88 aa 7c 5d Sep 21 07:16:30.183003: | keyid: *AQPl33O2P
Sep 21 07:16:30.183055: | e 03 Sep 21 07:16:30.183058: | CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Sep 21 07:16:30.183061: | CKAID 88 aa 7c 5d Sep 21 07:16:30.183068: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.183073: | spent 0.198 milliseconds in whack Sep 21 07:16:30.183115: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.183123: add keyid @east Sep 21 07:16:30.183127: | unreference key: 0x559ca621b6c0 @east cnt 1--
Sep 21 07:16:30.183189: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Sep 21 07:16:30.183192: | computed rsa CKAID 8a 82 25 f1 Sep 21 07:16:30.183195: | keyid: *AQO9bJbr3
Sep 21 07:16:30.183252: | e 03 Sep 21 07:16:30.183255: | CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Sep 21 07:16:30.183257: | CKAID 8a 82 25 f1 Sep 21 07:16:30.183265: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.183269: | spent 0.158 milliseconds in whack Sep 21 07:16:30.183294: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.183303: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:16:30.183308: listening for IKE messages Sep 21 07:16:30.183358: | Inspecting interface lo Sep 21 07:16:30.183365: | found lo with address 127.0.0.1 Sep 21 07:16:30.183368: | Inspecting interface eth0 Sep 21 07:16:30.183372: | found eth0 with address 192.0.2.254 Sep 21 07:16:30.183375: | Inspecting interface eth0 Sep 21 07:16:30.183379: | found eth0 with address 192.0.22.251
Sep 21 07:16:30.183382: | Inspecting interface eth0 Sep 21 07:16:30.183386: | found eth0 with address 192.0.22.254 Sep 21 07:16:30.183388: | Inspecting interface eth0 Sep 21 07:16:30.183393: | found eth0 with address 192.0.2.251 Sep 21 07:16:30.183395: | Inspecting interface eth1 Sep 21 07:16:30.183399: | found eth1 with address 192.1.2.23 Sep 21 07:16:30.183457: | no interfaces to sort Sep 21 07:16:30.183466: | libevent_free: release ptr-libevent@0x559ca62b8040 Sep 21 07:16:30.183470: | free_event_entry: release EVENT_NULL-pe@0x559ca62b8000 Sep 21 07:16:30.183474: | add_fd_read_event_handler: new ethX-pe@0x559ca62b8000 Sep 21 07:16:30.183477: | libevent_malloc: new ptr-libevent@0x559ca62b8040 size 128 Sep 21 07:16:30.183484: | setup callback for interface lo 127.0.0.1:4500 fd 28 Sep 21 07:16:30.183489: | libevent_free: release ptr-libevent@0x559ca62b8130 Sep 21 07:16:30.183492: | free_event_entry: release EVENT_NULL-pe@0x559ca62b80f0 Sep 21 07:16:30.183495: | add_fd_read_event_handler: new ethX-pe@0x559ca62b80f0 Sep 21 07:16:30.183499: | libevent_malloc: new ptr-libevent@0x559ca62b8130 size 128 Sep 21 07:16:30.183504: | setup callback for interface lo 127.0.0.1:500 fd 27 Sep 21 07:16:30.183509: | libevent_free: release ptr-libevent@0x559ca62b8220 Sep 21 07:16:30.183512: | free_event_entry: release EVENT_NULL-pe@0x559ca62b81e0 Sep 21 07:16:30.183515: | add_fd_read_event_handler: new ethX-pe@0x559ca62b81e0 Sep 21 07:16:30.183518: | libevent_malloc: new ptr-libevent@0x559ca62b8220 size 128 Sep 21 07:16:30.183524: | setup callback for interface eth0 192.0.2.254:4500 fd 26 Sep 21 07:16:30.183528: | libevent_free: release ptr-libevent@0x559ca62b8310 Sep 21 07:16:30.183531: | free_event_entry: release EVENT_NULL-pe@0x559ca62b82d0 Sep 21 07:16:30.183534: | add_fd_read_event_handler: new ethX-pe@0x559ca62b82d0 Sep 21 07:16:30.183537: | libevent_malloc: new ptr-libevent@0x559ca62b8310 size 128 Sep 21 07:16:30.183543: | setup callback for interface eth0 192.0.2.254:500 fd 25 
Sep 21 07:16:30.183550: | libevent_free: release ptr-libevent@0x559ca62b8ac0 Sep 21 07:16:30.183553: | free_event_entry: release EVENT_NULL-pe@0x559ca62b83c0 Sep 21 07:16:30.183569: | add_fd_read_event_handler: new ethX-pe@0x559ca62b83c0 Sep 21 07:16:30.183572: | libevent_malloc: new ptr-libevent@0x559ca62b8ac0 size 128 Sep 21 07:16:30.183578: | setup callback for interface eth0 192.0.22.251:4500 fd 24 Sep 21 07:16:30.183582: | libevent_free: release ptr-libevent@0x559ca62b8b90 Sep 21 07:16:30.183585: | free_event_entry: release EVENT_NULL-pe@0x559ca62b8b50 Sep 21 07:16:30.183588: | add_fd_read_event_handler: new ethX-pe@0x559ca62b8b50 Sep 21 07:16:30.183592: | libevent_malloc: new ptr-libevent@0x559ca62b8b90 size 128 Sep 21 07:16:30.183597: | setup callback for interface eth0 192.0.22.251:500 fd 23 Sep 21 07:16:30.183602: | libevent_free: release ptr-libevent@0x559ca62b8c60 Sep 21 07:16:30.183605: | free_event_entry: release EVENT_NULL-pe@0x559ca62b8c20 Sep 21 07:16:30.183608: | add_fd_read_event_handler: new ethX-pe@0x559ca62b8c20 Sep 21 07:16:30.183611: | libevent_malloc: new ptr-libevent@0x559ca62b8c60 size 128 Sep 21 07:16:30.183617: | setup callback for interface eth0 192.0.22.254:4500 fd 22 Sep 21 07:16:30.183622: | libevent_free: release ptr-libevent@0x559ca62b8d50 Sep 21 07:16:30.183625: | free_event_entry: release EVENT_NULL-pe@0x559ca62b8d10 Sep 21 07:16:30.183628: | add_fd_read_event_handler: new ethX-pe@0x559ca62b8d10 Sep 21 07:16:30.183632: | libevent_malloc: new ptr-libevent@0x559ca62b8d50 size 128 Sep 21 07:16:30.183638: | setup callback for interface eth0 192.0.22.254:500 fd 21 Sep 21 07:16:30.183642: | libevent_free: release ptr-libevent@0x559ca62b8e40 Sep 21 07:16:30.183645: | free_event_entry: release EVENT_NULL-pe@0x559ca62b8e00 Sep 21 07:16:30.183649: | add_fd_read_event_handler: new ethX-pe@0x559ca62b8e00 Sep 21 07:16:30.183652: | libevent_malloc: new ptr-libevent@0x559ca62b8e40 size 128 Sep 21 07:16:30.183658: | setup callback for interface 
eth0 192.0.2.251:4500 fd 20 Sep 21 07:16:30.183663: | libevent_free: release ptr-libevent@0x559ca62b8f30 Sep 21 07:16:30.183666: | free_event_entry: release EVENT_NULL-pe@0x559ca62b8ef0 Sep 21 07:16:30.183669: | add_fd_read_event_handler: new ethX-pe@0x559ca62b8ef0 Sep 21 07:16:30.183672: | libevent_malloc: new ptr-libevent@0x559ca62b8f30 size 128 Sep 21 07:16:30.183678: | setup callback for interface eth0 192.0.2.251:500 fd 19 Sep 21 07:16:30.183682: | libevent_free: release ptr-libevent@0x559ca62b9020 Sep 21 07:16:30.183686: | free_event_entry: release EVENT_NULL-pe@0x559ca62b8fe0 Sep 21 07:16:30.183689: | add_fd_read_event_handler: new ethX-pe@0x559ca62b8fe0 Sep 21 07:16:30.183692: | libevent_malloc: new ptr-libevent@0x559ca62b9020 size 128 Sep 21 07:16:30.183698: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Sep 21 07:16:30.183702: | libevent_free: release ptr-libevent@0x559ca62b9110 Sep 21 07:16:30.183705: | free_event_entry: release EVENT_NULL-pe@0x559ca62b90d0 Sep 21 07:16:30.183708: | add_fd_read_event_handler: new ethX-pe@0x559ca62b90d0 Sep 21 07:16:30.183712: | libevent_malloc: new ptr-libevent@0x559ca62b9110 size 128 Sep 21 07:16:30.183717: | setup callback for interface eth1 192.1.2.23:500 fd 17 Sep 21 07:16:30.183721: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:16:30.183724: forgetting secrets Sep 21 07:16:30.183732: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:16:30.183748: loading secrets from "/etc/ipsec.secrets" Sep 21 07:16:30.183772: | saving Modulus Sep 21 07:16:30.183776: | saving PublicExponent Sep 21 07:16:30.183781: | ignoring PrivateExponent Sep 21 07:16:30.183789: | ignoring Prime1 Sep 21 07:16:30.183797: | ignoring Prime2 Sep 21 07:16:30.183802: | ignoring Exponent1 Sep 21 07:16:30.183806: | ignoring Exponent2 Sep 21 07:16:30.183811: | ignoring Coefficient Sep 21 07:16:30.183828: | ignoring CKAIDNSS Sep 21 07:16:30.183841: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 
Sep 21 07:16:30.183845: | computed rsa CKAID 8a 82 25 f1 Sep 21 07:16:30.183851: loaded private key for keyid: PKK_RSA:AQO9bJbr3 Sep 21 07:16:30.183859: | certs and keys locked by 'process_secret' Sep 21 07:16:30.183863: | certs and keys unlocked by 'process_secret' Sep 21 07:16:30.183869: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:16:30.183877: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.183882: | spent 0.589 milliseconds in whack Sep 21 07:16:30.183900: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.183909: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:30.183914: | start processing: connection "north-eastnets/0x1" (in whack_route_connection() at rcv_whack.c:106) Sep 21 07:16:30.183918: | could_route called for north-eastnets/0x1 (kind=CK_PERMANENT) Sep 21 07:16:30.183921: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:16:30.183925: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:30.183928: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:30.183932: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:30.183935: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:30.183941: | route owner of "north-eastnets/0x1" unrouted: NULL; eroute owner: NULL Sep 21 07:16:30.183945: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:16:30.183948: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:16:30.183951: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:30.183954: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:30.183957: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:30.183961: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:30.183964: | route owner of "north-eastnets/0x1" unrouted: NULL; eroute owner: NULL Sep 21 07:16:30.183969: | route_and_eroute with c: north-eastnets/0x1 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0 Sep 21 07:16:30.183977: | shunt_eroute() called for connection 'north-eastnets/0x1' to 'add' for rt_kind 'prospective erouted' using protoports 192.0.2.0/24:0 --0->- 192.0.3.0/24:0 Sep 21 07:16:30.183984: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.3.0/24:0 Sep 21 07:16:30.183987: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:30.183994: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:30.184055: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:30.184060: | route_and_eroute: firewall_notified: true Sep 21 07:16:30.184063: | running updown command "ipsec _updown" for verb prepare Sep 21 07:16:30.184066: | command executing prepare-client Sep 21 07:16:30.184101: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' 
PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SP Sep 21 07:16:30.184106: | popen cmd is 1030 chars long Sep 21 07:16:30.184110: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets: Sep 21 07:16:30.184113: | cmd( 80):/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' P: Sep 21 07:16:30.184121: | cmd( 160):LUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0: Sep 21 07:16:30.184125: | cmd( 240):' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' P: Sep 21 07:16:30.184128: | cmd( 320):LUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID: Sep 21 07:16:30.184132: | cmd( 400):='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLU: Sep 21 07:16:30.184135: | cmd( 480):TO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' : Sep 21 07:16:30.184139: | cmd( 560):PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASI: Sep 21 07:16:30.184143: | cmd( 640):G+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_K: Sep 21 07:16:30.184146: | cmd( 720):IND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CIS: Sep 21 07:16:30.184149: | cmd( 800):CO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLU: Sep 21 07:16:30.184153: | cmd( 880):TO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_: Sep 21 07:16:30.184156: | cmd( 960):ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Sep 21 07:16:30.196099: | running updown 
command "ipsec _updown" for verb route Sep 21 07:16:30.196110: | command executing route-client Sep 21 07:16:30.196131: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN Sep 21 07:16:30.196134: | popen cmd is 1028 chars long Sep 21 07:16:30.196136: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0: Sep 21 07:16:30.196137: | cmd( 80):x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLU: Sep 21 07:16:30.196139: | cmd( 160):TO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' : Sep 21 07:16:30.196140: | cmd( 240):PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLU: Sep 21 07:16:30.196142: | cmd( 320):TO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID=': Sep 21 07:16:30.196143: | cmd( 400):@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO: Sep 21 07:16:30.196160: | cmd( 480):_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' 
PLUTO_PEER_PROTOCOL='0' PL: Sep 21 07:16:30.196161: | cmd( 560):UTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+: Sep 21 07:16:30.196163: | cmd( 640):ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIN: Sep 21 07:16:30.196164: | cmd( 720):D='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO: Sep 21 07:16:30.196166: | cmd( 800):='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO: Sep 21 07:16:30.196167: | cmd( 880):_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_RO: Sep 21 07:16:30.196169: | cmd( 960):UTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Sep 21 07:16:30.209813: | stop processing: connection "north-eastnets/0x1" (in whack_route_connection() at rcv_whack.c:116) Sep 21 07:16:30.209829: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.209838: | spent 0.567 milliseconds in whack Sep 21 07:16:30.209849: | kernel_process_msg_cb process netlink message Sep 21 07:16:30.209856: | netlink_get: XFRM_MSG_ACQUIRE message Sep 21 07:16:30.209858: | xfrm netlink msg len 376 Sep 21 07:16:30.209861: | xfrm acquire rtattribute type 5 Sep 21 07:16:30.209863: | xfrm acquire rtattribute type 16 Sep 21 07:16:30.209876: | add bare shunt 0x559ca62ba230 192.0.2.251/32:8 --1--> 192.0.3.254/32:0 => %hold 0 %acquire-netlink Sep 21 07:16:30.209882: initiate on demand from 192.0.2.251:8 to 192.0.3.254:0 proto=1 because: acquire Sep 21 07:16:30.209886: | find_connection: looking for policy for connection: 192.0.2.251:1/8 -> 192.0.3.254:1/0 Sep 21 07:16:30.209887: | FOR_EACH_CONNECTION_... 
in find_connection_for_clients Sep 21 07:16:30.209891: | find_connection: conn "north-eastnets/0x1" has compatible peers: 192.0.2.0/24:0 -> 192.0.3.0/24:0 [pri: 25214986] Sep 21 07:16:30.209893: | find_connection: first OK "north-eastnets/0x1" [pri:25214986]{0x559ca62b9220} (child none) Sep 21 07:16:30.209896: | find_connection: concluding with "north-eastnets/0x1" [pri:25214986]{0x559ca62b9220} kind=CK_PERMANENT Sep 21 07:16:30.209898: | assign hold, routing was prospective erouted, needs to be erouted HOLD Sep 21 07:16:30.209899: | assign_holdpass() need broad(er) shunt Sep 21 07:16:30.209901: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:30.209905: | eroute_connection replace %trap with broad %pass or %hold eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => %hold>%hold (raw_eroute) Sep 21 07:16:30.209907: | netlink_raw_eroute: SPI_HOLD implemented as no-op Sep 21 07:16:30.209909: | raw_eroute result=success Sep 21 07:16:30.209910: | assign_holdpass() eroute_connection() done Sep 21 07:16:30.209912: | fiddle_bare_shunt called Sep 21 07:16:30.209913: | fiddle_bare_shunt with transport_proto 1 Sep 21 07:16:30.209915: | removing specific host-to-host bare shunt Sep 21 07:16:30.209918: | delete narrow %hold eroute 192.0.2.251/32:8 --1-> 192.0.3.254/32:0 => %hold (raw_eroute) Sep 21 07:16:30.209919: | netlink_raw_eroute: SPI_PASS Sep 21 07:16:30.209932: | raw_eroute result=success Sep 21 07:16:30.209934: | raw_eroute with op='delete' for transport_proto='1' kernel shunt succeeded, bare shunt lookup succeeded Sep 21 07:16:30.209937: | delete bare shunt 0x559ca62ba230 192.0.2.251/32:8 --1--> 192.0.3.254/32:0 => %hold 0 %acquire-netlink Sep 21 07:16:30.209939: assign_holdpass() delete_bare_shunt() failed Sep 21 07:16:30.209941: initiate_ondemand_body() failed to install negotiation_shunt, Sep 21 07:16:30.209942: | FOR_EACH_STATE_... 
in find_phase1_state Sep 21 07:16:30.209954: | creating state object #1 at 0x559ca62baa20 Sep 21 07:16:30.209957: | State DB: adding IKEv2 state #1 in UNDEFINED Sep 21 07:16:30.209963: | pstats #1 ikev2.ike started Sep 21 07:16:30.209965: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Sep 21 07:16:30.209967: | parent state #1: UNDEFINED(ignore) => PARENT_I0(ignore) Sep 21 07:16:30.209971: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:30.209977: | start processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in ikev2_parent_outI1() at ikev2_parent.c:535) Sep 21 07:16:30.209979: | dup_any(fd@-1) -> fd@-1 (in ikev2_parent_outI1() at ikev2_parent.c:551) Sep 21 07:16:30.209982: | Queuing pending IPsec SA negotiating with 192.1.3.33 "north-eastnets/0x1" IKE SA #1 "north-eastnets/0x1" Sep 21 07:16:30.209985: "north-eastnets/0x1" #1: initiating v2 parent SA Sep 21 07:16:30.209987: | constructing local IKE proposals for north-eastnets/0x1 (IKE SA initiator selecting KE) Sep 21 07:16:30.209991: | converting ike_info AES_CBC_256-HMAC_SHA2_256-MODP2048 to ikev2 ... Sep 21 07:16:30.209998: | ... 
ikev2_proposal: 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Sep 21 07:16:30.210000: "north-eastnets/0x1": constructed local IKE proposals for north-eastnets/0x1 (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Sep 21 07:16:30.210005: | adding ikev2_outI1 KE work-order 1 for state #1 Sep 21 07:16:30.210007: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x559ca62ba1d0 Sep 21 07:16:30.210010: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:16:30.210012: | libevent_malloc: new ptr-libevent@0x559ca62bc700 size 128 Sep 21 07:16:30.210021: | #1 spent 0.14 milliseconds in ikev2_parent_outI1() Sep 21 07:16:30.210025: | crypto helper 0 resuming Sep 21 07:16:30.210033: | crypto helper 0 starting work-order 1 for state #1 Sep 21 07:16:30.210037: | crypto helper 0 doing build KE and nonce (ikev2_outI1 KE); request ID 1 Sep 21 07:16:30.210026: | RESET processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in ikev2_parent_outI1() at ikev2_parent.c:610) Sep 21 07:16:30.210053: | initiate on demand using RSASIG from 192.0.2.251 to 192.0.3.254 Sep 21 07:16:30.210058: | netlink_get: XFRM_MSG_ACQUIRE message Sep 21 07:16:30.210060: | xfrm netlink msg len 376 Sep 21 07:16:30.210062: | xfrm acquire rtattribute type 5 Sep 21 07:16:30.210064: | xfrm acquire rtattribute type 16 Sep 21 07:16:30.210071: | add bare shunt 0x559ca62ba230 192.0.2.254/32:8 --1--> 192.0.3.254/32:0 => %hold 0 %acquire-netlink Sep 21 07:16:30.210076: initiate on demand from 192.0.2.254:8 to 192.0.3.254:0 proto=1 because: acquire Sep 21 07:16:30.210080: | find_connection: looking for policy for connection: 192.0.2.254:1/8 -> 192.0.3.254:1/0 Sep 21 07:16:30.210082: | FOR_EACH_CONNECTION_... 
