Sep 21 07:16:30.621425: FIPS Product: YES Sep 21 07:16:30.621463: FIPS Kernel: NO Sep 21 07:16:30.621466: FIPS Mode: NO Sep 21 07:16:30.621468: NSS DB directory: sql:/etc/ipsec.d Sep 21 07:16:30.621617: Initializing NSS Sep 21 07:16:30.621621: Opening NSS database "sql:/etc/ipsec.d" read-only Sep 21 07:16:30.655147: NSS initialized Sep 21 07:16:30.655158: NSS crypto library initialized Sep 21 07:16:30.655161: FIPS HMAC integrity support [enabled] Sep 21 07:16:30.655163: FIPS mode disabled for pluto daemon Sep 21 07:16:30.698777: FIPS HMAC integrity verification self-test FAILED Sep 21 07:16:30.698882: libcap-ng support [enabled] Sep 21 07:16:30.698891: Linux audit support [enabled] Sep 21 07:16:30.698915: Linux audit activated Sep 21 07:16:30.698921: Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:12244 Sep 21 07:16:30.698923: core dump dir: /tmp Sep 21 07:16:30.698924: secrets file: /etc/ipsec.secrets Sep 21 07:16:30.698925: leak-detective disabled Sep 21 07:16:30.698926: NSS crypto [enabled] Sep 21 07:16:30.698928: XAUTH PAM support [enabled] Sep 21 07:16:30.698982: | libevent is using pluto's memory allocator Sep 21 07:16:30.698986: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Sep 21 07:16:30.698998: | libevent_malloc: new ptr-libevent@0x5621a1386090 size 40 Sep 21 07:16:30.699000: | libevent_malloc: new ptr-libevent@0x5621a1387340 size 40 Sep 21 07:16:30.699002: | libevent_malloc: new ptr-libevent@0x5621a1387370 size 40 Sep 21 07:16:30.699004: | creating event base Sep 21 07:16:30.699005: | libevent_malloc: new ptr-libevent@0x5621a1387300 size 56 Sep 21 07:16:30.699007: | libevent_malloc: new ptr-libevent@0x5621a13873a0 size 664 Sep 21 07:16:30.699016: | libevent_malloc: new 
ptr-libevent@0x5621a1387640 size 24 Sep 21 07:16:30.699020: | libevent_malloc: new ptr-libevent@0x5621a1378e10 size 384 Sep 21 07:16:30.699028: | libevent_malloc: new ptr-libevent@0x5621a1387660 size 16 Sep 21 07:16:30.699030: | libevent_malloc: new ptr-libevent@0x5621a1387680 size 40 Sep 21 07:16:30.699032: | libevent_malloc: new ptr-libevent@0x5621a13876b0 size 48 Sep 21 07:16:30.699036: | libevent_realloc: new ptr-libevent@0x5621a1309370 size 256 Sep 21 07:16:30.699038: | libevent_malloc: new ptr-libevent@0x5621a13876f0 size 16 Sep 21 07:16:30.699042: | libevent_free: release ptr-libevent@0x5621a1387300 Sep 21 07:16:30.699044: | libevent initialized Sep 21 07:16:30.699046: | libevent_realloc: new ptr-libevent@0x5621a1387710 size 64 Sep 21 07:16:30.699049: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Sep 21 07:16:30.699062: | init_nat_traversal() initialized with keep_alive=0s Sep 21 07:16:30.699063: NAT-Traversal support [enabled] Sep 21 07:16:30.699065: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Sep 21 07:16:30.699069: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Sep 21 07:16:30.699071: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Sep 21 07:16:30.699099: | global one-shot timer EVENT_REVIVE_CONNS initialized Sep 21 07:16:30.699101: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Sep 21 07:16:30.699103: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Sep 21 07:16:30.699139: Encryption algorithms: Sep 21 07:16:30.699146: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c Sep 21 07:16:30.699149: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b Sep 21 07:16:30.699151: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a Sep 21 07:16:30.699153: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des Sep 21 07:16:30.699155: CAMELLIA_CTR IKEv1: ESP 