in find_connection_for_clients Sep 21 07:16:30.210088: | find_connection: conn "north-eastnets/0x1" has compatible peers: 192.0.2.0/24:0 -> 192.0.3.0/24:0 [pri: 25214986] Sep 21 07:16:30.210091: | find_connection: first OK "north-eastnets/0x1" [pri:25214986]{0x559ca62b9220} (child none) Sep 21 07:16:30.210094: | find_connection: concluding with "north-eastnets/0x1" [pri:25214986]{0x559ca62b9220} kind=CK_PERMANENT Sep 21 07:16:30.210096: | assign hold, routing was prospective erouted, needs to be erouted HOLD Sep 21 07:16:30.210098: | assign_holdpass() need broad(er) shunt Sep 21 07:16:30.210100: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:30.210105: | eroute_connection replace %trap with broad %pass or %hold eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => %hold>%hold (raw_eroute) Sep 21 07:16:30.210108: | netlink_raw_eroute: SPI_HOLD implemented as no-op Sep 21 07:16:30.210110: | raw_eroute result=success Sep 21 07:16:30.210112: | assign_holdpass() eroute_connection() done Sep 21 07:16:30.210114: | fiddle_bare_shunt called Sep 21 07:16:30.210117: | fiddle_bare_shunt with transport_proto 1 Sep 21 07:16:30.210119: | removing specific host-to-host bare shunt Sep 21 07:16:30.210124: | delete narrow %hold eroute 192.0.2.254/32:8 --1-> 192.0.3.254/32:0 => %hold (raw_eroute) Sep 21 07:16:30.210126: | netlink_raw_eroute: SPI_PASS Sep 21 07:16:30.210133: | raw_eroute result=success Sep 21 07:16:30.210136: | raw_eroute with op='delete' for transport_proto='1' kernel shunt succeeded, bare shunt lookup succeeded Sep 21 07:16:30.210141: | delete bare shunt 0x559ca62ba230 192.0.2.254/32:8 --1--> 192.0.3.254/32:0 => %hold 0 %acquire-netlink Sep 21 07:16:30.210144: assign_holdpass() delete_bare_shunt() failed Sep 21 07:16:30.210146: initiate_ondemand_body() failed to install negotiation_shunt, Sep 21 07:16:30.210148: | FOR_EACH_STATE_... 
in find_phase1_state Sep 21 07:16:30.210153: | Ignored already queued up pending IPsec SA negotiation with 192.1.3.33 "north-eastnets/0x1" Sep 21 07:16:30.210157: | initiate on demand using RSASIG from 192.0.2.254 to 192.0.3.254 Sep 21 07:16:30.210162: | spent 0.291 milliseconds in kernel message Sep 21 07:16:30.210168: | processing signal PLUTO_SIGCHLD Sep 21 07:16:30.210175: | waitpid returned nothing left to do (all child processes are busy) Sep 21 07:16:30.210179: | spent 0.00538 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:30.210182: | processing signal PLUTO_SIGCHLD Sep 21 07:16:30.210185: | waitpid returned nothing left to do (all child processes are busy) Sep 21 07:16:30.210188: | spent 0.00341 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:30.210199: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.210209: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:30.210213: | start processing: connection "north-eastnets/0x2" (in whack_route_connection() at rcv_whack.c:106) Sep 21 07:16:30.210215: | could_route called for north-eastnets/0x2 (kind=CK_PERMANENT) Sep 21 07:16:30.210218: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:16:30.210221: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:30.210223: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:30.210226: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:30.210228: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:30.210233: | route owner of "north-eastnets/0x2" unrouted: "north-eastnets/0x1" prospective erouted; eroute owner: NULL Sep 21 07:16:30.210236: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:16:30.210238: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:16:30.210240: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:30.210243: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:30.210246: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:30.210248: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:30.210252: | route owner of "north-eastnets/0x2" unrouted: "north-eastnets/0x1" prospective erouted; eroute owner: NULL Sep 21 07:16:30.210255: | route_and_eroute with c: north-eastnets/0x2 (next: none) ero:null esr:{(nil)} ro:north-eastnets/0x1 rosr:{0x559ca62b9370} and state: #0 Sep 21 07:16:30.210261: | shunt_eroute() called for connection 'north-eastnets/0x2' to 'add' for rt_kind 'prospective erouted' using protoports 192.0.22.0/24:0 --0->- 192.0.3.0/24:0 Sep 21 07:16:30.210266: | netlink_shunt_eroute for proto 0, and source 192.0.22.0/24:0 dest 192.0.3.0/24:0 Sep 21 07:16:30.210269: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:30.210271: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:30.210502: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:30.210509: | route_and_eroute: firewall_notified: true Sep 21 07:16:30.210513: | stop processing: connection "north-eastnets/0x2" (in whack_route_connection() at rcv_whack.c:116) Sep 21 07:16:30.210523: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.210528: | spent 0.139 milliseconds in whack Sep 21 07:16:30.210534: | kernel_process_msg_cb process netlink message Sep 21 07:16:30.210540: | netlink_get: XFRM_MSG_ACQUIRE message Sep 21 07:16:30.210542: | xfrm netlink msg len 376 Sep 21 07:16:30.210545: | xfrm acquire rtattribute type 5 Sep 21 07:16:30.210547: | xfrm acquire rtattribute type 16 Sep 21 07:16:30.210555: | add bare shunt 0x559ca62ba230 192.0.22.254/32:8 --1--> 192.0.3.254/32:0 => %hold 0 %acquire-netlink Sep 21 07:16:30.210560: initiate on demand from 192.0.22.254:8 to 
192.0.3.254:0 proto=1 because: acquire Sep 21 07:16:30.210565: | find_connection: looking for policy for connection: 192.0.22.254:1/8 -> 192.0.3.254:1/0 Sep 21 07:16:30.210567: | FOR_EACH_CONNECTION_... in find_connection_for_clients Sep 21 07:16:30.210572: | find_connection: conn "north-eastnets/0x2" has compatible peers: 192.0.22.0/24:0 -> 192.0.3.0/24:0 [pri: 25214986] Sep 21 07:16:30.210575: | find_connection: first OK "north-eastnets/0x2" [pri:25214986]{0x559ca62ba470} (child none) Sep 21 07:16:30.210578: | find_connection: concluding with "north-eastnets/0x2" [pri:25214986]{0x559ca62ba470} kind=CK_PERMANENT Sep 21 07:16:30.210584: | assign hold, routing was prospective erouted, needs to be erouted HOLD Sep 21 07:16:30.210586: | assign_holdpass() need broad(er) shunt Sep 21 07:16:30.210589: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:30.210594: | eroute_connection replace %trap with broad %pass or %hold eroute 192.0.22.0/24:0 --0-> 192.0.3.0/24:0 => %hold>%hold (raw_eroute) Sep 21 07:16:30.210597: | netlink_raw_eroute: SPI_HOLD implemented as no-op Sep 21 07:16:30.210600: | raw_eroute result=success Sep 21 07:16:30.210602: | assign_holdpass() eroute_connection() done Sep 21 07:16:30.210604: | fiddle_bare_shunt called Sep 21 07:16:30.210606: | fiddle_bare_shunt with transport_proto 1 Sep 21 07:16:30.210609: | removing specific host-to-host bare shunt Sep 21 07:16:30.210614: | delete narrow %hold eroute 192.0.22.254/32:8 --1-> 192.0.3.254/32:0 => %hold (raw_eroute) Sep 21 07:16:30.210616: | netlink_raw_eroute: SPI_PASS Sep 21 07:16:30.210624: | raw_eroute result=success Sep 21 07:16:30.210627: | raw_eroute with op='delete' for transport_proto='1' kernel shunt succeeded, bare shunt lookup succeeded Sep 21 07:16:30.210633: | delete bare shunt 0x559ca62ba230 192.0.22.254/32:8 --1--> 192.0.3.254/32:0 => %hold 0 %acquire-netlink Sep 21 07:16:30.210636: assign_holdpass() delete_bare_shunt() failed Sep 21 07:16:30.210638: 
initiate_ondemand_body() failed to install negotiation_shunt, Sep 21 07:16:30.210640: | FOR_EACH_STATE_... in find_phase1_state Sep 21 07:16:30.210645: | Queuing pending IPsec SA negotiating with 192.1.3.33 "north-eastnets/0x2" IKE SA #1 "north-eastnets/0x1" Sep 21 07:16:30.210650: | initiate on demand using RSASIG from 192.0.22.254 to 192.0.3.254 Sep 21 07:16:30.210656: | spent 0.117 milliseconds in kernel message Sep 21 07:16:30.211457: | kernel_process_msg_cb process netlink message Sep 21 07:16:30.211468: | netlink_get: XFRM_MSG_ACQUIRE message Sep 21 07:16:30.211471: | xfrm netlink msg len 376 Sep 21 07:16:30.211473: | xfrm acquire rtattribute type 5 Sep 21 07:16:30.211476: | xfrm acquire rtattribute type 16 Sep 21 07:16:30.211483: | add bare shunt 0x559ca62ba230 192.0.22.251/32:8 --1--> 192.0.3.254/32:0 => %hold 0 %acquire-netlink Sep 21 07:16:30.211488: initiate on demand from 192.0.22.251:8 to 192.0.3.254:0 proto=1 because: acquire Sep 21 07:16:30.211492: | find_connection: looking for policy for connection: 192.0.22.251:1/8 -> 192.0.3.254:1/0 Sep 21 07:16:30.211495: | FOR_EACH_CONNECTION_... 
in find_connection_for_clients Sep 21 07:16:30.211500: | find_connection: conn "north-eastnets/0x2" has compatible peers: 192.0.22.0/24:0 -> 192.0.3.0/24:0 [pri: 25214986] Sep 21 07:16:30.211503: | find_connection: first OK "north-eastnets/0x2" [pri:25214986]{0x559ca62ba470} (child none) Sep 21 07:16:30.211506: | find_connection: concluding with "north-eastnets/0x2" [pri:25214986]{0x559ca62ba470} kind=CK_PERMANENT Sep 21 07:16:30.211509: | assign hold, routing was prospective erouted, needs to be erouted HOLD Sep 21 07:16:30.211511: | assign_holdpass() need broad(er) shunt Sep 21 07:16:30.211514: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:30.211519: | eroute_connection replace %trap with broad %pass or %hold eroute 192.0.22.0/24:0 --0-> 192.0.3.0/24:0 => %hold>%hold (raw_eroute) Sep 21 07:16:30.211521: | netlink_raw_eroute: SPI_HOLD implemented as no-op Sep 21 07:16:30.211523: | raw_eroute result=success Sep 21 07:16:30.211526: | assign_holdpass() eroute_connection() done Sep 21 07:16:30.211528: | fiddle_bare_shunt called Sep 21 07:16:30.211530: | fiddle_bare_shunt with transport_proto 1 Sep 21 07:16:30.211532: | removing specific host-to-host bare shunt Sep 21 07:16:30.211537: | delete narrow %hold eroute 192.0.22.251/32:8 --1-> 192.0.3.254/32:0 => %hold (raw_eroute) Sep 21 07:16:30.211539: | netlink_raw_eroute: SPI_PASS Sep 21 07:16:30.211548: | raw_eroute result=success Sep 21 07:16:30.211551: | raw_eroute with op='delete' for transport_proto='1' kernel shunt succeeded, bare shunt lookup succeeded Sep 21 07:16:30.211559: | delete bare shunt 0x559ca62ba230 192.0.22.251/32:8 --1--> 192.0.3.254/32:0 => %hold 0 %acquire-netlink Sep 21 07:16:30.211561: assign_holdpass() delete_bare_shunt() failed Sep 21 07:16:30.211563: initiate_ondemand_body() failed to install negotiation_shunt, Sep 21 07:16:30.211566: | FOR_EACH_STATE_... 
in find_phase1_state Sep 21 07:16:30.211568: | crypto helper 0 finished build KE and nonce (ikev2_outI1 KE); request ID 1 time elapsed 0.001529 seconds Sep 21 07:16:30.211570: | Ignored already queued up pending IPsec SA negotiation with 192.1.3.33 "north-eastnets/0x2" Sep 21 07:16:30.211581: | (#1) spent 0.968 milliseconds in crypto helper computing work-order 1: ikev2_outI1 KE (pcr) Sep 21 07:16:30.211591: | initiate on demand using RSASIG from 192.0.22.251 to 192.0.3.254 Sep 21 07:16:30.211593: | crypto helper 0 sending results from work-order 1 for state #1 to event queue Sep 21 07:16:30.211601: | spent 0.131 milliseconds in kernel message Sep 21 07:16:30.211602: | scheduling resume sending helper answer for #1 Sep 21 07:16:30.211610: | libevent_malloc: new ptr-libevent@0x7fe420006900 size 128 Sep 21 07:16:30.211613: | processing signal PLUTO_SIGCHLD Sep 21 07:16:30.211616: | crypto helper 0 waiting (nothing to do) Sep 21 07:16:30.211621: | waitpid returned pid 11853 (exited with status 0) Sep 21 07:16:30.211624: | reaped addconn helper child (status 0) Sep 21 07:16:30.211628: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:30.211632: | spent 0.0148 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:30.211638: | processing resume sending helper answer for #1 Sep 21 07:16:30.211642: | start processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:16:30.211645: | crypto helper 0 replies to request ID 1 Sep 21 07:16:30.211646: | calling continuation function 0x559ca5d50630 Sep 21 07:16:30.211648: | ikev2_parent_outI1_continue for #1 Sep 21 07:16:30.211673: | **emit ISAKMP Message: Sep 21 07:16:30.211675: | initiator cookie: Sep 21 07:16:30.211676: | 9b c6 26 3f 77 ac 16 6c Sep 21 07:16:30.211678: | responder cookie: Sep 21 07:16:30.211679: | 00 00 00 00 00 00 00 00 Sep 21 07:16:30.211681: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:30.211683: | ISAKMP version: 
IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:30.211684: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:16:30.211686: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:30.211688: | Message ID: 0 (0x0) Sep 21 07:16:30.211690: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:30.211696: | using existing local IKE proposals for connection north-eastnets/0x1 (IKE SA initiator emitting local proposals): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Sep 21 07:16:30.211697: | Emitting ikev2_proposals ... Sep 21 07:16:30.211699: | ***emit IKEv2 Security Association Payload: Sep 21 07:16:30.211701: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:30.211703: | flags: none (0x0) Sep 21 07:16:30.211705: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:30.211707: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:30.211709: | ****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:30.211710: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:30.211712: | prop #: 1 (0x1) Sep 21 07:16:30.211716: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:16:30.211718: | spi size: 0 (0x0) Sep 21 07:16:30.211720: | # transforms: 4 (0x4) Sep 21 07:16:30.211723: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:30.211726: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:30.211728: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.211733: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:30.211735: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:30.211738: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last 
transform' Sep 21 07:16:30.211741: | ******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:30.211743: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:30.211746: | length/value: 256 (0x100) Sep 21 07:16:30.211748: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:16:30.211751: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:30.211753: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.211755: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:30.211757: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:16:30.211761: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.211763: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:30.211766: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:30.211768: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:30.211771: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.211773: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:30.211775: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:16:30.211778: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.211781: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:30.211790: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:30.211796: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:30.211798: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:30.211801: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.211803: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 
07:16:30.211806: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.211809: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:30.211811: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:30.211814: | emitting length of IKEv2 Proposal Substructure Payload: 44 Sep 21 07:16:30.211817: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:16:30.211819: | emitting length of IKEv2 Security Association Payload: 48 Sep 21 07:16:30.211822: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:30.211825: | ***emit IKEv2 Key Exchange Payload: Sep 21 07:16:30.211828: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:30.211830: | flags: none (0x0) Sep 21 07:16:30.211832: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:30.211836: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 07:16:30.211838: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:16:30.211842: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
Sep 21 07:16:30.211885: | emitting length of IKEv2 Key Exchange Payload: 264 Sep 21 07:16:30.211887: | ***emit IKEv2 Nonce Payload: Sep 21 07:16:30.211890: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:30.211892: | flags: none (0x0) Sep 21 07:16:30.211895: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Sep 21 07:16:30.211898: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:16:30.211900: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:16:30.211903: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:16:30.211906: | IKEv2 nonce fd 37 bb 25 2f b7 aa e5 65 43 03 88 9f 91 be 64 Sep 21 07:16:30.211908: | IKEv2 nonce 33 99 6a 02 87 59 04 f6 9a 79 b5 8b e0 a1 b2 48 Sep 21 07:16:30.211910: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:16:30.211913: | Adding a v2N Payload Sep 21 07:16:30.211915: | ***emit IKEv2 Notify Payload: Sep 21 07:16:30.211917: | next
payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:30.211919: | flags: none (0x0) Sep 21 07:16:30.211922: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:30.211924: | SPI size: 0 (0x0) Sep 21 07:16:30.211926: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:16:30.211929: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:30.211931: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:30.211933: | emitting length of IKEv2 Notify Payload: 8 Sep 21 07:16:30.211936: | NAT-Traversal support [enabled] add v2N payloads. Sep 21 07:16:30.211938: | natd_hash: rcookie is zero Sep 21 07:16:30.211949: | natd_hash: hasher=0x559ca5e267a0(20) Sep 21 07:16:30.211952: | natd_hash: icookie= 9b c6 26 3f 77 ac 16 6c Sep 21 07:16:30.211954: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:16:30.211956: | natd_hash: ip= c0 01 02 17 Sep 21 07:16:30.211958: | natd_hash: port= 01 f4 Sep 21 07:16:30.211961: | natd_hash: hash= bd 8b 19 8f 3b 8e 47 ed 83 18 71 d3 70 21 a8 8d Sep 21 07:16:30.211963: | natd_hash: hash= 10 87 ad 97 Sep 21 07:16:30.211965: | Adding a v2N Payload Sep 21 07:16:30.211967: | ***emit IKEv2 Notify Payload: Sep 21 07:16:30.211970: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:30.211972: | flags: none (0x0) Sep 21 07:16:30.211974: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:30.211976: | SPI size: 0 (0x0) Sep 21 07:16:30.211979: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:16:30.211981: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:30.211986: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:30.211989: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 
07:16:30.211992: | Notify data bd 8b 19 8f 3b 8e 47 ed 83 18 71 d3 70 21 a8 8d Sep 21 07:16:30.211994: | Notify data 10 87 ad 97 Sep 21 07:16:30.211996: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:16:30.211998: | natd_hash: rcookie is zero Sep 21 07:16:30.212006: | natd_hash: hasher=0x559ca5e267a0(20) Sep 21 07:16:30.212009: | natd_hash: icookie= 9b c6 26 3f 77 ac 16 6c Sep 21 07:16:30.212011: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:16:30.212013: | natd_hash: ip= c0 01 03 21 Sep 21 07:16:30.212016: | natd_hash: port= 01 f4 Sep 21 07:16:30.212018: | natd_hash: hash= 20 d5 70 2c a9 89 0a 9b 45 31 98 4c 13 97 0d 25 Sep 21 07:16:30.212020: | natd_hash: hash= 03 c2 73 b0 Sep 21 07:16:30.212022: | Adding a v2N Payload Sep 21 07:16:30.212025: | ***emit IKEv2 Notify Payload: Sep 21 07:16:30.212028: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:30.212030: | flags: none (0x0) Sep 21 07:16:30.212032: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:30.212034: | SPI size: 0 (0x0) Sep 21 07:16:30.212036: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:16:30.212039: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:30.212042: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:30.212044: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:16:30.212047: | Notify data 20 d5 70 2c a9 89 0a 9b 45 31 98 4c 13 97 0d 25 Sep 21 07:16:30.212049: | Notify data 03 c2 73 b0 Sep 21 07:16:30.212051: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:16:30.212054: | emitting length of ISAKMP Message: 440 Sep 21 07:16:30.212061: | stop processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in ikev2_parent_outI1_common() at ikev2_parent.c:817) Sep 21 07:16:30.212070: | start processing: state #1 connection 
"north-eastnets/0x1" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:30.212073: | #1 complete_v2_state_transition() PARENT_I0->PARENT_I1 with status STF_OK Sep 21 07:16:30.212075: | IKEv2: transition from state STATE_PARENT_I0 to state STATE_PARENT_I1 Sep 21 07:16:30.212078: | parent state #1: PARENT_I0(ignore) => PARENT_I1(half-open IKE SA) Sep 21 07:16:30.212079: | Message ID: updating counters for #1 to 4294967295 after switching state Sep 21 07:16:30.212081: | Message ID: IKE #1 skipping update_recv as MD is fake Sep 21 07:16:30.212085: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1->0 wip.responder=-1 Sep 21 07:16:30.212087: "north-eastnets/0x1" #1: STATE_PARENT_I1: sent v2I1, expected v2R1 Sep 21 07:16:30.212090: | sending V2 reply packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:16:30.212097: | sending 440 bytes for STATE_PARENT_I0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Sep 21 07:16:30.212175: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:30.212179: | libevent_free: release ptr-libevent@0x559ca62bc700 Sep 21 07:16:30.212181: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x559ca62ba1d0 Sep 21 07:16:30.212183: | success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=50ms Sep 21 07:16:30.212185: | event_schedule: new EVENT_RETRANSMIT-pe@0x559ca62ba1d0 Sep 21 07:16:30.212188: | inserting event EVENT_RETRANSMIT, timeout in 0.05 seconds for #1 Sep 21 07:16:30.212190: | libevent_malloc: new ptr-libevent@0x559ca62bc700 size 128 Sep 21 07:16:30.212193: | #1 STATE_PARENT_I1: retransmits: first event in 0.05 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 48836.580449 Sep 21 07:16:30.212195: | resume sending helper answer for #1 suppresed complete_v2_state_transition() and stole MD Sep 21
07:16:30.212200: | #1 spent 0.523 milliseconds in resume sending helper answer Sep 21 07:16:30.212203: | stop processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:16:30.212204: | libevent_free: release ptr-libevent@0x7fe420006900 Sep 21 07:16:30.225662: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.225932: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:16:30.225940: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:16:30.226090: | FOR_EACH_STATE_... in show_states_status (sort_states) Sep 21 07:16:30.226095: | FOR_EACH_STATE_... in sort_states Sep 21 07:16:30.226116: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.226124: | spent 0.467 milliseconds in whack Sep 21 07:16:30.262200: | timer_event_cb: processing event@0x559ca62ba1d0 Sep 21 07:16:30.262214: | handling event EVENT_RETRANSMIT for parent state #1 Sep 21 07:16:30.262223: | start processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in timer_event_cb() at timer.c:250) Sep 21 07:16:30.262228: | IKEv2 retransmit event Sep 21 07:16:30.262232: | [RE]START processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in retransmit_v2_msg() at retry.c:144) Sep 21 07:16:30.262235: | handling event EVENT_RETRANSMIT for 192.1.3.33 "north-eastnets/0x1" #1 attempt 2 of 0 Sep 21 07:16:30.262237: | and parent for 192.1.3.33 "north-eastnets/0x1" #1 keying attempt 1 of 0; retransmit 1 Sep 21 07:16:30.262242: | retransmits: current time 48836.630504; retransmit count 0 exceeds limit? NO; deltatime 0.05 exceeds limit? NO; monotime 0.050055 exceeds limit? 