IKEv2: ESP {256,192,*128} Sep 21 07:16:30.699162: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia Sep 21 07:16:30.699164: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c Sep 21 07:16:30.699166: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b Sep 21 07:16:30.699168: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a Sep 21 07:16:30.699170: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr Sep 21 07:16:30.699172: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes Sep 21 07:16:30.699174: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent Sep 21 07:16:30.699176: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish Sep 21 07:16:30.699179: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh Sep 21 07:16:30.699181: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Sep 21 07:16:30.699182: NULL IKEv1: ESP IKEv2: ESP [] Sep 21 07:16:30.699184: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Sep 21 07:16:30.699189: Hash algorithms: Sep 21 07:16:30.699191: MD5 IKEv1: IKE IKEv2: Sep 21 07:16:30.699193: SHA1 IKEv1: IKE IKEv2: FIPS sha Sep 21 07:16:30.699195: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 Sep 21 07:16:30.699196: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 Sep 21 07:16:30.699198: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 Sep 21 07:16:30.699206: PRF algorithms: Sep 21 07:16:30.699208: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 Sep 21 07:16:30.699210: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 Sep 21 07:16:30.699212: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 Sep 21 07:16:30.699214: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 Sep 21 07:16:30.699215: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Sep 21 07:16:30.699217: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Sep 21 07:16:30.699231: Integrity algorithms: Sep 21 07:16:30.699233: HMAC_MD5_96 IKEv1: IKE ESP 
AH IKEv2: IKE ESP AH md5, hmac_md5 Sep 21 07:16:30.699235: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 Sep 21 07:16:30.699238: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Sep 21 07:16:30.699240: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Sep 21 07:16:30.699242: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Sep 21 07:16:30.699244: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Sep 21 07:16:30.699246: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 Sep 21 07:16:30.699248: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Sep 21 07:16:30.699249: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Sep 21 07:16:30.699257: DH algorithms: Sep 21 07:16:30.699259: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 Sep 21 07:16:30.699260: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 Sep 21 07:16:30.699262: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 Sep 21 07:16:30.699265: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 Sep 21 07:16:30.699267: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 Sep 21 07:16:30.699269: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 Sep 21 07:16:30.699270: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 Sep 21 07:16:30.699272: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 Sep 21 07:16:30.699274: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 Sep 21 07:16:30.699276: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 Sep 21 07:16:30.699278: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 Sep 21 07:16:30.699279: testing CAMELLIA_CBC: Sep 21 07:16:30.699281: Camellia: 16 bytes with 128-bit key Sep 21 07:16:30.699366: Camellia: 16 bytes with 128-bit key Sep 21 07:16:30.699384: Camellia: 16 bytes with 256-bit key Sep 21 07:16:30.699401: Camellia: 
16 bytes with 256-bit key Sep 21 07:16:30.699418: testing AES_GCM_16: Sep 21 07:16:30.699420: empty string Sep 21 07:16:30.699437: one block Sep 21 07:16:30.699452: two blocks Sep 21 07:16:30.699467: two blocks with associated data Sep 21 07:16:30.699483: testing AES_CTR: Sep 21 07:16:30.699484: Encrypting 16 octets using AES-CTR with 128-bit key Sep 21 07:16:30.699500: Encrypting 32 octets using AES-CTR with 128-bit key Sep 21 07:16:30.699516: Encrypting 36 octets using AES-CTR with 128-bit key Sep 21 07:16:30.699533: Encrypting 16 octets using AES-CTR with 192-bit key Sep 21 07:16:30.699547: Encrypting 32 octets using AES-CTR with 192-bit key Sep 21 07:16:30.699563: Encrypting 36 octets using AES-CTR with 192-bit key Sep 21 07:16:30.699579: Encrypting 16 octets using AES-CTR with 256-bit key Sep 21 07:16:30.699595: Encrypting 32 octets using AES-CTR with 256-bit key Sep 21 07:16:30.699610: Encrypting 