NO Sep 21 07:16:30.262245: | event_schedule: new EVENT_RETRANSMIT-pe@0x7fe420002b20 Sep 21 07:16:30.262264: | inserting event EVENT_RETRANSMIT, timeout in 0.05 seconds for #1 Sep 21 07:16:30.262267: | libevent_malloc: new ptr-libevent@0x7fe420006900 size 128 Sep 21 07:16:30.262271: "north-eastnets/0x1" #1: STATE_PARENT_I1: retransmission; will wait 0.05 seconds for response Sep 21 07:16:30.262275: | sending 440 bytes for EVENT_RETRANSMIT through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Sep 21 07:16:30.262370: | libevent_free: release ptr-libevent@0x559ca62bc700 Sep 21 07:16:30.262372: | free_event_entry: release EVENT_RETRANSMIT-pe@0x559ca62ba1d0 Sep 21 07:16:30.262378: | #1 spent 0.158 milliseconds in timer_event_cb() EVENT_RETRANSMIT Sep 21 07:16:30.262381: | stop processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in timer_event_cb() at timer.c:557) Sep 21 07:16:30.313512: | timer_event_cb: processing event@0x7fe420002b20 Sep 21 07:16:30.313530: | handling event EVENT_RETRANSMIT for parent state #1 Sep 21 07:16:30.313538: | start processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in timer_event_cb() at timer.c:250) Sep 21 07:16:30.313541: | IKEv2 retransmit event Sep 21 07:16:30.313546: | [RE]START processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in retransmit_v2_msg() at retry.c:144) Sep 21 07:16:30.313551: | handling event EVENT_RETRANSMIT for 192.1.3.33 "north-eastnets/0x1" #1 attempt 2 of 0 Sep 21 07:16:30.313555: | and parent for 192.1.3.33 "north-eastnets/0x1" #1 keying attempt 1 of 0; retransmit 2 Sep 21 07:16:30.313561: | retransmits: current time 48836.681822; retransmit count 1 exceeds limit? NO; deltatime 0.1 exceeds limit? NO; monotime 0.101373 exceeds limit?
NO Sep 21 07:16:30.313565: | event_schedule: new EVENT_RETRANSMIT-pe@0x559ca62ba1d0 Sep 21 07:16:30.313568: | inserting event EVENT_RETRANSMIT, timeout in 0.1 seconds for #1 Sep 21 07:16:30.313572: | libevent_malloc: new ptr-libevent@0x559ca62bc700 size 128 Sep 21 07:16:30.313580: "north-eastnets/0x1" #1: STATE_PARENT_I1: retransmission; will wait 0.1 seconds for response Sep 21 07:16:30.313587: | sending 440 bytes for EVENT_RETRANSMIT through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Sep 21 07:16:30.313697: | libevent_free: release ptr-libevent@0x7fe420006900 Sep 21 07:16:30.313701: | free_event_entry: release EVENT_RETRANSMIT-pe@0x7fe420002b20 Sep 21 07:16:30.313708: | #1 spent 0.172 milliseconds in timer_event_cb() EVENT_RETRANSMIT Sep 21 07:16:30.313714: | stop processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in timer_event_cb() at timer.c:557) Sep 21 07:16:30.413819: | timer_event_cb: processing event@0x559ca62ba1d0 Sep 21 07:16:30.413831: | handling event EVENT_RETRANSMIT for parent state #1 Sep 21 07:16:30.413839: | start processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in timer_event_cb() at timer.c:250) Sep 21 07:16:30.413843: | IKEv2 retransmit event Sep 21 07:16:30.413847: | [RE]START processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in retransmit_v2_msg() at retry.c:144) Sep 21 07:16:30.413852: | handling event EVENT_RETRANSMIT for 192.1.3.33 "north-eastnets/0x1" #1 attempt 2 of 0 Sep 21 07:16:30.413856: | and parent for 192.1.3.33 "north-eastnets/0x1" #1 keying attempt 1 of 0; retransmit 3 Sep 21 07:16:30.413862: | retransmits: current time 48836.782124; retransmit count 2 exceeds limit? NO; deltatime 0.2 exceeds limit? NO; monotime 0.201675 exceeds limit?
NO Sep 21 07:16:30.413867: | event_schedule: new EVENT_RETRANSMIT-pe@0x7fe420002b20 Sep 21 07:16:30.413870: | inserting event EVENT_RETRANSMIT, timeout in 0.2 seconds for #1 Sep 21 07:16:30.413874: | libevent_malloc: new ptr-libevent@0x7fe420006900 size 128 Sep 21 07:16:30.413879: "north-eastnets/0x1" #1: STATE_PARENT_I1: retransmission; will wait 0.2 seconds for response Sep 21 07:16:30.413890: | sending 440 bytes for EVENT_RETRANSMIT through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Sep 21 07:16:30.414006: | libevent_free: release ptr-libevent@0x559ca62bc700 Sep 21 07:16:30.414010: | free_event_entry: release EVENT_RETRANSMIT-pe@0x559ca62ba1d0 Sep 21 07:16:30.414017: | #1 spent 0.171 milliseconds in timer_event_cb() EVENT_RETRANSMIT Sep 21 07:16:30.414023: | stop processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in timer_event_cb() at timer.c:557) Sep 21 07:16:30.615326: | timer_event_cb: processing event@0x7fe420002b20 Sep 21 07:16:30.615337: | handling event EVENT_RETRANSMIT for parent state #1 Sep 21 07:16:30.615343: | start processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in timer_event_cb() at timer.c:250) Sep 21 07:16:30.615345: | IKEv2 retransmit event Sep 21 07:16:30.615348: | [RE]START processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in retransmit_v2_msg() at retry.c:144) Sep 21 07:16:30.615351: | handling event EVENT_RETRANSMIT for 192.1.3.33 "north-eastnets/0x1" #1 attempt 2 of 0 Sep 21 07:16:30.615353: | and parent for 192.1.3.33 "north-eastnets/0x1" #1 keying attempt 1 of 0; retransmit 4 Sep 21 07:16:30.615357: | retransmits: current time 48836.98362; retransmit count 3 exceeds limit? NO; deltatime 0.4 exceeds limit? NO; monotime 0.403171 exceeds limit?
NO Sep 21 07:16:30.615360: | event_schedule: new EVENT_RETRANSMIT-pe@0x559ca62ba1d0 Sep 21 07:16:30.615362: | inserting event EVENT_RETRANSMIT, timeout in 0.4 seconds for #1 Sep 21 07:16:30.615365: | libevent_malloc: new ptr-libevent@0x559ca62bc700 size 128 Sep 21 07:16:30.615368: "north-eastnets/0x1" #1: STATE_PARENT_I1: retransmission; will wait 0.4 seconds for response Sep 21 07:16:30.615372: | sending 440 bytes for EVENT_RETRANSMIT through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Sep 21 07:16:30.615449: | libevent_free: release ptr-libevent@0x7fe420006900 Sep 21 07:16:30.615452: | free_event_entry: release EVENT_RETRANSMIT-pe@0x7fe420002b20 Sep 21 07:16:30.615457: | #1 spent 0.111 milliseconds in timer_event_cb() EVENT_RETRANSMIT Sep 21 07:16:30.615460: | stop processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in timer_event_cb() at timer.c:557) Sep 21 07:16:31.015802: | timer_event_cb: processing event@0x559ca62ba1d0 Sep 21 07:16:31.015815: | handling event EVENT_RETRANSMIT for parent state #1 Sep 21 07:16:31.015822: | start processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in timer_event_cb() at timer.c:250) Sep 21 07:16:31.015826: | IKEv2 retransmit event Sep 21 07:16:31.015830: | [RE]START processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in retransmit_v2_msg() at retry.c:144) Sep 21 07:16:31.015835: | handling event EVENT_RETRANSMIT for 192.1.3.33 "north-eastnets/0x1" #1 attempt 2 of 0 Sep 21 07:16:31.015839: | and parent for 192.1.3.33 "north-eastnets/0x1" #1 keying attempt 1 of 0; retransmit 5 Sep 21 07:16:31.015845: | retransmits: current time 48837.384107; retransmit count 4 exceeds limit? NO; deltatime 0.8 exceeds limit? NO; monotime 0.803658 exceeds limit?
NO Sep 21 07:16:31.015850: | event_schedule: new EVENT_RETRANSMIT-pe@0x7fe420002b20 Sep 21 07:16:31.015853: | inserting event EVENT_RETRANSMIT, timeout in 0.8 seconds for #1 Sep 21 07:16:31.015856: | libevent_malloc: new ptr-libevent@0x7fe420006900 size 128 Sep 21 07:16:31.015861: "north-eastnets/0x1" #1: STATE_PARENT_I1: retransmission; will wait 0.8 seconds for response Sep 21 07:16:31.015867: | sending 440 bytes for EVENT_RETRANSMIT through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Sep 21 07:16:31.015979: | libevent_free: release ptr-libevent@0x559ca62bc700 Sep 21 07:16:31.015983: | free_event_entry: release EVENT_RETRANSMIT-pe@0x559ca62ba1d0 Sep 21 07:16:31.015990: | #1 spent 0.166 milliseconds in timer_event_cb() EVENT_RETRANSMIT Sep 21 07:16:31.015995: | stop processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in timer_event_cb() at timer.c:557) Sep 21 07:16:31.816808: | timer_event_cb: processing event@0x7fe420002b20 Sep 21 07:16:31.816826: | handling event EVENT_RETRANSMIT for parent state #1 Sep 21 07:16:31.816834: | start processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in timer_event_cb() at timer.c:250) Sep 21 07:16:31.816837: | IKEv2 retransmit event Sep 21 07:16:31.816842: | [RE]START processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in retransmit_v2_msg() at retry.c:144) Sep 21 07:16:31.816846: | handling event EVENT_RETRANSMIT for 192.1.3.33 "north-eastnets/0x1" #1 attempt 2 of 0 Sep 21 07:16:31.816850: | and parent for 192.1.3.33 "north-eastnets/0x1" #1 keying attempt 1 of 0; retransmit 6 Sep 21 07:16:31.816856: | retransmits: current time 48838.185118; retransmit count 5 exceeds limit? NO; deltatime 1.6 exceeds limit? NO; monotime 1.604669 exceeds limit?
NO Sep 21 07:16:31.816860: | event_schedule: new EVENT_RETRANSMIT-pe@0x559ca62ba1d0 Sep 21 07:16:31.816863: | inserting event EVENT_RETRANSMIT, timeout in 1.6 seconds for #1 Sep 21 07:16:31.816866: | libevent_malloc: new ptr-libevent@0x559ca62bc700 size 128 Sep 21 07:16:31.816871: "north-eastnets/0x1" #1: STATE_PARENT_I1: retransmission; will wait 1.6 seconds for response Sep 21 07:16:31.816877: | sending 440 bytes for EVENT_RETRANSMIT through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Sep 21 07:16:31.816982: | libevent_free: release ptr-libevent@0x7fe420006900 Sep 21 07:16:31.816986: | free_event_entry: release EVENT_RETRANSMIT-pe@0x7fe420002b20 Sep 21 07:16:31.816994: | #1 spent 0.162 milliseconds in timer_event_cb() EVENT_RETRANSMIT Sep 21 07:16:31.816998: | stop processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in timer_event_cb() at timer.c:557) Sep 21 07:16:33.417845: | timer_event_cb: processing event@0x559ca62ba1d0 Sep 21 07:16:33.417856: | handling event EVENT_RETRANSMIT for parent state #1 Sep 21 07:16:33.417862: | start processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in timer_event_cb() at timer.c:250) Sep 21 07:16:33.417865: | IKEv2 retransmit event Sep 21 07:16:33.417868: | [RE]START processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in retransmit_v2_msg() at retry.c:144) Sep 21 07:16:33.417871: | handling event EVENT_RETRANSMIT for 192.1.3.33 "north-eastnets/0x1" #1 attempt 2 of 0 Sep 21 07:16:33.417873: | and parent for 192.1.3.33 "north-eastnets/0x1" #1 keying attempt 1 of 0; retransmit 7 Sep 21 07:16:33.417878: | retransmits: current time 48839.786141; retransmit count 6 exceeds limit? NO; deltatime 3.2 exceeds limit? NO; monotime 3.205692 exceeds limit?
NO Sep 21 07:16:33.417881: | event_schedule: new EVENT_RETRANSMIT-pe@0x7fe420002b20 Sep 21 07:16:33.417883: | inserting event EVENT_RETRANSMIT, timeout in 3.2 seconds for #1 Sep 21 07:16:33.417886: | libevent_malloc: new ptr-libevent@0x7fe420006900 size 128 Sep 21 07:16:33.417889: "north-eastnets/0x1" #1: STATE_PARENT_I1: retransmission; will wait 3.2 seconds for response Sep 21 07:16:33.417895: | sending 440 bytes for EVENT_RETRANSMIT through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Sep 21 07:16:33.417989: | libevent_free: release ptr-libevent@0x559ca62bc700 Sep 21 07:16:33.417994: | free_event_entry: release EVENT_RETRANSMIT-pe@0x559ca62ba1d0 Sep 21 07:16:33.418001: | #1 spent 0.132 milliseconds in timer_event_cb() EVENT_RETRANSMIT Sep 21 07:16:33.418006: | stop processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in timer_event_cb() at timer.c:557) Sep 21 07:16:34.825748: | spent 0.00397 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:34.825779: | *received 440 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Sep 21 07:16:34.825875: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:16:34.825878: | **parse ISAKMP Message: Sep 21 07:16:34.825881: | initiator cookie: Sep 21 07:16:34.825883: | 37 34 b6 02 ea fb 65 7e Sep 21 07:16:34.825885: | responder cookie: Sep 21 07:16:34.825887: | 00 00 00 00 00 00 00 00 Sep 21 07:16:34.825889: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:34.825892: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:34.825894: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:16:34.825897: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:34.825899: | Message ID: 0 (0x0) Sep 21 07:16:34.825901: | length: 440 (0x1b8) Sep 21 07:16:34.825904: | processing version=2.0 packet with exchange
type=ISAKMP_v2_IKE_SA_INIT (34) Sep 21 07:16:34.825907: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Sep 21 07:16:34.825910: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Sep 21 07:16:34.825913: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:16:34.825916: | ***parse IKEv2 Security Association Payload: Sep 21 07:16:34.825918: | next payload type: ISAKMP_NEXT_v2KE (0x22) Sep 21 07:16:34.825920: | flags: none (0x0) Sep 21 07:16:34.825922: | length: 48 (0x30) Sep 21 07:16:34.825924: | processing payload: ISAKMP_NEXT_v2SA (len=44) Sep 21 07:16:34.825926: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:16:34.825929: | ***parse IKEv2 Key Exchange Payload: Sep 21 07:16:34.825931: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:16:34.825933: | flags: none (0x0) Sep 21 07:16:34.825935: | length: 264 (0x108) Sep 21 07:16:34.825938: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:34.825940: | processing payload: ISAKMP_NEXT_v2KE (len=256) Sep 21 07:16:34.825942: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 21 07:16:34.825944: | ***parse IKEv2 Nonce Payload: Sep 21 07:16:34.825946: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:34.825948: | flags: none (0x0) Sep 21 07:16:34.825950: | length: 36 (0x24) Sep 21 07:16:34.825952: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:16:34.825954: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:16:34.825956: | ***parse IKEv2 Notify Payload: Sep 21 07:16:34.825958: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:34.825960: | flags: none (0x0) Sep 21 07:16:34.825962: | length: 8 (0x8) Sep 21 07:16:34.825965: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:34.825967: | SPI size: 0 (0x0) Sep 21 07:16:34.825969: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:16:34.825971: | processing payload: ISAKMP_NEXT_v2N (len=0) Sep 21 07:16:34.825973: | Now let's proceed with 
payload (ISAKMP_NEXT_v2N) Sep 21 07:16:34.825975: | ***parse IKEv2 Notify Payload: Sep 21 07:16:34.825978: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:34.825980: | flags: none (0x0) Sep 21 07:16:34.825982: | length: 28 (0x1c) Sep 21 07:16:34.825986: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:34.825988: | SPI size: 0 (0x0) Sep 21 07:16:34.825991: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:16:34.825994: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:16:34.825997: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:16:34.826000: | ***parse IKEv2 Notify Payload: Sep 21 07:16:34.826004: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:34.826009: | flags: none (0x0) Sep 21 07:16:34.826012: | length: 28 (0x1c) Sep 21 07:16:34.826015: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:34.826018: | SPI size: 0 (0x0) Sep 21 07:16:34.826021: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:16:34.826024: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:16:34.826028: | DDOS disabled and no cookie sent, continuing Sep 21 07:16:34.826035: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:16:34.826042: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:16:34.826047: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:16:34.826051: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-eastnets/0x2) Sep 21 07:16:34.826056: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-eastnets/0x1) Sep 21 07:16:34.826059: | find_next_host_connection returns empty Sep 21 07:16:34.826063: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:16:34.826066: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:16:34.826068: 
| find_next_host_connection returns empty Sep 21 07:16:34.826071: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Sep 21 07:16:34.826075: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:16:34.826079: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:16:34.826081: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:16:34.826084: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-eastnets/0x2) Sep 21 07:16:34.826086: | find_next_host_connection returns north-eastnets/0x2 Sep 21 07:16:34.826088: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:16:34.826101: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-eastnets/0x1) Sep 21 07:16:34.826113: | find_next_host_connection returns north-eastnets/0x1 Sep 21 07:16:34.826119: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:16:34.826122: | find_next_host_connection returns empty Sep 21 07:16:34.826126: | found connection: north-eastnets/0x2 with policy RSASIG+IKEV2_ALLOW Sep 21 07:16:34.826149: | creating state object #2 at 0x559ca62bdd30 Sep 21 07:16:34.826153: | State DB: adding IKEv2 state #2 in UNDEFINED Sep 21 07:16:34.826160: | pstats #2 ikev2.ike started Sep 21 07:16:34.826163: | Message ID: init #2: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Sep 21 07:16:34.826166: | parent state #2: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Sep 21 07:16:34.826171: | Message ID: init_ike #2; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:34.826179: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 
07:16:34.826182: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:16:34.826186: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:16:34.826189: | #2 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Sep 21 07:16:34.826192: | Message ID: #2 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Sep 21 07:16:34.826196: | Message ID: start-responder #2 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Sep 21 07:16:34.826199: | #2 in state PARENT_R0: processing SA_INIT request Sep 21 07:16:34.826201: | selected state microcode Respond to IKE_SA_INIT Sep 21 07:16:34.826208: | Now let's proceed with state specific processing Sep 21 07:16:34.826210: | calling processor Respond to IKE_SA_INIT Sep 21 07:16:34.826216: | #2 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:16:34.826219: | constructing local IKE proposals for north-eastnets/0x2 (IKE SA responder matching remote proposals) Sep 21 07:16:34.826223: | converting ike_info AES_CBC_256-HMAC_SHA2_256-MODP2048 to ikev2 ... Sep 21 07:16:34.826229: | ... 
ikev2_proposal: 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Sep 21 07:16:34.826233: "north-eastnets/0x2": constructed local IKE proposals for north-eastnets/0x2 (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Sep 21 07:16:34.826236: | Comparing remote proposals against IKE responder 1 local proposals Sep 21 07:16:34.826239: | local proposal 1 type ENCR has 1 transforms Sep 21 07:16:34.826241: | local proposal 1 type PRF has 1 transforms Sep 21 07:16:34.826243: | local proposal 1 type INTEG has 1 transforms Sep 21 07:16:34.826245: | local proposal 1 type DH has 1 transforms Sep 21 07:16:34.826247: | local proposal 1 type ESN has 0 transforms Sep 21 07:16:34.826250: | local proposal 1 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:16:34.826253: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:34.826255: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:34.826257: | length: 44 (0x2c) Sep 21 07:16:34.826260: | prop #: 1 (0x1) Sep 21 07:16:34.826262: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:16:34.826264: | spi size: 0 (0x0) Sep 21 07:16:34.826266: | # transforms: 4 (0x4) Sep 21 07:16:34.826269: | Comparing remote proposal 1 containing 4 transforms against local proposal [1..1] of 1 local proposals Sep 21 07:16:34.826272: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:34.826274: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:34.826276: | length: 12 (0xc) Sep 21 07:16:34.826278: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:34.826280: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:34.826282: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:34.826285: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:34.826287: | length/value: 256 (0x100) Sep 21 07:16:34.826291: | remote proposal 1 transform 0 (ENCR=AES_CBC_256) matches local proposal 1 type 1 (ENCR) transform 0 
Sep 21 07:16:34.826293: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:34.826295: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:34.826297: | length: 8 (0x8) Sep 21 07:16:34.826299: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:34.826302: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:16:34.826305: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_256) matches local proposal 1 type 2 (PRF) transform 0 Sep 21 07:16:34.826307: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:34.826309: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:34.826311: | length: 8 (0x8) Sep 21 07:16:34.826313: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:34.826315: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:16:34.826318: | remote proposal 1 transform 2 (INTEG=HMAC_SHA2_256_128) matches local proposal 1 type 3 (INTEG) transform 0 Sep 21 07:16:34.826320: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:34.826323: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:34.826325: | length: 8 (0x8) Sep 21 07:16:34.826327: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:34.826329: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:34.826332: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Sep 21 07:16:34.826335: | remote proposal 1 proposed transforms: ENCR+PRF+INTEG+DH; matched: ENCR+PRF+INTEG+DH; unmatched: none Sep 21 07:16:34.826340: | comparing remote proposal 1 containing ENCR+PRF+INTEG+DH transforms to local proposal 1; required: ENCR+PRF+INTEG+DH; optional: none; matched: ENCR+PRF+INTEG+DH Sep 21 07:16:34.826343: | remote proposal 1 matches local proposal 1 Sep 21 07:16:34.826347: "north-eastnets/0x2" #2: proposal 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 chosen from remote proposals 
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match] Sep 21 07:16:34.826351: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Sep 21 07:16:34.826353: | converting proposal to internal trans attrs Sep 21 07:16:34.826356: | natd_hash: rcookie is zero Sep 21 07:16:34.826364: | natd_hash: hasher=0x559ca5e267a0(20) Sep 21 07:16:34.826367: | natd_hash: icookie= 37 34 b6 02 ea fb 65 7e Sep 21 07:16:34.826369: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:16:34.826371: | natd_hash: ip= c0 01 02 17 Sep 21 07:16:34.826373: | natd_hash: port= 01 f4 Sep 21 07:16:34.826375: | natd_hash: hash= 4e 27 45 89 8d ba a7 24 46 7b 20 84 4d 6e f9 03 Sep 21 07:16:34.826377: | natd_hash: hash= 20 30 98 55 Sep 21 07:16:34.826379: | natd_hash: rcookie is zero Sep 21 07:16:34.826384: | natd_hash: hasher=0x559ca5e267a0(20) Sep 21 07:16:34.826386: | natd_hash: icookie= 37 34 b6 02 ea fb 65 7e Sep 21 07:16:34.826388: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:16:34.826390: | natd_hash: ip= c0 01 03 21 Sep 21 07:16:34.826392: | natd_hash: port= 01 f4 Sep 21 07:16:34.826394: | natd_hash: hash= 71 5e f2 f2 a9 34 74 25 9b 72 a0 39 60 a8 9b 57 Sep 21 07:16:34.826396: | natd_hash: hash= 72 c0 30 ea Sep 21 07:16:34.826398: | NAT_TRAVERSAL encaps using auto-detect Sep 21 07:16:34.826400: | NAT_TRAVERSAL this end is NOT behind NAT Sep 21 07:16:34.826402: | NAT_TRAVERSAL that end is NOT behind NAT Sep 21 07:16:34.826405: | NAT_TRAVERSAL nat-keepalive enabled 192.1.3.33 Sep 21 07:16:34.826411: | adding ikev2_inI1outR1 KE work-order 2 for state #2 Sep 21 07:16:34.826414: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x559ca62ba1d0 Sep 21 07:16:34.826417: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 Sep 21 07:16:34.826420: | libevent_malloc: new ptr-libevent@0x559ca62bc700 size 128 Sep 21 07:16:34.826430: | #2 spent 0.215 milliseconds in processing: Respond 
to IKE_SA_INIT in ikev2_process_state_packet() Sep 21 07:16:34.826435: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:34.826438: | #2 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Sep 21 07:16:34.826441: | suspending state #2 and saving MD Sep 21 07:16:34.826443: | #2 is busy; has a suspended MD Sep 21 07:16:34.826442: | crypto helper 1 resuming Sep 21 07:16:34.826459: | crypto helper 1 starting work-order 2 for state #2 Sep 21 07:16:34.826466: | crypto helper 1 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 2 Sep 21 07:16:34.826448: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:34.826501: | "north-eastnets/0x2" #2 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:34.826506: | stop processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:34.826511: | #2 spent 0.726 milliseconds in ikev2_process_packet() Sep 21 07:16:34.826514: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:16:34.826517: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:34.826519: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:34.826523: | spent 0.738 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:34.827898: | crypto helper 1 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 2 time elapsed 0.001432 seconds Sep 21 07:16:34.827917: | (#2) spent 1.44 milliseconds in crypto helper computing work-order 2: ikev2_inI1outR1 KE (pcr) Sep 21 07:16:34.827921: | crypto helper 1 sending results from work-order 2 for state #2 to event queue Sep 21 07:16:34.827925: | scheduling resume sending helper answer 
for #2 Sep 21 07:16:34.827930: | libevent_malloc: new ptr-libevent@0x7fe418006900 size 128 Sep 21 07:16:34.827939: | crypto helper 1 waiting (nothing to do) Sep 21 07:16:34.827979: | processing resume sending helper answer for #2 Sep 21 07:16:34.827991: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:16:34.827996: | crypto helper 1 replies to request ID 2 Sep 21 07:16:34.827998: | calling continuation function 0x559ca5d50630 Sep 21 07:16:34.828001: | ikev2_parent_inI1outR1_continue for #2: calculated ke+nonce, sending R1 Sep 21 07:16:34.828007: | **emit ISAKMP Message: Sep 21 07:16:34.828009: | initiator cookie: Sep 21 07:16:34.828011: | 37 34 b6 02 ea fb 65 7e Sep 21 07:16:34.828014: | responder cookie: Sep 21 07:16:34.828016: | 41 58 a7 32 16 4b 4c eb Sep 21 07:16:34.828018: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:34.828020: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:34.828023: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:16:34.828025: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:16:34.828027: | Message ID: 0 (0x0) Sep 21 07:16:34.828030: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:34.828033: | Emitting ikev2_proposal ... 
Sep 21 07:16:34.828035: | ***emit IKEv2 Security Association Payload: Sep 21 07:16:34.828037: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:34.828039: | flags: none (0x0) Sep 21 07:16:34.828042: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:34.828045: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:34.828048: | ****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:34.828050: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:34.828052: | prop #: 1 (0x1) Sep 21 07:16:34.828054: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:16:34.828056: | spi size: 0 (0x0) Sep 21 07:16:34.828058: | # transforms: 4 (0x4) Sep 21 07:16:34.828061: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:34.828063: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:34.828066: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:34.828068: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:34.828070: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:34.828073: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:34.828075: | ******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:34.828078: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:34.828080: | length/value: 256 (0x100) Sep 21 07:16:34.828082: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:16:34.828085: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:34.828087: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:34.828089: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:34.828091: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:16:34.828094: | last 
substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:34.828096: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:34.828102: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:34.828104: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:34.828106: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:34.828109: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:34.828111: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:16:34.828113: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:34.828116: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:34.828118: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:34.828120: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:34.828122: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:34.828124: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:34.828127: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:34.828129: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:34.828132: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:34.828134: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:34.828136: | emitting length of IKEv2 Proposal Substructure Payload: 44 Sep 21 07:16:34.828138: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform 
Substructure Payload'.'last transform' is 0 Sep 21 07:16:34.828141: | emitting length of IKEv2 Security Association Payload: 48 Sep 21 07:16:34.828143: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:34.828146: | ***emit IKEv2 Key Exchange Payload: Sep 21 07:16:34.828148: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:34.828150: | flags: none (0x0) Sep 21 07:16:34.828152: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:34.828155: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 07:16:34.828158: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:16:34.828161: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
Sep 21 07:16:34.828196: | emitting length of IKEv2 Key Exchange Payload: 264 Sep 21 07:16:34.828199: | ***emit IKEv2 Nonce Payload: Sep 21 07:16:34.828202: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:34.828204: | flags: none (0x0) Sep 21 07:16:34.828206: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Sep 21 07:16:34.828209: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:16:34.828211: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:16:34.828214: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:16:34.828216: | IKEv2 nonce 8a a4 fa 29 c9 b5 d4 5c 35 8b 87 8d 81 2f d2 c5 Sep 21 07:16:34.828218: | IKEv2 nonce e7 25 b5 b1 89 70 b3 e4 ee 32 d7 c3 f4 44 3b 2b Sep 21 07:16:34.828220: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:16:34.828223: | Adding a v2N Payload Sep 21 07:16:34.828226: | ***emit IKEv2 Notify Payload: Sep 21 07:16:34.828228: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:34.828230: | flags: none (0x0) Sep 21 07:16:34.828232: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:34.828234: | SPI size: 0 (0x0) Sep 21 07:16:34.828236: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:16:34.828239: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:34.828242: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:34.828244: | emitting length of
IKEv2 Notify Payload: 8 Sep 21 07:16:34.828246: | NAT-Traversal support [enabled] add v2N payloads. Sep 21 07:16:34.828258: | natd_hash: hasher=0x559ca5e267a0(20) Sep 21 07:16:34.828261: | natd_hash: icookie= 37 34 b6 02 ea fb 65 7e Sep 21 07:16:34.828263: | natd_hash: rcookie= 41 58 a7 32 16 4b 4c eb Sep 21 07:16:34.828265: | natd_hash: ip= c0 01 02 17 Sep 21 07:16:34.828267: | natd_hash: port= 01 f4 Sep 21 07:16:34.828269: | natd_hash: hash= cb 85 c8 77 d5 bc 28 f3 1b 60 20 c3 6a d3 b8 ec Sep 21 07:16:34.828271: | natd_hash: hash= 55 27 fe 7d Sep 21 07:16:34.828273: | Adding a v2N Payload Sep 21 07:16:34.828275: | ***emit IKEv2 Notify Payload: Sep 21 07:16:34.828277: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:34.828279: | flags: none (0x0) Sep 21 07:16:34.828281: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:34.828284: | SPI size: 0 (0x0) Sep 21 07:16:34.828286: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:16:34.828288: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:34.828291: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:34.828293: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:16:34.828296: | Notify data cb 85 c8 77 d5 bc 28 f3 1b 60 20 c3 6a d3 b8 ec Sep 21 07:16:34.828298: | Notify data 55 27 fe 7d Sep 21 07:16:34.828300: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:16:34.828305: | natd_hash: hasher=0x559ca5e267a0(20) Sep 21 07:16:34.828307: | natd_hash: icookie= 37 34 b6 02 ea fb 65 7e Sep 21 07:16:34.828309: | natd_hash: rcookie= 41 58 a7 32 16 4b 4c eb Sep 21 07:16:34.828311: | natd_hash: ip= c0 01 03 21 Sep 21 07:16:34.828313: | natd_hash: port= 01 f4 Sep 21 07:16:34.828315: | natd_hash: hash= 89 28 8f 03 85 20 27 e8 3e 16 d0 24 59 dd f4 15 Sep 21 07:16:34.828317: | natd_hash: hash= 08 2c 25 51 Sep 21 
07:16:34.828319: | Adding a v2N Payload Sep 21 07:16:34.828321: | ***emit IKEv2 Notify Payload: Sep 21 07:16:34.828323: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:34.828325: | flags: none (0x0) Sep 21 07:16:34.828327: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:34.828329: | SPI size: 0 (0x0) Sep 21 07:16:34.828334: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:16:34.828336: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:34.828339: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:34.828341: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:16:34.828343: | Notify data 89 28 8f 03 85 20 27 e8 3e 16 d0 24 59 dd f4 15 Sep 21 07:16:34.828345: | Notify data 08 2c 25 51 Sep 21 07:16:34.828347: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:16:34.828349: | emitting length of ISAKMP Message: 440 Sep 21 07:16:34.828355: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:34.828359: | #2 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Sep 21 07:16:34.828361: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Sep 21 07:16:34.828364: | parent state #2: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Sep 21 07:16:34.828366: | Message ID: updating counters for #2 to 0 after switching state Sep 21 07:16:34.828371: | Message ID: recv #2 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Sep 21 07:16:34.828375: | Message ID: sent #2 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Sep 21 07:16:34.828379: "north-eastnets/0x2" #2: 
STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048} Sep 21 07:16:34.828383: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:16:34.828388: | sending 440 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #2)
Sep 21 07:16:34.828476: | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:34.828482: | libevent_free: release ptr-libevent@0x559ca62bc700 Sep 21 07:16:34.828487: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x559ca62ba1d0 Sep 21 07:16:34.828491: | event_schedule: new EVENT_SO_DISCARD-pe@0x559ca62ba1d0 Sep 21 07:16:34.828496: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #2 Sep 21 07:16:34.828500: | libevent_malloc: new ptr-libevent@0x559ca62bc700 size 128 Sep 21 07:16:34.828506: | resume sending helper answer for #2 suppresed complete_v2_state_transition() Sep 21 07:16:34.828513: | #2 spent 0.5 milliseconds in resume sending helper answer Sep 21 07:16:34.828521: | stop processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:16:34.828525: | libevent_free: release ptr-libevent@0x7fe418006900 Sep 21 07:16:35.834434: | spent 0.00301 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:35.834457: | *received 464 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Sep 21 07:16:35.834529: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:16:35.834532: | **parse ISAKMP Message: Sep 21 07:16:35.834535: | initiator cookie: Sep 21 07:16:35.834537: | 37 34 b6 02 ea fb 65 7e Sep 21 07:16:35.834540: | responder cookie: Sep 21 07:16:35.834542: | 41 58 a7 32 16
4b 4c eb Sep 21 07:16:35.834544: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:16:35.834547: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:35.834550: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:16:35.834557: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:35.834559: | Message ID: 1 (0x1) Sep 21 07:16:35.834562: | length: 464 (0x1d0) Sep 21 07:16:35.834565: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Sep 21 07:16:35.834568: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Sep 21 07:16:35.834572: | State DB: found IKEv2 state #2 in PARENT_R1 (find_v2_ike_sa) Sep 21 07:16:35.834578: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:16:35.834581: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:16:35.834585: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:16:35.834588: | #2 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Sep 21 07:16:35.834592: | Message ID: #2 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Sep 21 07:16:35.834594: | unpacking clear payload Sep 21 07:16:35.834597: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:16:35.834600: | ***parse IKEv2 Encryption Payload: Sep 21 07:16:35.834602: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Sep 21 07:16:35.834605: | flags: none (0x0) Sep 21 07:16:35.834607: | length: 436 (0x1b4) Sep 21 07:16:35.834610: | processing payload: ISAKMP_NEXT_v2SK (len=432) Sep 21 07:16:35.834614: | Message ID: start-responder #2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Sep 21 07:16:35.834617: | #2 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:16:35.834620: | selected state 