36 octets using AES-CTR with 256-bit key Sep 21 07:16:30.699626: testing AES_CBC: Sep 21 07:16:30.699628: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Sep 21 07:16:30.699643: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Sep 21 07:16:30.699660: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Sep 21 07:16:30.699677: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Sep 21 07:16:30.699696: testing AES_XCBC: Sep 21 07:16:30.699698: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Sep 21 07:16:30.699793: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Sep 21 07:16:30.699917: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Sep 21 07:16:30.699999: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Sep 21 07:16:30.700081: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Sep 21 07:16:30.700162: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Sep 21 07:16:30.700238: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Sep 21 07:16:30.700405: RFC 4434 Test Case 
AES-XCBC-PRF-128 with 20-byte input (key length 16) Sep 21 07:16:30.700479: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Sep 21 07:16:30.700558: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Sep 21 07:16:30.700697: testing HMAC_MD5: Sep 21 07:16:30.700699: RFC 2104: MD5_HMAC test 1 Sep 21 07:16:30.700842: RFC 2104: MD5_HMAC test 2 Sep 21 07:16:30.700935: RFC 2104: MD5_HMAC test 3 Sep 21 07:16:30.701046: 8 CPU cores online Sep 21 07:16:30.701048: starting up 7 crypto helpers Sep 21 07:16:30.701076: started thread for crypto helper 0 Sep 21 07:16:30.701102: | starting up helper thread 0 Sep 21 07:16:30.701111: | starting up helper thread 1 Sep 21 07:16:30.701120: | status value returned by setting the priority of this thread (crypto helper 1) 22 Sep 21 07:16:30.701106: started thread for crypto helper 1 Sep 21 07:16:30.701178: started thread for crypto helper 2 Sep 21 07:16:30.701121: | crypto helper 1 waiting (nothing to do) Sep 21 07:16:30.701123: | status value returned by setting the priority of this thread (crypto helper 0) 22 Sep 21 07:16:30.701195: | starting up helper thread 2 Sep 21 07:16:30.701203: | status value returned by setting the priority of this thread (crypto helper 2) 22 Sep 21 07:16:30.701205: | crypto helper 0 waiting (nothing to do) Sep 21 07:16:30.701203: | starting up helper thread 3 Sep 21 07:16:30.701215: | crypto helper 2 waiting (nothing to do) Sep 21 07:16:30.701218: | status value returned by setting the priority of this thread (crypto helper 3) 22 Sep 21 07:16:30.701222: | crypto helper 3 waiting (nothing to do) Sep 21 07:16:30.701195: started thread for crypto helper 3 Sep 21 07:16:30.701259: started thread for crypto helper 4 Sep 21 07:16:30.701284: | starting up helper thread 4 Sep 21 07:16:30.701288: started thread for crypto helper 5 Sep 21 07:16:30.701292: | starting up helper thread 5 Sep 21 07:16:30.701360: | starting up helper thread 6 Sep 21 07:16:30.701298: | status value 
returned by setting the priority of this thread (crypto helper 4) 22 Sep 21 07:16:30.701369: | status value returned by setting the priority of this thread (crypto helper 6) 22 Sep 21 07:16:30.701367: | status value returned by setting the priority of this thread (crypto helper 5) 22 Sep 21 07:16:30.701358: started thread for crypto helper 6 Sep 21 07:16:30.701374: | crypto helper 4 waiting (nothing to do) Sep 21 07:16:30.701384: | checking IKEv1 state table Sep 21 07:16:30.701394: | crypto helper 6 waiting (nothing to do) Sep 21 07:16:30.701405: | crypto helper 5 waiting (nothing to do) Sep 21 07:16:30.701405: | MAIN_R0: category: half-open IKE SA flags: 0: Sep 21 07:16:30.701413: | -> MAIN_R1 EVENT_SO_DISCARD Sep 21 07:16:30.701415: | MAIN_I1: category: half-open IKE SA flags: 0: Sep 21 07:16:30.701417: | -> MAIN_I2 EVENT_RETRANSMIT Sep 21 07:16:30.701418: | MAIN_R1: category: open IKE SA flags: 200: Sep 21 07:16:30.701420: | -> MAIN_R2 EVENT_RETRANSMIT Sep 21 07:16:30.701421: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:16:30.701423: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:16:30.701424: | MAIN_I2: category: open IKE SA flags: 0: Sep 21 07:16:30.701426: | -> MAIN_I3 EVENT_RETRANSMIT Sep 21 07:16:30.701427: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:16:30.701428: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:16:30.701430: | MAIN_R2: category: open IKE SA flags: 0: Sep 21 07:16:30.701431: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:16:30.701433: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:16:30.701434: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:16:30.701436: | MAIN_I3: category: open IKE SA flags: 0: Sep 21 07:16:30.701437: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:16:30.701439: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:16:30.701440: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:16:30.701442: | MAIN_R3: category: established IKE SA flags: 200: Sep 21 07:16:30.701443: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.701445: | MAIN_I4: category: established IKE SA flags: 0: Sep 21 
07:16:30.701446: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.701448: | AGGR_R0: category: half-open IKE SA flags: 0: Sep 21 07:16:30.701449: | -> AGGR_R1 EVENT_SO_DISCARD Sep 21 07:16:30.701451: | AGGR_I1: category: half-open IKE SA flags: 0: Sep 21 07:16:30.701452: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:16:30.701454: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:16:30.701455: | AGGR_R1: category: open IKE SA flags: 200: Sep 21 07:16:30.701457: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:16:30.701458: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:16:30.701460: | AGGR_I2: category: established IKE SA flags: 200: Sep 21 07:16:30.701461: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.701463: | AGGR_R2: category: established IKE SA flags: 0: Sep 21 07:16:30.701464: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.701466: | QUICK_R0: category: established CHILD SA flags: 0: Sep 21 07:16:30.701470: | -> QUICK_R1 EVENT_RETRANSMIT Sep 21 07:16:30.701472: | QUICK_I1: category: established CHILD SA flags: 0: Sep 21 07:16:30.701473: | -> QUICK_I2 EVENT_SA_REPLACE Sep 21 07:16:30.701475: | QUICK_R1: category: established CHILD SA flags: 0: Sep 21 07:16:30.701476: | -> QUICK_R2 EVENT_SA_REPLACE Sep 21 07:16:30.701478: | QUICK_I2: category: established CHILD SA flags: 200: Sep 21 07:16:30.701479: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.701481: | QUICK_R2: category: established CHILD SA flags: 0: Sep 21 07:16:30.701482: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.701484: | INFO: category: informational flags: 0: Sep 21 07:16:30.701485: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.701487: | INFO_PROTECTED: category: informational flags: 0: Sep 21 07:16:30.701488: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.701490: | XAUTH_R0: category: established IKE SA flags: 0: Sep 21 07:16:30.701491: | -> XAUTH_R1 EVENT_NULL Sep 21 07:16:30.701493: | XAUTH_R1: category: established IKE SA flags: 0: Sep 21 07:16:30.701494: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:16:30.701496: | MODE_CFG_R0: category: informational flags: 0: Sep 
21 07:16:30.701498: | -> MODE_CFG_R1 EVENT_SA_REPLACE Sep 21 07:16:30.701499: | MODE_CFG_R1: category: established IKE SA flags: 0: Sep 21 07:16:30.701501: | -> MODE_CFG_R2 EVENT_SA_REPLACE Sep 21 07:16:30.701502: | MODE_CFG_R2: category: established IKE SA flags: 0: Sep 21 07:16:30.701504: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.701505: | MODE_CFG_I1: category: established IKE SA flags: 0: Sep 21 07:16:30.701507: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:16:30.701508: | XAUTH_I0: category: established IKE SA flags: 0: Sep 21 07:16:30.701510: | -> XAUTH_I1 EVENT_RETRANSMIT Sep 21 07:16:30.701511: | XAUTH_I1: category: established IKE SA flags: 0: Sep 21 07:16:30.701513: | -> MAIN_I4 EVENT_RETRANSMIT Sep 21 07:16:30.701518: | checking IKEv2 state table Sep 21 07:16:30.701522: | PARENT_I0: category: ignore flags: 0: Sep 21 07:16:30.701523: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Sep 21 