microcode Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:16:35.834623: | Now let's proceed with state specific processing Sep 21 07:16:35.834625: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:16:35.834628: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Sep 21 07:16:35.834635: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_256 integ=HMAC_SHA2_256_128 cipherkey=AES_CBC Sep 21 07:16:35.834638: | adding ikev2_inI2outR2 KE work-order 3 for state #2 Sep 21 07:16:35.834641: | state #2 requesting EVENT_SO_DISCARD to be deleted Sep 21 07:16:35.834645: | libevent_free: release ptr-libevent@0x559ca62bc700 Sep 21 07:16:35.834648: | free_event_entry: release EVENT_SO_DISCARD-pe@0x559ca62ba1d0 Sep 21 07:16:35.834650: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x559ca62ba1d0 Sep 21 07:16:35.834654: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 Sep 21 07:16:35.834657: | libevent_malloc: new ptr-libevent@0x559ca62bc700 size 128 Sep 21 07:16:35.834667: | #2 spent 0.0367 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Sep 21 07:16:35.834672: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:35.834671: | crypto helper 3 resuming Sep 21 07:16:35.834678: | #2 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Sep 21 07:16:35.834685: | crypto helper 3 starting work-order 3 for state #2 Sep 21 07:16:35.834689: | suspending state #2 and saving MD Sep 21 07:16:35.834694: | crypto helper 3 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 3 Sep 21 07:16:35.834697: | #2 is busy; has a suspended MD Sep 21 07:16:35.834705: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:35.834709: | "north-eastnets/0x2" #2 complete v2 state 
STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:35.834713: | stop processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:35.834717: | #2 spent 0.264 milliseconds in ikev2_process_packet() Sep 21 07:16:35.834723: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:16:35.834726: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:35.834729: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:35.834732: | spent 0.279 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:35.835319: | calculating skeyseed using prf=sha2_256 integ=sha2_256 cipherkey-size=32 salt-size=0 Sep 21 07:16:35.835722: | crypto helper 3 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 3 time elapsed 0.001028 seconds Sep 21 07:16:35.835729: | (#2) spent 1.02 milliseconds in crypto helper computing work-order 3: ikev2_inI2outR2 KE (pcr) Sep 21 07:16:35.835731: | crypto helper 3 sending results from work-order 3 for state #2 to event queue Sep 21 07:16:35.835733: | scheduling resume sending helper answer for #2 Sep 21 07:16:35.835735: | libevent_malloc: new ptr-libevent@0x7fe41c000f40 size 128 Sep 21 07:16:35.835741: | crypto helper 3 waiting (nothing to do) Sep 21 07:16:35.835750: | processing resume sending helper answer for #2 Sep 21 07:16:35.835758: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:16:35.835762: | crypto helper 3 replies to request ID 3 Sep 21 07:16:35.835764: | calling continuation function 0x559ca5d50630 Sep 21 07:16:35.835767: | ikev2_parent_inI2outR2_continue for #2: calculating g^{xy}, sending R2 Sep 21 07:16:35.835770: | #2 in state PARENT_R1: received v2I1, sent v2R1
Sep 21 07:16:35.835871: | calculated auth: df 78 90 c8 77 43 7a 55 3c 98 6d 37 fc 09 43 d7 Sep 21 07:16:35.835874: | provided auth: df 78 90 c8 77 43 7a 55 3c 98 6d 37 fc 09 43 d7 Sep 21 07:16:35.835876: | authenticator matched Sep 21 07:16:35.835885: | #2 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Sep 21 07:16:35.835887: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Sep 21 07:16:35.835890: | **parse IKEv2 Identification - Initiator - Payload: Sep 21 07:16:35.835893: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Sep 21 07:16:35.835896: | flags: none (0x0) Sep 21 07:16:35.835898: | length: 13 (0xd) Sep 21 07:16:35.835901: | ID type: ID_FQDN (0x2) Sep 21 07:16:35.835903: | processing payload: ISAKMP_NEXT_v2IDi (len=5) Sep 21 07:16:35.835906: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Sep 21 07:16:35.835908: | **parse IKEv2 Identification - Responder - Payload: Sep 21 07:16:35.835911: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Sep 21 07:16:35.835913: | flags: none (0x0) Sep 21 07:16:35.835915: | length: 12 (0xc) Sep 21 07:16:35.835917: | ID type: ID_FQDN (0x2) Sep 21 07:16:35.835920: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Sep 21 07:16:35.835922: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Sep 21 07:16:35.835925: | **parse IKEv2 Authentication Payload: Sep 21 07:16:35.835927: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:35.835929: | flags: none (0x0) Sep 21 07:16:35.835944: | length: 282 (0x11a) Sep 21 07:16:35.835947: | auth method: IKEv2_AUTH_RSA (0x1) Sep 21 07:16:35.835949: | processing payload: ISAKMP_NEXT_v2AUTH
(len=274) Sep 21 07:16:35.835951: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:16:35.835954: | **parse IKEv2 Security Association Payload: Sep 21 07:16:35.835956: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Sep 21 07:16:35.835958: | flags: none (0x0) Sep 21 07:16:35.835960: | length: 44 (0x2c) Sep 21 07:16:35.835963: | processing payload: ISAKMP_NEXT_v2SA (len=40) Sep 21 07:16:35.835965: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:16:35.835967: | **parse IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:16:35.835970: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:16:35.835972: | flags: none (0x0) Sep 21 07:16:35.835974: | length: 24 (0x18) Sep 21 07:16:35.835976: | number of TS: 1 (0x1) Sep 21 07:16:35.835979: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:16:35.835981: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:16:35.835983: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:35.835986: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:35.835988: | flags: none (0x0) Sep 21 07:16:35.835990: | length: 24 (0x18) Sep 21 07:16:35.835992: | number of TS: 1 (0x1) Sep 21 07:16:35.835995: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Sep 21 07:16:35.835997: | selected state microcode Responder: process IKE_AUTH request Sep 21 07:16:35.835999: | Now let's proceed with state specific processing Sep 21 07:16:35.836002: | calling processor Responder: process IKE_AUTH request Sep 21 07:16:35.836007: "north-eastnets/0x2" #2: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Sep 21 07:16:35.836013: | #2 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:16:35.836016: | received IDr payload - extracting our alleged ID Sep 21 07:16:35.836019: | refine_host_connection for IKEv2: starting with "north-eastnets/0x2" Sep 21 07:16:35.836024: | match_id a=@north Sep 21 
07:16:35.836026: | b=@north Sep 21 07:16:35.836028: | results matched Sep 21 07:16:35.836032: | refine_host_connection: checking "north-eastnets/0x2" against "north-eastnets/0x2", best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Sep 21 07:16:35.836034: | Warning: not switching back to template of current instance Sep 21 07:16:35.836039: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Sep 21 07:16:35.836041: | This connection's local id is @east (ID_FQDN) Sep 21 07:16:35.836045: | refine_host_connection: checked north-eastnets/0x2 against north-eastnets/0x2, now for see if best Sep 21 07:16:35.836049: | started looking for secret for @east->@north of kind PKK_RSA Sep 21 07:16:35.836051: | actually looking for secret for @east->@north of kind PKK_RSA Sep 21 07:16:35.836054: | line 1: key type PKK_RSA(@east) to type PKK_RSA Sep 21 07:16:35.836058: | 1: compared key (none) to @east / @north -> 002 Sep 21 07:16:35.836061: | 2: compared key (none) to @east / @north -> 002 Sep 21 07:16:35.836063: | line 1: match=002 Sep 21 07:16:35.836066: | match 002 beats previous best_match 000 match=0x559ca62ad1e0 (line=1) Sep 21 07:16:35.836068: | concluding with best_match=002 best=0x559ca62ad1e0 (lineno=1) Sep 21 07:16:35.836071: | returning because exact peer id match Sep 21 07:16:35.836073: | offered CA: '%none' Sep 21 07:16:35.836076: "north-eastnets/0x2" #2: IKEv2 mode peer ID is ID_FQDN: '@north' Sep 21 07:16:35.836091: | verifying AUTH payload Sep 21 07:16:35.836105: | required RSA CA is '%any' Sep 21 07:16:35.836108: | checking RSA keyid '@east' for match with '@north' Sep 21 07:16:35.836111: | checking RSA keyid '@north' for match with '@north' Sep 21 07:16:35.836114: | RSA key issuer CA is '%any' Sep 21 07:16:35.836175: | an RSA Sig check passed with *AQPl33O2P [preloaded keys] Sep 21 07:16:35.836181: | #2 spent 0.0623 milliseconds in try_all_keys() trying a pubkey Sep 21 07:16:35.836184: "north-eastnets/0x2" #2: Authenticated using RSA Sep 21 
07:16:35.836188: | #2 spent 0.0925 milliseconds in ikev2_verify_rsa_hash() Sep 21 07:16:35.836191: | parent state #2: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Sep 21 07:16:35.836195: | #2 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:16:35.836198: | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:35.836201: | libevent_free: release ptr-libevent@0x559ca62bc700 Sep 21 07:16:35.836204: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x559ca62ba1d0 Sep 21 07:16:35.836206: | event_schedule: new EVENT_SA_REKEY-pe@0x559ca62ba1d0 Sep 21 07:16:35.836210: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #2 Sep 21 07:16:35.836213: | libevent_malloc: new ptr-libevent@0x559ca62bc700 size 128 Sep 21 07:16:35.836314: | pstats #2 ikev2.ike established Sep 21 07:16:35.836320: | **emit ISAKMP Message: Sep 21 07:16:35.836323: | initiator cookie: Sep 21 07:16:35.836326: | 37 34 b6 02 ea fb 65 7e Sep 21 07:16:35.836328: | responder cookie: Sep 21 07:16:35.836330: | 41 58 a7 32 16 4b 4c eb Sep 21 07:16:35.836333: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:35.836336: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:35.836338: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:16:35.836341: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:16:35.836343: | Message ID: 1 (0x1) Sep 21 07:16:35.836346: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:35.836349: | IKEv2 CERT: send a certificate? 
Sep 21 07:16:35.836351: | IKEv2 CERT: no certificate to send Sep 21 07:16:35.836353: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:35.836356: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:35.836358: | flags: none (0x0) Sep 21 07:16:35.836361: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:35.836364: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:16:35.836367: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:35.836374: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:16:35.836388: | ****emit IKEv2 Identification - Responder - Payload: Sep 21 07:16:35.836393: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:35.836395: | flags: none (0x0) Sep 21 07:16:35.836397: | ID type: ID_FQDN (0x2) Sep 21 07:16:35.836400: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Sep 21 07:16:35.836403: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:35.836406: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Sep 21 07:16:35.836409: | my identity 65 61 73 74 Sep 21 07:16:35.836411: | emitting length of IKEv2 Identification - Responder - Payload: 12 Sep 21 07:16:35.836418: | assembled IDr payload Sep 21 07:16:35.836420: | CHILD SA proposals received Sep 21 07:16:35.836422: | going to assemble AUTH payload Sep 21 07:16:35.836425: | ****emit IKEv2 Authentication Payload: Sep 21 07:16:35.836427: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:35.836430: | flags: none (0x0) Sep 21 07:16:35.836432: | auth method: IKEv2_AUTH_RSA (0x1) Sep 21 07:16:35.836435: | next payload chain: ignoring supplied 'IKEv2 
Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Sep 21 07:16:35.836438: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Sep 21 07:16:35.836441: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Sep 21 07:16:35.836445: | started looking for secret for @east->@north of kind PKK_RSA Sep 21 07:16:35.836448: | actually looking for secret for @east->@north of kind PKK_RSA Sep 21 07:16:35.836451: | line 1: key type PKK_RSA(@east) to type PKK_RSA Sep 21 07:16:35.836455: | 1: compared key (none) to @east / @north -> 002 Sep 21 07:16:35.836458: | 2: compared key (none) to @east / @north -> 002 Sep 21 07:16:35.836460: | line 1: match=002 Sep 21 07:16:35.836475: | match 002 beats previous best_match 000 match=0x559ca62ad1e0 (line=1) Sep 21 07:16:35.836478: | concluding with best_match=002 best=0x559ca62ad1e0 (lineno=1) Sep 21 07:16:35.841779: | #2 spent 5.2 milliseconds in ikev2_calculate_rsa_hash() calling sign_hash_RSA() Sep 21 07:16:35.841795: | emitting 274 raw bytes of rsa signature into IKEv2 Authentication Payload
Sep 21 07:16:35.841843: | #2 spent 5.31 milliseconds in ikev2_calculate_rsa_hash() Sep 21 07:16:35.841852: | emitting length of IKEv2 Authentication Payload: 282 Sep 21 07:16:35.841858: | creating state object #3 at 0x559ca62c6b40 Sep 21 07:16:35.841861: | State DB: adding IKEv2 state #3 in UNDEFINED Sep 21 07:16:35.841867: | pstats #3 ikev2.child started Sep 21 07:16:35.841870: | duplicating state object #2 "north-eastnets/0x2" as #3 for IPSEC SA Sep 21 07:16:35.841876: | #3 setting local endpoint to 192.1.2.23:500 from #2.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:16:35.841882: | Message ID: init_child #2.#3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:35.841887: | Message ID: switch-from #2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Sep 21 07:16:35.841891: | Message ID: switch-to #2.#3 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Sep 21 07:16:35.841894: | Child SA TS Request has ike->sa == md->st; so using parent connection Sep 21
07:16:35.841897: | TSi: parsing 1 traffic selectors Sep 21 07:16:35.841900: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:35.841903: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:35.841906: | IP Protocol ID: 0 (0x0) Sep 21 07:16:35.841908: | length: 16 (0x10) Sep 21 07:16:35.841910: | start port: 0 (0x0) Sep 21 07:16:35.841912: | end port: 65535 (0xffff) Sep 21 07:16:35.841915: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:35.841918: | TS low c0 00 03 00 Sep 21 07:16:35.841920: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:35.841922: | TS high c0 00 03 ff Sep 21 07:16:35.841925: | TSi: parsed 1 traffic selectors Sep 21 07:16:35.841927: | TSr: parsing 1 traffic selectors Sep 21 07:16:35.841930: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:35.841932: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:35.841934: | IP Protocol ID: 0 (0x0) Sep 21 07:16:35.841937: | length: 16 (0x10) Sep 21 07:16:35.841939: | start port: 0 (0x0) Sep 21 07:16:35.841941: | end port: 65535 (0xffff) Sep 21 07:16:35.841944: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:35.841946: | TS low c0 00 02 00 Sep 21 07:16:35.841948: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:35.841950: | TS high c0 00 02 ff Sep 21 07:16:35.841953: | TSr: parsed 1 traffic selectors Sep 21 07:16:35.841955: | looking for best SPD in current connection Sep 21 07:16:35.841961: | evaluating our conn="north-eastnets/0x2" I=192.0.3.0/24:0:0/0 R=192.0.22.0/24:0:0/0 to their: Sep 21 07:16:35.841966: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:35.841973: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:16:35.841976: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:35.841979: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:35.841982: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 
07:16:35.841985: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:35.841989: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:35.841995: | match address end->client=192.0.22.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: NO Sep 21 07:16:35.841997: | looking for better host pair Sep 21 07:16:35.842003: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:16:35.842007: | checking hostpair 192.0.22.0/24:0 -> 192.0.3.0/24:0 is found Sep 21 07:16:35.842010: | investigating connection "north-eastnets/0x2" as a better match Sep 21 07:16:35.842013: | match_id a=@north Sep 21 07:16:35.842016: | b=@north Sep 21 07:16:35.842018: | results matched Sep 21 07:16:35.842024: | evaluating our conn="north-eastnets/0x2" I=192.0.3.0/24:0:0/0 R=192.0.22.0/24:0:0/0 to their: Sep 21 07:16:35.842033: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:35.842038: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:16:35.842041: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:35.842044: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:35.842046: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:16:35.842049: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:35.842053: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:35.842059: | match address end->client=192.0.22.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: NO Sep 21 07:16:35.842062: | investigating connection "north-eastnets/0x1" as a better match Sep 21 07:16:35.842064: | match_id a=@north Sep 21 07:16:35.842067: | b=@north Sep 21 07:16:35.842069: | results matched Sep 21 07:16:35.842074: | evaluating our conn="north-eastnets/0x1" I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:16:35.842078: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 
.{start,end}port=0..65535 Sep 21 07:16:35.842084: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:16:35.842087: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:35.842090: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:35.842092: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:16:35.842095: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:35.842099: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:35.842105: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:16:35.842108: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:16:35.842110: | TSr[0] port match: YES fitness 65536 Sep 21 07:16:35.842113: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:16:35.842115: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:35.842118: | best fit so far: TSi[0] TSr[0] Sep 21 07:16:35.842120: | protocol fitness found better match d north-eastnets/0x1, TSi[0],TSr[0] Sep 21 07:16:35.842123: | in connection_discard for connection north-eastnets/0x2 Sep 21 07:16:35.842126: | printing contents struct traffic_selector Sep 21 07:16:35.842128: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:16:35.842130: | ipprotoid: 0 Sep 21 07:16:35.842133: | port range: 0-65535 Sep 21 07:16:35.842137: | ip range: 192.0.2.0-192.0.2.255 Sep 21 07:16:35.842139: | printing contents struct traffic_selector Sep 21 07:16:35.842141: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:16:35.842143: | ipprotoid: 0 Sep 21 07:16:35.842145: | port range: 0-65535 Sep 21 07:16:35.842149: | ip range: 192.0.3.0-192.0.3.255 Sep 21 07:16:35.842153: | constructing ESP/AH proposals with all DH removed for north-eastnets/0x1 (IKE_AUTH responder matching remote ESP/AH proposals) Sep 21 07:16:35.842158: | converting proposal AES_CBC_128-HMAC_SHA2_512_256-MODP3072 to ikev2 ... Sep 21 07:16:35.842164: | ... 
ikev2_proposal: 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED Sep 21 07:16:35.842169: "north-eastnets/0x1": constructed local ESP/AH proposals for north-eastnets/0x1 (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED Sep 21 07:16:35.842172: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 1 local proposals Sep 21 07:16:35.842175: | local proposal 1 type ENCR has 1 transforms Sep 21 07:16:35.842178: | local proposal 1 type PRF has 0 transforms Sep 21 07:16:35.842181: | local proposal 1 type INTEG has 1 transforms Sep 21 07:16:35.842183: | local proposal 1 type DH has 1 transforms Sep 21 07:16:35.842187: | local proposal 1 type ESN has 1 transforms Sep 21 07:16:35.842190: | local proposal 1 transforms: required: ENCR+INTEG+ESN; optional: DH Sep 21 07:16:35.842193: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:35.842196: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:35.842199: | length: 40 (0x28) Sep 21 07:16:35.842201: | prop #: 1 (0x1) Sep 21 07:16:35.842203: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:35.842206: | spi size: 4 (0x4) Sep 21 07:16:35.842208: | # transforms: 3 (0x3) Sep 21 07:16:35.842211: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:16:35.842214: | remote SPI af da 9a 3b Sep 21 07:16:35.842217: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 1 local proposals Sep 21 07:16:35.842219: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:35.842222: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:35.842224: | length: 12 (0xc) Sep 21 07:16:35.842227: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:35.842229: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:35.842232: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:35.842234: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 
21 07:16:35.842237: | length/value: 128 (0x80) Sep 21 07:16:35.842241: | remote proposal 1 transform 0 (ENCR=AES_CBC_128) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:16:35.842243: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:35.842246: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:35.842248: | length: 8 (0x8) Sep 21 07:16:35.842251: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:35.842253: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:35.842256: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_512_256) matches local proposal 1 type 3 (INTEG) transform 0 Sep 21 07:16:35.842259: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:35.842261: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:35.842263: | length: 8 (0x8) Sep 21 07:16:35.842266: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:35.842268: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:35.842271: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:16:35.842275: | remote proposal 1 proposed transforms: ENCR+INTEG+ESN; matched: ENCR+INTEG+ESN; unmatched: none Sep 21 07:16:35.842280: | comparing remote proposal 1 containing ENCR+INTEG+ESN transforms to local proposal 1; required: ENCR+INTEG+ESN; optional: DH; matched: ENCR+INTEG+ESN Sep 21 07:16:35.842282: | remote proposal 1 matches local proposal 1 Sep 21 07:16:35.842287: "north-eastnets/0x2" #2: proposal 1:ESP:SPI=afda9a3b;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;ESN=DISABLED[first-match] Sep 21 07:16:35.842292: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=afda9a3b;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;ESN=DISABLED Sep 21 07:16:35.842295: | converting proposal to internal trans attrs Sep 21 07:16:35.842315: | netlink_get_spi: allocated 0xd62b72fb for esp.0@192.1.2.23 
Sep 21 07:16:35.842318: | Emitting ikev2_proposal ... Sep 21 07:16:35.842320: | ****emit IKEv2 Security Association Payload: Sep 21 07:16:35.842323: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:35.842326: | flags: none (0x0) Sep 21 07:16:35.842329: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:35.842332: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:35.842335: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:35.842338: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:35.842340: | prop #: 1 (0x1) Sep 21 07:16:35.842344: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:35.842347: | spi size: 4 (0x4) Sep 21 07:16:35.842349: | # transforms: 3 (0x3) Sep 21 07:16:35.842352: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:35.842355: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:16:35.842357: | our spi d6 2b 72 fb Sep 21 07:16:35.842359: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:35.842362: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:35.842364: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:35.842366: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:35.842369: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:35.842372: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:35.842375: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:35.842377: | length/value: 128 (0x80) Sep 21 07:16:35.842380: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:16:35.842382: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:35.842384: | 
last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:35.842387: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:35.842389: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:35.842392: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:35.842395: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:35.842398: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:35.842400: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:35.842402: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:35.842405: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:35.842407: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:35.842410: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:35.842412: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:35.842415: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:35.842417: | emitting length of IKEv2 Proposal Substructure Payload: 40 Sep 21 07:16:35.842420: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:16:35.842422: | emitting length of IKEv2 Security Association Payload: 44 Sep 21 07:16:35.842425: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:35.842428: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:16:35.842431: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:35.842433: | flags: none (0x0) Sep 21 07:16:35.842435: | 
number of TS: 1 (0x1) Sep 21 07:16:35.842438: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:16:35.842441: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:35.842444: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:35.842446: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:35.842448: | IP Protocol ID: 0 (0x0) Sep 21 07:16:35.842451: | start port: 0 (0x0) Sep 21 07:16:35.842453: | end port: 65535 (0xffff) Sep 21 07:16:35.842456: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:16:35.842458: | IP start c0 00 03 00 Sep 21 07:16:35.842462: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:35.842464: | IP end c0 00 03 ff Sep 21 07:16:35.842467: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:35.842469: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:16:35.842471: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:35.842474: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:35.842476: | flags: none (0x0) Sep 21 07:16:35.842478: | number of TS: 1 (0x1) Sep 21 07:16:35.842481: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:16:35.842484: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:35.842487: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:35.842489: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:35.842491: | IP Protocol ID: 0 (0x0) Sep 21 07:16:35.842493: | start port: 0 (0x0) Sep 21 07:16:35.842496: | end port: 65535 (0xffff) Sep 21 07:16:35.842498: | emitting 4 raw bytes of IP 
start into IKEv2 Traffic Selector Sep 21 07:16:35.842501: | IP start c0 00 02 00 Sep 21 07:16:35.842503: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:35.842505: | IP end c0 00 02 ff Sep 21 07:16:35.842508: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:35.842510: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:16:35.842513: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:16:35.842516: | integ=sha2_512: .key_size=64 encrypt=aes: .key_size=16 .salt_size=0 keymat_len=80 Sep 21 07:16:35.842835: | FOR_EACH_CONNECTION_... in ISAKMP_SA_established Sep 21 07:16:35.842844: | install_ipsec_sa() for #3: inbound and outbound Sep 21 07:16:35.842847: | could_route called for north-eastnets/0x1 (kind=CK_PERMANENT) Sep 21 07:16:35.842850: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:16:35.842853: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:35.842855: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:35.842859: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:35.842861: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:35.842865: | route owner of "north-eastnets/0x1" prospective erouted: self; eroute owner: self Sep 21 07:16:35.842869: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Sep 21 07:16:35.842872: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Sep 21 07:16:35.842875: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Sep 21 07:16:35.842879: | setting IPsec SA replay-window to 32 Sep 21 07:16:35.842882: | NIC esp-hw-offload not for connection 'north-eastnets/0x1' not available on interface eth1 Sep 21 07:16:35.842885: | netlink: enabling tunnel mode Sep 21 07:16:35.842887: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:16:35.842890: | netlink: esp-hw-offload not set for IPsec 
SA Sep 21 07:16:35.842973: | netlink response for Add SA esp.afda9a3b@192.1.3.33 included non-error error Sep 21 07:16:35.842977: | set up outgoing SA, ref=0/0 Sep 21 07:16:35.842980: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Sep 21 07:16:35.842983: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Sep 21 07:16:35.842985: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Sep 21 07:16:35.842989: | setting IPsec SA replay-window to 32 Sep 21 07:16:35.842992: | NIC esp-hw-offload not for connection 'north-eastnets/0x1' not available on interface eth1 Sep 21 07:16:35.842994: | netlink: enabling tunnel mode Sep 21 07:16:35.842996: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:16:35.842999: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:16:35.843056: | netlink response for Add SA esp.d62b72fb@192.1.2.23 included non-error error Sep 21 07:16:35.843060: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:35.843068: | add inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Sep 21 07:16:35.843071: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:35.843116: | raw_eroute result=success Sep 21 07:16:35.843119: | set up incoming SA, ref=0/0 Sep 21 07:16:35.843121: | sr for #3: prospective erouted Sep 21 07:16:35.843124: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:16:35.843126: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:16:35.843129: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:35.843132: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:35.843135: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:35.843137: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:35.843140: | route owner of "north-eastnets/0x1" prospective erouted: self; eroute owner: self Sep 21 07:16:35.843144: | route_and_eroute with c: north-eastnets/0x1 (next: none) ero:north-eastnets/0x1 esr:{(nil)} ro:north-eastnets/0x1 rosr:{(nil)} and state: #3 Sep 21 07:16:35.843147: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:35.843155: | eroute_connection replace eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33>tun.0@192.1.3.33 (raw_eroute) Sep 21 07:16:35.843157: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:35.843180: | raw_eroute result=success Sep 21 07:16:35.843183: | running updown command "ipsec _updown" for verb up Sep 21 07:16:35.843185: | command executing up-client Sep 21 07:16:35.843212: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' 
PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xafda Sep 21 07:16:35.843216: | popen cmd is 1038 chars long Sep 21 07:16:35.843218: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1': Sep 21 07:16:35.843221: | cmd( 80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_: Sep 21 07:16:35.843224: | cmd( 160):MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLU: Sep 21 07:16:35.843226: | cmd( 240):TO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_: Sep 21 07:16:35.843229: | cmd( 320):SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@nor: Sep 21 07:16:35.843231: | cmd( 400):th' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEE: Sep 21 07:16:35.843234: | cmd( 480):R_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_: Sep 21 07:16:35.843236: | cmd( 560):PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCR: Sep 21 07:16:35.843239: | cmd( 640):YPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='C: Sep 21 07:16:35.843241: | cmd( 720):K_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0': Sep 21 07:16:35.843244: | cmd( 800): PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG: Sep 21 07:16:35.843248: | cmd( 880):_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTIN: Sep 21 07:16:35.843251: | cmd( 960):G='no' VTI_SHARED='no' SPI_IN=0xafda9a3b SPI_OUT=0xd62b72fb ipsec _updown 2>&1: Sep 21 07:16:35.851771: | route_and_eroute: firewall_notified: true Sep 21 07:16:35.851808: | route_and_eroute: instance "north-eastnets/0x1", setting eroute_owner {spd=0x559ca62b9370,sr=0x559ca62b9370} to #3 (was #0) (newest_ipsec_sa=#0) Sep 21 07:16:35.851886: | #2 
spent 0.547 milliseconds in install_ipsec_sa() Sep 21 07:16:35.851894: | ISAKMP_v2_IKE_AUTH: instance north-eastnets/0x1[0], setting IKEv2 newest_ipsec_sa to #3 (was #0) (spd.eroute=#3) cloned from #2 Sep 21 07:16:35.851897: | adding 14 bytes of padding (including 1 byte padding-length) Sep 21 07:16:35.851901: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:35.851904: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:35.851907: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:35.851910: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:35.851912: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:35.851915: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:35.851917: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:35.851920: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:35.851922: | emitting 1 0x08 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:35.851925: | emitting 1 0x09 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:35.851927: | emitting 1 0x0a repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:35.851930: | emitting 1 0x0b repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:35.851932: | emitting 1 0x0c repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:35.851934: | emitting 1 0x0d repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:35.851937: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:35.851940: | emitting length of IKEv2 Encryption Payload: 436 
Sep 21 07:16:35.851942: | emitting length of ISAKMP Message: 464 Sep 21 07:16:35.852065: | out calculated auth: Sep 21 07:16:35.852067: | 16 a6 24 98 16 97 96 59 ef d1 aa 26 a2 81 61 bf Sep 21 07:16:35.852072: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Sep 21 07:16:35.852078: | #2 spent 7.49 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Sep 21 07:16:35.852085: | suspend processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:35.852090: | start processing: state #3 connection "north-eastnets/0x1" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:35.852095: | #3 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Sep 21 07:16:35.852098: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Sep 21 07:16:35.852101: | child state #3: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Sep 21 07:16:35.852105: | Message ID: updating counters for #3 to 1 after switching state Sep 21 07:16:35.852110: | Message ID: recv #2.#3 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Sep 21 07:16:35.852116: | Message ID: sent #2.#3 response 1; ike: initiator.sent=-1 initiator.recv=-1 
responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Sep 21 07:16:35.852119: | pstats #3 ikev2.child established Sep 21 07:16:35.852127: "north-eastnets/0x1" #3: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Sep 21 07:16:35.852132: | NAT-T: encaps is 'auto' Sep 21 07:16:35.852137: "north-eastnets/0x1" #3: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0xafda9a3b <0xd62b72fb xfrm=AES_CBC_128-HMAC_SHA2_512_256 NATOA=none NATD=none DPD=passive} Sep 21 07:16:35.852142: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:16:35.852148: | sending 464 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #2) Sep 21 07:16:35.852261: | releasing whack for #3 (sock=fd@-1) Sep 21 07:16:35.852266: | releasing whack and unpending for parent #2 Sep 21 07:16:35.852269: | unpending state #2 connection "north-eastnets/0x1" Sep 21 07:16:35.852274: | #3 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:16:35.852277: | event_schedule: new EVENT_SA_REKEY-pe@0x559ca62c3d80 Sep 21 07:16:35.852281: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #3 Sep 21 07:16:35.852284: | libevent_malloc: new ptr-libevent@0x559ca62c6420 size 128 Sep 21 07:16:35.852290: | resume sending helper answer for #2 suppresed complete_v2_state_transition() Sep 21 07:16:35.852296: | #2 spent 7.92 milliseconds in resume sending helper answer Sep 21 07:16:35.852302: | stop processing: state #3 connection "north-eastnets/0x1" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:16:35.852306: | libevent_free: release ptr-libevent@0x7fe41c000f40 Sep 21 07:16:35.852317: | processing signal PLUTO_SIGCHLD Sep 21 07:16:35.852323: | waitpid returned ECHILD (no child 
processes left) Sep 21 07:16:35.852328: | spent 0.00555 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:36.636902: | timer_event_cb: processing event@0x7fe420002b20 Sep 21 07:16:36.636920: | handling event EVENT_RETRANSMIT for parent state #1 Sep 21 07:16:36.636929: | start processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in timer_event_cb() at timer.c:250) Sep 21 07:16:36.636933: | IKEv2 retransmit event Sep 21 07:16:36.636938: | [RE]START processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in retransmit_v2_msg() at retry.c:144) Sep 21 07:16:36.636943: | handling event EVENT_RETRANSMIT for 192.1.3.33 "north-eastnets/0x1" #1 attempt 2 of 0 Sep 21 07:16:36.636948: | and parent for 192.1.3.33 "north-eastnets/0x1" #1 keying attempt 1 of 0; retransmit 8 Sep 21 07:16:36.636951: "north-eastnets/0x1" #1: suppressing retransmit because superseded by #3 try=1. Drop this negotitation Sep 21 07:16:36.636955: | pstats #1 ikev2.ike failed too-many-retransmits Sep 21 07:16:36.636958: | pstats #1 ikev2.ike deleted too-many-retransmits Sep 21 07:16:36.636962: | #1 spent 2.7 milliseconds in total Sep 21 07:16:36.636967: | [RE]START processing: state #1 connection "north-eastnets/0x1" from 192.1.3.33:500 (in delete_state() at state.c:879) Sep 21 07:16:36.636971: "north-eastnets/0x1" #1: deleting state (STATE_PARENT_I1) aged 6.427s and NOT sending notification Sep 21 07:16:36.636974: | parent state #1: PARENT_I1(half-open IKE SA) => delete Sep 21 07:16:36.636983: | in connection_discard for connection north-eastnets/0x2 Sep 21 07:16:36.636986: | removing pending policy for "north-eastnets/0x2" {0x559ca6242ec0} Sep 21 07:16:36.636989: | in connection_discard for connection north-eastnets/0x1 Sep 21 07:16:36.636991: | removing pending policy for "north-eastnets/0x1" {0x559ca6240f50} Sep 21 07:16:36.636995: | State DB: IKEv2 state not found (flush_incomplete_children) Sep 21 07:16:36.636999: | in connection_discard for connection 
north-eastnets/0x1 Sep 21 07:16:36.637002: | State DB: deleting IKEv2 state #1 in PARENT_I1 Sep 21 07:16:36.637006: | parent state #1: PARENT_I1(half-open IKE SA) => UNDEFINED(ignore) Sep 21 07:16:36.637026: | stop processing: state #1 from 192.1.3.33:500 (in delete_state() at state.c:1143) Sep 21 07:16:36.637033: | libevent_free: release ptr-libevent@0x7fe420006900 Sep 21 07:16:36.637036: | free_event_entry: release EVENT_RETRANSMIT-pe@0x7fe420002b20 Sep 21 07:16:36.637039: | in statetime_stop() and could not find #1 Sep 21 07:16:36.637042: | processing: STOP state #0 (in timer_event_cb() at timer.c:557) Sep 21 07:16:36.975229: | spent 0 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:36.975251: | *received 608 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500) Sep 21 07:16:36.975364: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:16:36.975367: | **parse ISAKMP Message: Sep 21 07:16:36.975370: | initiator cookie: Sep 21 07:16:36.975373: | 37 34 b6 02 ea fb 65 7e Sep 21 07:16:36.975375: | responder cookie: Sep 21 07:16:36.975378: | 41 58 a7 32 16 4b 4c eb Sep 21 07:16:36.975380: | next payload 
type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:16:36.975383: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:36.975386: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Sep 21 07:16:36.975389: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:36.975391: | Message ID: 2 (0x2) Sep 21 07:16:36.975394: | length: 608 (0x260) Sep 21 07:16:36.975397: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Sep 21 07:16:36.975401: | I am the IKE SA Original Responder receiving an IKEv2 CREATE_CHILD_SA request Sep 21 07:16:36.975405: | State DB: found IKEv2 state #2 in PARENT_R2 (find_v2_ike_sa) Sep 21 07:16:36.975412: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:16:36.975416: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:16:36.975421: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:16:36.975424: | #2 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Sep 21 07:16:36.975428: | Message ID: #2 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 Sep 21 07:16:36.975431: | unpacking clear payload Sep 21 07:16:36.975434: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:16:36.975437: | ***parse IKEv2 Encryption Payload: Sep 21 07:16:36.975440: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:36.975442: | flags: none (0x0) Sep 21 07:16:36.975444: | length: 580 (0x244) Sep 21 07:16:36.975447: | processing payload: ISAKMP_NEXT_v2SK (len=576) Sep 21 07:16:36.975452: | Message ID: start-responder #2 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=-1->2 Sep 21 07:16:36.975455: | #2 in state PARENT_R2: received v2I2, PARENT SA established Sep 21 07:16:36.975584: | calculated auth: 0e 90 0d 84 fc 37 f6 47 cf bc 71 37 e2 ad 87 08 Sep 21 07:16:36.975587: | provided auth: 0e 90 0d 84 fc 37 f6 47 cf bc 71 37 e2 ad 87 08 Sep 21 07:16:36.975589: | authenticator matched Sep 21 07:16:36.975600: | #2 ikev2 ISAKMP_v2_CREATE_CHILD_SA decrypt success Sep 21 07:16:36.975603: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:16:36.975606: | **parse IKEv2 Security Association Payload: Sep 21 07:16:36.975609: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:16:36.975611: | flags: none (0x0) Sep 21 07:16:36.975614: | length: 52 (0x34) Sep 21 07:16:36.975616: | processing payload: ISAKMP_NEXT_v2SA (len=48) Sep 21 07:16:36.975619: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 
21 07:16:36.975622: | **parse IKEv2 Nonce Payload: Sep 21 07:16:36.975624: | next payload type: ISAKMP_NEXT_v2KE (0x22) Sep 21 07:16:36.975627: | flags: none (0x0) Sep 21 07:16:36.975629: | length: 36 (0x24) Sep 21 07:16:36.975632: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:16:36.975634: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:16:36.975637: | **parse IKEv2 Key Exchange Payload: Sep 21 07:16:36.975639: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Sep 21 07:16:36.975642: | flags: none (0x0) Sep 21 07:16:36.975644: | length: 392 (0x188) Sep 21 07:16:36.975647: | DH group: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:36.975649: | processing payload: ISAKMP_NEXT_v2KE (len=384) Sep 21 07:16:36.975652: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:16:36.975655: | **parse IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:16:36.975657: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:16:36.975660: | flags: none (0x0) Sep 21 07:16:36.975662: | length: 24 (0x18) Sep 21 07:16:36.975664: | number of TS: 1 (0x1) Sep 21 07:16:36.975667: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:16:36.975670: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:16:36.975672: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:36.975675: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:36.975679: | flags: none (0x0) Sep 21 07:16:36.975682: | length: 24 (0x18) Sep 21 07:16:36.975684: | number of TS: 1 (0x1) Sep 21 07:16:36.975687: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Sep 21 07:16:36.975690: | state #2 forced to match CREATE_CHILD_SA from V2_CREATE_R->V2_IPSEC_R by ignoring from state Sep 21 07:16:36.975693: | selected state microcode Respond to CREATE_CHILD_SA IPsec SA Request Sep 21 07:16:36.975699: | #2 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:16:36.975704: | creating state 
object #4 at 0x559ca62baa20 Sep 21 07:16:36.975707: | State DB: adding IKEv2 state #4 in UNDEFINED Sep 21 07:16:36.975711: | pstats #4 ikev2.child started Sep 21 07:16:36.975714: | duplicating state object #2 "north-eastnets/0x2" as #4 for IPSEC SA Sep 21 07:16:36.975719: | #4 setting local endpoint to 192.1.2.23:500 from #2.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:16:36.975726: | Message ID: init_child #2.#4; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:36.975730: | child state #4: UNDEFINED(ignore) => V2_CREATE_R(established IKE SA) Sep 21 07:16:36.975735: | "north-eastnets/0x2" #2 received Child SA Request CREATE_CHILD_SA from 192.1.3.33:500 Child "north-eastnets/0x2" #4 in STATE_V2_CREATE_R will process it further Sep 21 07:16:36.975740: | Message ID: switch-from #2 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=2->-1 Sep 21 07:16:36.975745: | Message ID: switch-to #2.#4 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1->2 Sep 21 07:16:36.975748: | forcing ST #2 to CHILD #2.#4 in FSM processor Sep 21 07:16:36.975750: | Now let's proceed with state specific processing Sep 21 07:16:36.975752: | calling processor Respond to CREATE_CHILD_SA IPsec SA Request Sep 21 07:16:36.975758: | create child proposal's DH changed from no-PFS to MODP2048, flushing Sep 21 07:16:36.975762: | constructing ESP/AH proposals with default DH MODP2048 for north-eastnets/0x2 (CREATE_CHILD_SA responder matching remote ESP/AH proposals) Sep 21 07:16:36.975768: | converting proposal AES_CBC_128-HMAC_SHA2_512_256-MODP3072 to ikev2 ... Sep 21 07:16:36.975774: | ... 
ikev2_proposal: 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Sep 21 07:16:36.975779: "north-eastnets/0x2": constructed local ESP/AH proposals for north-eastnets/0x2 (CREATE_CHILD_SA responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Sep 21 07:16:36.975786: | Comparing remote proposals against CREATE_CHILD_SA responder matching remote ESP/AH proposals 1 local proposals Sep 21 07:16:36.975793: | local proposal 1 type ENCR has 1 transforms Sep 21 07:16:36.975796: | local proposal 1 type PRF has 0 transforms Sep 21 07:16:36.975798: | local proposal 1 type INTEG has 1 transforms Sep 21 07:16:36.975801: | local proposal 1 type DH has 1 transforms Sep 21 07:16:36.975804: | local proposal 1 type ESN has 1 transforms Sep 21 07:16:36.975807: | local proposal 1 transforms: required: ENCR+INTEG+DH+ESN; optional: none Sep 21 07:16:36.975811: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:36.975813: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:36.975816: | length: 48 (0x30) Sep 21 07:16:36.975818: | prop #: 1 (0x1) Sep 21 07:16:36.975821: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:36.975823: | spi size: 4 (0x4) Sep 21 07:16:36.975826: | # transforms: 4 (0x4) Sep 21 07:16:36.975829: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:16:36.975832: | remote SPI a2 72 15 47 Sep 21 07:16:36.975835: | Comparing remote proposal 1 containing 4 transforms against local proposal [1..1] of 1 local proposals Sep 21 07:16:36.975841: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:36.975844: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:36.975846: | length: 12 (0xc) Sep 21 07:16:36.975849: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:36.975851: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:36.975854: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:36.975857: | af+type: 
AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:36.975859: | length/value: 128 (0x80) Sep 21 07:16:36.975864: | remote proposal 1 transform 0 (ENCR=AES_CBC_128) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:16:36.975867: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:36.975869: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:36.975872: | length: 8 (0x8) Sep 21 07:16:36.975874: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:36.975877: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:36.975881: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_512_256) matches local proposal 1 type 3 (INTEG) transform 0 Sep 21 07:16:36.975884: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:36.975886: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:36.975889: | length: 8 (0x8) Sep 21 07:16:36.975891: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:36.975894: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:36.975897: | remote proposal 1 transform 2 (DH=MODP3072) matches local proposal 1 type 4 (DH) transform 0 Sep 21 07:16:36.975900: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:36.975903: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:36.975905: | length: 8 (0x8) Sep 21 07:16:36.975908: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:36.975910: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:36.975914: | remote proposal 1 transform 3 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:16:36.975918: | remote proposal 1 proposed transforms: ENCR+INTEG+DH+ESN; matched: ENCR+INTEG+DH+ESN; unmatched: none Sep 21 07:16:36.975923: | comparing remote proposal 1 containing ENCR+INTEG+DH+ESN transforms to local proposal 1; required: ENCR+INTEG+DH+ESN; optional: none; matched: ENCR+INTEG+DH+ESN Sep 21 07:16:36.975926: | remote proposal 1 matches local proposal 1 Sep 21 07:16:36.975932: "north-eastnets/0x2" #2: proposal 
1:ESP:SPI=a2721547;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED[first-match] Sep 21 07:16:36.975937: | CREATE_CHILD_SA responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=a2721547;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Sep 21 07:16:36.975940: | converting proposal to internal trans attrs Sep 21 07:16:36.975945: | updating #4's .st_oakley with preserved PRF, but why update? Sep 21 07:16:36.975952: | Child SA TS Request has child->sa == md->st; so using child connection Sep 21 07:16:36.975955: | TSi: parsing 1 traffic selectors Sep 21 07:16:36.975958: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:36.975960: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:36.975963: | IP Protocol ID: 0 (0x0) Sep 21 07:16:36.975965: | length: 16 (0x10) Sep 21 07:16:36.975967: | start port: 0 (0x0) Sep 21 07:16:36.975970: | end port: 65535 (0xffff) Sep 21 07:16:36.975972: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:36.975975: | TS low c0 00 03 00 Sep 21 07:16:36.975978: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:36.975980: | TS high c0 00 03 ff Sep 21 07:16:36.975982: | TSi: parsed 1 traffic selectors Sep 21 07:16:36.975985: | TSr: parsing 1 traffic selectors Sep 21 07:16:36.975987: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:36.975990: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:36.975992: | IP Protocol ID: 0 (0x0) Sep 21 07:16:36.975994: | length: 16 (0x10) Sep 21 07:16:36.975998: | start port: 0 (0x0) Sep 21 07:16:36.976001: | end port: 65535 (0xffff) Sep 21 07:16:36.976003: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:36.976005: | TS low c0 00 16 00 Sep 21 07:16:36.976008: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:36.976010: | TS high c0 00 16 ff Sep 21 07:16:36.976012: | TSr: 
parsed 1 traffic selectors Sep 21 07:16:36.976015: | looking for best SPD in current connection Sep 21 07:16:36.976021: | evaluating our conn="north-eastnets/0x2" I=192.0.3.0/24:0:0/0 R=192.0.22.0/24:0:0/0 to their: Sep 21 07:16:36.976027: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:36.976033: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:16:36.976037: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:36.976039: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:36.976042: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:16:36.976046: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:36.976051: | TSr[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:36.976057: | match address end->client=192.0.22.0/24 == TSr[0]net=192.0.22.0-192.0.22.255: YES fitness 32 Sep 21 07:16:36.976060: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:16:36.976062: | TSr[0] port match: YES fitness 65536 Sep 21 07:16:36.976065: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:16:36.976068: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:36.976070: | best fit so far: TSi[0] TSr[0] Sep 21 07:16:36.976073: | found better spd route for TSi[0],TSr[0] Sep 21 07:16:36.976075: | looking for better host pair Sep 21 07:16:36.976080: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:16:36.976086: | checking hostpair 192.0.22.0/24:0 -> 192.0.3.0/24:0 is found Sep 21 07:16:36.976088: | investigating connection "north-eastnets/0x2" as a better match Sep 21 07:16:36.976092: | match_id a=@north Sep 21 07:16:36.976095: | b=@north Sep 21 07:16:36.976097: | results matched Sep 21 07:16:36.976102: | evaluating our conn="north-eastnets/0x2" I=192.0.3.0/24:0:0/0 R=192.0.22.0/24:0:0/0 to their: Sep 21 07:16:36.976107: | TSi[0] .net=192.0.3.0-192.0.3.255 
.iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:36.976113: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:16:36.976116: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:36.976119: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:36.976121: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:16:36.976124: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:36.976128: | TSr[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:36.976134: | match address end->client=192.0.22.0/24 == TSr[0]net=192.0.22.0-192.0.22.255: YES fitness 32 Sep 21 07:16:36.976137: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:16:36.976140: | TSr[0] port match: YES fitness 65536 Sep 21 07:16:36.976142: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:16:36.976145: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:36.976148: | best fit so far: TSi[0] TSr[0] Sep 21 07:16:36.976150: | investigating connection "north-eastnets/0x1" as a better match Sep 21 07:16:36.976153: | match_id a=@north Sep 21 07:16:36.976155: | b=@north Sep 21 07:16:36.976158: | results matched Sep 21 07:16:36.976163: | evaluating our conn="north-eastnets/0x1" I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:16:36.976167: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:36.976173: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:16:36.976178: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:36.976181: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:36.976183: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:16:36.976186: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:36.976191: | TSr[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:36.976197: | match address 
end->client=192.0.2.0/24 == TSr[0]net=192.0.22.0-192.0.22.255: NO Sep 21 07:16:36.976199: | did not find a better connection using host pair Sep 21 07:16:36.976202: | printing contents struct traffic_selector Sep 21 07:16:36.976204: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:16:36.976206: | ipprotoid: 0 Sep 21 07:16:36.976209: | port range: 0-65535 Sep 21 07:16:36.976212: | ip range: 192.0.22.0-192.0.22.255 Sep 21 07:16:36.976215: | printing contents struct traffic_selector Sep 21 07:16:36.976217: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:16:36.976219: | ipprotoid: 0 Sep 21 07:16:36.976221: | port range: 0-65535 Sep 21 07:16:36.976225: | ip range: 192.0.3.0-192.0.3.255 Sep 21 07:16:36.976229: | adding Child Responder KE and nonce nr work-order 4 for state #4 Sep 21 07:16:36.976233: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7fe420002b20 Sep 21 07:16:36.976237: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #4 Sep 21 07:16:36.976240: | libevent_malloc: new ptr-libevent@0x7fe420006900 size 128 Sep 21 07:16:36.976251: | #4 spent 0.491 milliseconds in processing: Respond to CREATE_CHILD_SA IPsec SA Request in ikev2_process_state_packet() Sep 21 07:16:36.976258: | suspend processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:36.976262: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:36.976266: | #4 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_SUSPEND Sep 21 07:16:36.976268: | suspending state #4 and saving MD Sep 21 07:16:36.976271: | #4 is busy; has a suspended MD Sep 21 07:16:36.976275: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:36.976279: | "north-eastnets/0x2" #4 complete v2 state STATE_V2_CREATE_R transition with STF_SUSPEND suspended 
from complete_v2_state_transition:3448 Sep 21 07:16:36.976283: | stop processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:36.976288: | #2 spent 1.04 milliseconds in ikev2_process_packet() Sep 21 07:16:36.976292: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:16:36.976295: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:36.976298: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:36.976302: | spent 1.06 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:36.976316: | crypto helper 2 resuming Sep 21 07:16:36.976321: | crypto helper 2 starting work-order 4 for state #4 Sep 21 07:16:36.976325: | crypto helper 2 doing build KE and nonce (Child Responder KE and nonce nr); request ID 4 Sep 21 07:16:36.978565: | crypto helper 2 finished build KE and nonce (Child Responder KE and nonce nr); request ID 4 time elapsed 0.002239 seconds Sep 21 07:16:36.978575: | (#4) spent 2.22 milliseconds in crypto helper computing work-order 4: Child Responder KE and nonce nr (pcr) Sep 21 07:16:36.978579: | crypto helper 2 sending results from work-order 4 for state #4 to event queue Sep 21 07:16:36.978582: | scheduling resume sending helper answer for #4 Sep 21 07:16:36.978585: | libevent_malloc: new ptr-libevent@0x7fe410005780 size 128 Sep 21 07:16:36.978588: | libevent_realloc: release ptr-libevent@0x559ca629b790 Sep 21 07:16:36.978594: | libevent_realloc: new ptr-libevent@0x559ca6242c50 size 128 Sep 21 07:16:36.978602: | crypto helper 2 waiting (nothing to do) Sep 21 07:16:36.978614: | processing resume sending helper answer for #4 Sep 21 07:16:36.978624: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:16:36.978628: | crypto helper 2 replies to request ID 4 Sep 21 07:16:36.978631: | calling continuation function 
0x559ca5d50630 Sep 21 07:16:36.978634: | ikev2_child_inIoutR_continue for #4 STATE_V2_CREATE_R Sep 21 07:16:36.978639: | adding DHv2 for child sa work-order 5 for state #4 Sep 21 07:16:36.978641: | state #4 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:36.978645: | libevent_free: release ptr-libevent@0x7fe420006900 Sep 21 07:16:36.978648: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7fe420002b20 Sep 21 07:16:36.978650: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7fe420002b20 Sep 21 07:16:36.978654: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #4 Sep 21 07:16:36.978657: | libevent_malloc: new ptr-libevent@0x7fe420006900 size 128 Sep 21 07:16:36.978667: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:36.978670: | #4 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_SUSPEND Sep 21 07:16:36.978673: | suspending state #4 and saving MD Sep 21 07:16:36.978675: | #4 is busy; has a suspended MD Sep 21 07:16:36.978680: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:36.978679: | crypto helper 4 resuming Sep 21 07:16:36.978685: | "north-eastnets/0x2" #4 complete v2 state STATE_V2_CREATE_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:36.978701: | resume sending helper answer for #4 suppresed complete_v2_state_transition() and stole MD Sep 21 07:16:36.978707: | #4 spent 0.0729 milliseconds in resume sending helper answer Sep 21 07:16:36.978711: | stop processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:16:36.978714: | libevent_free: release ptr-libevent@0x7fe410005780 Sep 21 07:16:36.978694: | crypto helper 4 starting work-order 5 for state #4 Sep 21 07:16:36.978724: | crypto helper 4 doing crypto (DHv2 for 
child sa); request ID 5 Sep 21 07:16:36.981231: | crypto helper 4 finished crypto (DHv2 for child sa); request ID 5 time elapsed 0.002507 seconds Sep 21 07:16:36.981241: | (#4) spent 2.48 milliseconds in crypto helper computing work-order 5: DHv2 for child sa (dh) Sep 21 07:16:36.981245: | crypto helper 4 sending results from work-order 5 for state #4 to event queue Sep 21 07:16:36.981247: | scheduling resume sending helper answer for #4 Sep 21 07:16:36.981250: | libevent_malloc: new ptr-libevent@0x7fe414001100 size 128 Sep 21 07:16:36.981258: | crypto helper 4 waiting (nothing to do) Sep 21 07:16:36.981654: | processing resume sending helper answer for #4 Sep 21 07:16:36.981663: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:16:36.981667: | crypto helper 4 replies to request ID 5 Sep 21 07:16:36.981670: | calling continuation function 0x559ca5d514f0 Sep 21 07:16:36.981673: | ikev2_child_inIoutR_continue_continue for #4 STATE_V2_CREATE_R Sep 21 07:16:36.981678: | **emit ISAKMP Message: Sep 21 07:16:36.981681: | initiator cookie: Sep 21 07:16:36.981683: | 37 34 b6 02 ea fb 65 7e Sep 21 07:16:36.981686: | responder cookie: Sep 21 07:16:36.981688: | 41 58 a7 32 16 4b 4c eb Sep 21 07:16:36.981690: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:36.981693: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:36.981696: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Sep 21 07:16:36.981698: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:16:36.981701: | Message ID: 2 (0x2) Sep 21 07:16:36.981707: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:36.981710: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:36.981712: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:36.981715: | flags: none (0x0) Sep 21 07:16:36.981717: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to 
current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:36.981720: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:16:36.981723: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:36.981747: | netlink_get_spi: allocated 0x4e78290b for esp.0@192.1.2.23 Sep 21 07:16:36.981750: | Emitting ikev2_proposal ... Sep 21 07:16:36.981752: | ****emit IKEv2 Security Association Payload: Sep 21 07:16:36.981754: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:36.981757: | flags: none (0x0) Sep 21 07:16:36.981760: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:36.981762: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:36.981765: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:36.981767: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:36.981769: | prop #: 1 (0x1) Sep 21 07:16:36.981772: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:36.981774: | spi size: 4 (0x4) Sep 21 07:16:36.981776: | # transforms: 4 (0x4) Sep 21 07:16:36.981779: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:36.981782: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:16:36.981790: | our spi 4e 78 29 0b Sep 21 07:16:36.981793: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:36.981795: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:36.981798: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:36.981800: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:36.981803: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:36.981806: | 
*******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:36.981808: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:36.981810: | length/value: 128 (0x80) Sep 21 07:16:36.981813: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:16:36.981815: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:36.981818: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:36.981820: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:36.981822: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:36.981825: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:36.981828: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:36.981830: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:36.981832: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:36.981835: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:36.981837: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:36.981839: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:36.981842: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:36.981844: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:36.981847: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:36.981851: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:36.981853: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:36.981855: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:36.981858: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:36.981860: | last substructure: checking 
'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:36.981863: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:36.981865: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:36.981867: | emitting length of IKEv2 Proposal Substructure Payload: 48 Sep 21 07:16:36.981870: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:16:36.981872: | emitting length of IKEv2 Security Association Payload: 52 Sep 21 07:16:36.981875: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:36.981877: | ****emit IKEv2 Nonce Payload: Sep 21 07:16:36.981879: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:36.981881: | flags: none (0x0) Sep 21 07:16:36.981884: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:16:36.981887: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:16:36.981890: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:16:36.981892: | IKEv2 nonce 3d ad 57 a3 7f bd 51 c0 bb 06 1b f1 6b d8 6d 74 Sep 21 07:16:36.981894: | IKEv2 nonce 05 bc 41 f5 5b ae 52 63 f2 74 87 c9 a6 58 67 38 Sep 21 07:16:36.981897: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:16:36.981899: | ****emit IKEv2 Key Exchange Payload: Sep 21 07:16:36.981901: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:36.981904: | flags: none (0x0) Sep 21 07:16:36.981906: | DH group: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:36.981909: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Key 
Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 07:16:36.981911: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:16:36.981914: | emitting 384 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
Sep 21 07:16:36.981968: | emitting length of IKEv2 Key Exchange Payload: 392 Sep 21 07:16:36.981971: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:16:36.981973: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:36.981975: | flags: none (0x0) Sep 21 07:16:36.981977: | number of TS: 1 (0x1) Sep 21 07:16:36.981980: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:16:36.981983: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:36.981985: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:36.981987: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:36.981990: | IP Protocol ID: 0 (0x0) Sep 21 07:16:36.981992: | start port: 0 (0x0) Sep 21 07:16:36.981994: | end port: 65535 (0xffff) Sep 21 07:16:36.981997: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:16:36.981999: | IP start c0 00 03 00 Sep 21 07:16:36.982002: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:36.982004: | IP end c0 00 03 ff Sep 21 07:16:36.982007: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:36.982009: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:16:36.982011: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:36.982014: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:36.982016: | flags: none (0x0) Sep 21 07:16:36.982018: | number of TS: 1 (0x1) Sep 21 07:16:36.982021: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next
payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:16:36.982023: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:36.982026: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:36.982028: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:36.982030: | IP Protocol ID: 0 (0x0) Sep 21 07:16:36.982032: | start port: 0 (0x0) Sep 21 07:16:36.982034: | end port: 65535 (0xffff) Sep 21 07:16:36.982037: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:16:36.982039: | IP start c0 00 16 00 Sep 21 07:16:36.982041: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:36.982043: | IP end c0 00 16 ff Sep 21 07:16:36.982046: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:36.982048: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:16:36.982050: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:16:36.982054: | integ=sha2_512: .key_size=64 encrypt=aes: .key_size=16 .salt_size=0 keymat_len=80 Sep 21 07:16:36.982447: | install_ipsec_sa() for #4: inbound and outbound Sep 21 07:16:36.982454: | could_route called for north-eastnets/0x2 (kind=CK_PERMANENT) Sep 21 07:16:36.982456: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:16:36.982459: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:36.982462: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:36.982464: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:36.982467: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:36.982474: | route owner of "north-eastnets/0x2" prospective erouted: "north-eastnets/0x1" erouted; eroute owner: self Sep 21 07:16:36.982477: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Sep 21 07:16:36.982480: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Sep 21 07:16:36.982483: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Sep 21 07:16:36.982487: | setting IPsec SA replay-window to 32 Sep 21 07:16:36.982490: | NIC esp-hw-offload not for connection 'north-eastnets/0x2' not available on interface eth1 Sep 21 07:16:36.982493: | netlink: enabling tunnel mode Sep 21 07:16:36.982495: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:16:36.982498: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:16:36.982584: | netlink response for Add SA esp.a2721547@192.1.3.33 included non-error error Sep 21 07:16:36.982588: | set up outgoing SA, ref=0/0 Sep 21 07:16:36.982590: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Sep 21 07:16:36.982593: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Sep 21 07:16:36.982596: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Sep 21 07:16:36.982599: | setting IPsec SA replay-window to 32 Sep 21 07:16:36.982601: | NIC esp-hw-offload not for connection 'north-eastnets/0x2' not available on interface eth1 Sep 21 07:16:36.982604: | netlink: enabling tunnel mode Sep 21 07:16:36.982606: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:16:36.982608: | netlink: esp-hw-offload not set for 
IPsec SA Sep 21 07:16:36.982656: | netlink response for Add SA esp.4e78290b@192.1.2.23 included non-error error Sep 21 07:16:36.982660: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:36.982667: | add inbound eroute 192.0.3.0/24:0 --0-> 192.0.22.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Sep 21 07:16:36.982670: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:36.982713: | raw_eroute result=success Sep 21 07:16:36.982716: | set up incoming SA, ref=0/0 Sep 21 07:16:36.982718: | sr for #4: prospective erouted Sep 21 07:16:36.982721: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:16:36.982723: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:16:36.982726: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:36.982728: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:36.982731: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:36.982733: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:36.982737: | route owner of "north-eastnets/0x2" prospective erouted: "north-eastnets/0x1" erouted; eroute owner: self Sep 21 07:16:36.982741: | route_and_eroute with c: north-eastnets/0x2 (next: none) ero:north-eastnets/0x2 esr:{(nil)} ro:north-eastnets/0x1 rosr:{0x559ca62b9370} and state: #4 Sep 21 07:16:36.982743: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:36.982751: | eroute_connection replace eroute 192.0.22.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33>tun.0@192.1.3.33 (raw_eroute) Sep 21 07:16:36.982753: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:36.982775: | raw_eroute result=success Sep 21 07:16:36.982778: | running updown command "ipsec _updown" for verb up Sep 21 07:16:36.982781: | command executing up-client Sep 21 07:16:36.982843: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' 
PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.22.0/24' PLUTO_MY_CLIENT_NET='192.0.22.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xa2 Sep 21 07:16:36.982853: | popen cmd is 1040 chars long Sep 21 07:16:36.982856: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2': Sep 21 07:16:36.982858: | cmd( 80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_: Sep 21 07:16:36.982861: | cmd( 160):MY_ID='@east' PLUTO_MY_CLIENT='192.0.22.0/24' PLUTO_MY_CLIENT_NET='192.0.22.0' P: Sep 21 07:16:36.982863: | cmd( 240):LUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUT: Sep 21 07:16:36.982866: | cmd( 320):O_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@n: Sep 21 07:16:36.982868: | cmd( 400):orth' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_P: Sep 21 07:16:36.982871: | cmd( 480):EER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUT: Sep 21 07:16:36.982873: | cmd( 560):O_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+EN: Sep 21 07:16:36.982876: | cmd( 640):CRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND=: Sep 21 
07:16:36.982878: | cmd( 720):'CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO=': Sep 21 07:16:36.982880: | cmd( 800):0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_C: Sep 21 07:16:36.982883: | cmd( 880):FG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUT: Sep 21 07:16:36.982886: | cmd( 960):ING='no' VTI_SHARED='no' SPI_IN=0xa2721547 SPI_OUT=0x4e78290b ipsec _updown 2>&1: Sep 21 07:16:37.008172: | route_and_eroute: firewall_notified: true Sep 21 07:16:37.008193: | route_and_eroute: instance "north-eastnets/0x2", setting eroute_owner {spd=0x559ca62ba5c0,sr=0x559ca62ba5c0} to #4 (was #0) (newest_ipsec_sa=#0) Sep 21 07:16:37.008264: | #2 spent 0.538 milliseconds in install_ipsec_sa() Sep 21 07:16:37.008272: | ISAKMP_v2_CREATE_CHILD_SA: instance north-eastnets/0x2[0], setting IKEv2 newest_ipsec_sa to #4 (was #0) (spd.eroute=#4) cloned from #2 Sep 21 07:16:37.008275: | adding 16 bytes of padding (including 1 byte padding-length) Sep 21 07:16:37.008280: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:37.008284: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:37.008287: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:37.008291: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:37.008295: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:37.008298: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:37.008301: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:37.008305: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:37.008308: | emitting 1 0x08 repeated bytes of padding and length into IKEv2 
Encryption Payload Sep 21 07:16:37.008312: | emitting 1 0x09 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:37.008316: | emitting 1 0x0a repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:37.008319: | emitting 1 0x0b repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:37.008323: | emitting 1 0x0c repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:37.008327: | emitting 1 0x0d repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:37.008334: | emitting 1 0x0e repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:37.008338: | emitting 1 0x0f repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:37.008342: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:37.008345: | emitting length of IKEv2 Encryption Payload: 580 Sep 21 07:16:37.008348: | emitting length of ISAKMP Message: 608 Sep 21 07:16:37.008397: | data being hmac: 37 34 b6 02 ea fb 65 7e 41 58 a7 32 16 4b 4c eb Sep 21 07:16:37.008403: | data being hmac: 2e 20 24 20 00 00 00 02 00 00 02 60 21 00 02 44 Sep 21 07:16:37.008409: | data being hmac: ca 75 2b 55 a9 ab c1 ac 95 27 dd d1 67 88 cb 90 Sep 21 07:16:37.008412: | data being hmac: bf 24 c9 d2 73 35 48 5f 6b b2 94 c4 0b 2e 77 54 Sep 21 07:16:37.008415: | data being hmac: d4 c6 77 75 19 5f fd f7 70 eb 56 fa 6b a6 b8 0c Sep 21 07:16:37.008418: | data being hmac: 1b 50 a5 13 75 59 70 11 d0 98 18 df ea d0 a3 a8 Sep 21 07:16:37.008421: | data being hmac: 07 e1 73 5b f3 99 1e b4 a3 49 b1 ed b7 67 28 e5 Sep 21 07:16:37.008424: | data being hmac: af 68 b7 d1 2d ee c4 5f aa 10 0d 86 06 90 eb 61 Sep 21 07:16:37.008427: | data being hmac: 05 2b 35 4b cf 4e f5 4b 19 b7 ee 9e 4e 06 bf f9 Sep 21 07:16:37.008429: | data being hmac: a9 22 80 87 8a 47 3f c5 b0 9c c1 f0 d4 55 7e 69 Sep 21 07:16:37.008432: | data being hmac: 2f 6f 53 62 
21 68 8f db a4 d1 09 42 cd cc 56 61 Sep 21 07:16:37.008435: | data being hmac: c5 0c a8 9f 41 89 ea 34 12 07 c6 2f d1 09 e7 3d Sep 21 07:16:37.008438: | data being hmac: 89 74 ca 94 d5 93 f4 78 cf 1d 5f bc 9f d4 ab 51 Sep 21 07:16:37.008441: | data being hmac: 5b 8e 84 e4 44 83 3a 55 c3 c1 e9 cc 54 b8 7b a7 Sep 21 07:16:37.008444: | data being hmac: a0 19 77 35 a5 5d 45 8c d6 95 98 40 6e 7e f1 fa Sep 21 07:16:37.008447: | data being hmac: e5 b5 df 20 b9 55 a5 ee be d1 16 a8 8d 44 d7 d0 Sep 21 07:16:37.008449: | data being hmac: a0 1e 39 c2 a5 08 26 7e 0f 89 1b ab 49 c1 ba 3c Sep 21 07:16:37.008452: | data being hmac: 36 81 e9 5e d0 98 85 07 41 a6 13 ae 6c f7 88 32 Sep 21 07:16:37.008455: | data being hmac: 67 cb da 36 c4 47 ac 6b 42 38 ad e8 fd 20 c9 ab Sep 21 07:16:37.008458: | data being hmac: 62 d8 69 26 a2 51 08 c1 c1 4d f5 83 f5 93 e6 d8 Sep 21 07:16:37.008461: | data being hmac: 52 66 ab 90 66 68 5e f6 02 b0 ee 18 39 56 1d a9 Sep 21 07:16:37.008464: | data being hmac: 32 7f f3 31 8e ad 27 a4 ba 89 d5 2b d9 f8 94 3d Sep 21 07:16:37.008467: | data being hmac: 5b fd 47 e9 d0 6e fa e8 8b 47 58 89 14 54 9d d6 Sep 21 07:16:37.008470: | data being hmac: 16 58 1b 6f 02 72 50 9d df 94 d3 9e d2 06 9c f9 Sep 21 07:16:37.008472: | data being hmac: e3 f6 b9 64 6f 80 ab e4 5e 6c e8 f9 8e 97 57 89 Sep 21 07:16:37.008475: | data being hmac: a6 24 b1 d8 9d f9 1f 78 af 6d b4 76 2c 25 03 e8 Sep 21 07:16:37.008478: | data being hmac: da c8 90 64 b0 4e 2d a8 dc e1 5b b3 fe 9d e0 54 Sep 21 07:16:37.008480: | data being hmac: 64 66 a4 07 dc 0b 4f 57 67 ed ca 1b 1c d4 da 04 Sep 21 07:16:37.008483: | data being hmac: 7e 36 a5 08 2c 92 62 57 34 95 dd 50 d6 36 2f b9 Sep 21 07:16:37.008486: | data being hmac: d7 8e 31 90 89 28 51 f0 ec d1 d1 65 82 5a 37 77 Sep 21 07:16:37.008489: | data being hmac: 16 01 87 97 c5 bc 62 5f b0 93 3b 08 1f 70 1d b1 Sep 21 07:16:37.008492: | data being hmac: 7f f5 8f 06 8a 5c 1d 5c 9f c5 2c 71 9b 03 c3 a7 Sep 21 07:16:37.008495: | data being hmac: b3 ec 4b 
33 70 b1 a5 a1 6a 08 0a c5 f7 a3 61 f2 Sep 21 07:16:37.008498: | data being hmac: 54 12 35 b6 98 33 ea e3 48 6f 02 65 03 d5 68 ca Sep 21 07:16:37.008500: | data being hmac: aa 33 07 a9 bd 35 ba 4a 6c 5d 83 8e 6e d4 ca f7 Sep 21 07:16:37.008503: | data being hmac: 67 a9 69 26 d2 a1 00 eb 91 30 0c 04 76 40 5b 02 Sep 21 07:16:37.008506: | data being hmac: 07 0e 4f b6 ca bc ff 4c 44 6d f1 ee 50 02 5a 13 Sep 21 07:16:37.008508: | out calculated auth: Sep 21 07:16:37.008513: | e0 a9 e8 80 28 ef 2a 15 d1 52 e2 08 06 c5 e7 b7 Sep 21 07:16:37.008523: "north-eastnets/0x2" #4: negotiated new IPsec SA [192.0.22.0-192.0.22.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Sep 21 07:16:37.008532: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:37.008538: | #4 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_OK Sep 21 07:16:37.008542: | IKEv2: transition from state STATE_V2_CREATE_R to state STATE_V2_IPSEC_R Sep 21 07:16:37.008546: | child state #4: V2_CREATE_R(established IKE SA) => V2_IPSEC_R(established CHILD SA) Sep 21 07:16:37.008549: | Message ID: updating counters for #4 to 2 after switching state Sep 21 07:16:37.008556: | Message ID: recv #2.#4 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1->2; child: wip.initiator=-1 wip.responder=2->-1 Sep 21 07:16:37.008562: | Message ID: sent #2.#4 response 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1->2 responder.recv=2; child: wip.initiator=-1 wip.responder=-1 Sep 21 07:16:37.008566: | pstats #4 ikev2.child established Sep 21 07:16:37.008573: "north-eastnets/0x2" #4: negotiated connection [192.0.22.0-192.0.22.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Sep 21 07:16:37.008578: | NAT-T: encaps is 'auto' Sep 21 07:16:37.008583: "north-eastnets/0x2" #4: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0xa2721547 <0x4e78290b 
xfrm=AES_CBC_128-HMAC_SHA2_512_256-MODP3072 NATOA=none NATD=none DPD=passive} Sep 21 07:16:37.008589: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:16:37.008596: | sending 608 bytes for STATE_V2_CREATE_R through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #2) Sep 21 07:16:37.008600: | 37 34 b6 02 ea fb 65 7e 41 58 a7 32 16 4b 4c eb Sep 21 07:16:37.008603: | 2e 20 24 20 00 00 00 02 00 00 02 60 21 00 02 44 Sep 21 07:16:37.008606: | ca 75 2b 55 a9 ab c1 ac 95 27 dd d1 67 88 cb 90 Sep 21 07:16:37.008609: | bf 24 c9 d2 73 35 48 5f 6b b2 94 c4 0b 2e 77 54 Sep 21 07:16:37.008612: | d4 c6 77 75 19 5f fd f7 70 eb 56 fa 6b a6 b8 0c Sep 21 07:16:37.008614: | 1b 50 a5 13 75 59 70 11 d0 98 18 df ea d0 a3 a8 Sep 21 07:16:37.008617: | 07 e1 73 5b f3 99 1e b4 a3 49 b1 ed b7 67 28 e5 Sep 21 07:16:37.008620: | af 68 b7 d1 2d ee c4 5f aa 10 0d 86 06 90 eb 61 Sep 21 07:16:37.008623: | 05 2b 35 4b cf 4e f5 4b 19 b7 ee 9e 4e 06 bf f9 Sep 21 07:16:37.008625: | a9 22 80 87 8a 47 3f c5 b0 9c c1 f0 d4 55 7e 69 Sep 21 07:16:37.008629: | 2f 6f 53 62 21 68 8f db a4 d1 09 42 cd cc 56 61 Sep 21 07:16:37.008632: | c5 0c a8 9f 41 89 ea 34 12 07 c6 2f d1 09 e7 3d Sep 21 07:16:37.008635: | 89 74 ca 94 d5 93 f4 78 cf 1d 5f bc 9f d4 ab 51 Sep 21 07:16:37.008638: | 5b 8e 84 e4 44 83 3a 55 c3 c1 e9 cc 54 b8 7b a7 Sep 21 07:16:37.008641: | a0 19 77 35 a5 5d 45 8c d6 95 98 40 6e 7e f1 fa Sep 21 07:16:37.008644: | e5 b5 df 20 b9 55 a5 ee be d1 16 a8 8d 44 d7 d0 Sep 21 07:16:37.008646: | a0 1e 39 c2 a5 08 26 7e 0f 89 1b ab 49 c1 ba 3c Sep 21 07:16:37.008649: | 36 81 e9 5e d0 98 85 07 41 a6 13 ae 6c f7 88 32 Sep 21 07:16:37.008652: | 67 cb da 36 c4 47 ac 6b 42 38 ad e8 fd 20 c9 ab Sep 21 07:16:37.008655: | 62 d8 69 26 a2 51 08 c1 c1 4d f5 83 f5 93 e6 d8 Sep 21 07:16:37.008658: | 52 66 ab 90 66 68 5e f6 02 b0 ee 18 39 56 1d a9 Sep 21 07:16:37.008661: | 32 7f f3 31 8e ad 27 a4 ba 89 d5 2b d9 f8 94 3d Sep 21 07:16:37.008663: | 5b fd 47 e9 d0 6e fa e8 8b 47 58 89 14 54 
9d d6 Sep 21 07:16:37.008666: | 16 58 1b 6f 02 72 50 9d df 94 d3 9e d2 06 9c f9 Sep 21 07:16:37.008669: | e3 f6 b9 64 6f 80 ab e4 5e 6c e8 f9 8e 97 57 89 Sep 21 07:16:37.008672: | a6 24 b1 d8 9d f9 1f 78 af 6d b4 76 2c 25 03 e8 Sep 21 07:16:37.008674: | da c8 90 64 b0 4e 2d a8 dc e1 5b b3 fe 9d e0 54 Sep 21 07:16:37.008677: | 64 66 a4 07 dc 0b 4f 57 67 ed ca 1b 1c d4 da 04 Sep 21 07:16:37.008680: | 7e 36 a5 08 2c 92 62 57 34 95 dd 50 d6 36 2f b9 Sep 21 07:16:37.008685: | d7 8e 31 90 89 28 51 f0 ec d1 d1 65 82 5a 37 77 Sep 21 07:16:37.008688: | 16 01 87 97 c5 bc 62 5f b0 93 3b 08 1f 70 1d b1 Sep 21 07:16:37.008691: | 7f f5 8f 06 8a 5c 1d 5c 9f c5 2c 71 9b 03 c3 a7 Sep 21 07:16:37.008694: | b3 ec 4b 33 70 b1 a5 a1 6a 08 0a c5 f7 a3 61 f2 Sep 21 07:16:37.008697: | 54 12 35 b6 98 33 ea e3 48 6f 02 65 03 d5 68 ca Sep 21 07:16:37.008700: | aa 33 07 a9 bd 35 ba 4a 6c 5d 83 8e 6e d4 ca f7 Sep 21 07:16:37.008703: | 67 a9 69 26 d2 a1 00 eb 91 30 0c 04 76 40 5b 02 Sep 21 07:16:37.008705: | 07 0e 4f b6 ca bc ff 4c 44 6d f1 ee 50 02 5a 13 Sep 21 07:16:37.008708: | e0 a9 e8 80 28 ef 2a 15 d1 52 e2 08 06 c5 e7 b7 Sep 21 07:16:37.008736: | releasing whack for #4 (sock=fd@-1) Sep 21 07:16:37.008740: | releasing whack and unpending for parent #2 Sep 21 07:16:37.008744: | unpending state #2 connection "north-eastnets/0x2" Sep 21 07:16:37.008749: | #4 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:16:37.008753: | state #4 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:37.008759: | libevent_free: release ptr-libevent@0x7fe420006900 Sep 21 07:16:37.008765: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7fe420002b20 Sep 21 07:16:37.008767: | event_schedule: new EVENT_SA_REKEY-pe@0x7fe420002b20 Sep 21 07:16:37.008771: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #4 Sep 21 07:16:37.008774: | libevent_malloc: new ptr-libevent@0x7fe420006900 size 128 Sep 21 07:16:37.008782: | #4 spent 1.76 milliseconds in 
resume sending helper answer Sep 21 07:16:37.008794: | stop processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:16:37.008797: | libevent_free: release ptr-libevent@0x7fe414001100 Sep 21 07:16:37.008809: | processing signal PLUTO_SIGCHLD Sep 21 07:16:37.008815: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:37.008819: | spent 0.00553 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:50.159821: | processing global timer EVENT_SHUNT_SCAN Sep 21 07:16:50.159832: | expiring aged bare shunts from shunt table Sep 21 07:16:50.159837: | spent 0.00368 milliseconds in global timer EVENT_SHUNT_SCAN