07:16:30.701525: | PARENT_I1: category: half-open IKE SA flags: 0: Sep 21 07:16:30.701527: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Sep 21 07:16:30.701529: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Sep 21 07:16:30.701531: | PARENT_I2: category: open IKE SA flags: 0: Sep 21 07:16:30.701532: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Sep 21 07:16:30.701534: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Sep 21 07:16:30.701536: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Sep 21 07:16:30.701537: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Sep 21 07:16:30.701539: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Sep 21 07:16:30.701541: | PARENT_I3: category: established IKE SA flags: 0: Sep 21 07:16:30.701542: | -> PARENT_I3 EVENT_RETAIN (I3: Informational 
Request) Sep 21 07:16:30.701544: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) Sep 21 07:16:30.701546: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Sep 21 07:16:30.701547: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) Sep 21 07:16:30.701549: | PARENT_R0: category: half-open IKE SA flags: 0: Sep 21 07:16:30.701550: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) Sep 21 07:16:30.701552: | PARENT_R1: category: half-open IKE SA flags: 0: Sep 21 07:16:30.701554: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) Sep 21 07:16:30.701555: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Sep 21 07:16:30.701557: | PARENT_R2: category: established IKE SA flags: 0: Sep 21 07:16:30.701560: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Sep 21 07:16:30.701562: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) Sep 21 07:16:30.701563: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Sep 21 07:16:30.701565: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) Sep 21 07:16:30.701567: | V2_CREATE_I0: category: established IKE SA flags: 0: Sep 21 07:16:30.701568: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Sep 21 07:16:30.701570: | V2_CREATE_I: category: established IKE SA flags: 0: Sep 21 07:16:30.701572: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Sep 21 07:16:30.701573: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: Sep 21 07:16:30.701575: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Sep 21 07:16:30.701577: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Sep 21 07:16:30.701578: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Sep 21 07:16:30.701580: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Sep 21 07:16:30.701582: 
| -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Sep 21 07:16:30.701583: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Sep 21 07:16:30.701585: | V2_CREATE_R: category: established IKE SA flags: 0: Sep 21 07:16:30.701587: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Sep 21 07:16:30.701588: | V2_REKEY_IKE_R: category: established IKE SA flags: 0: Sep 21 07:16:30.701590: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Sep 21 07:16:30.701592: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Sep 21 07:16:30.701594: | V2_IPSEC_I: category: established CHILD SA flags: 0: Sep 21 07:16:30.701595: | V2_IPSEC_R: category: established CHILD SA flags: 0: Sep 21 07:16:30.701597: | IKESA_DEL: category: established IKE SA flags: 0: Sep 21 07:16:30.701598: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Sep 21 07:16:30.701600: | CHILDSA_DEL: category: informational flags: 0: Sep 21 07:16:30.701643: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ Sep 21 07:16:30.701693: | Hard-wiring algorithms Sep 21 07:16:30.701696: | adding AES_CCM_16 to kernel algorithm db Sep 21 07:16:30.701699: | adding AES_CCM_12 to kernel algorithm db Sep 21 07:16:30.701701: | adding AES_CCM_8 to kernel algorithm db Sep 21 07:16:30.701702: | adding 3DES_CBC to kernel algorithm db Sep 21 07:16:30.701704: | adding CAMELLIA_CBC to kernel algorithm db Sep 21 07:16:30.701705: | adding AES_GCM_16 to kernel algorithm db Sep 21 07:16:30.701707: | adding AES_GCM_12 to kernel algorithm db Sep 21 07:16:30.701708: | adding AES_GCM_8 to kernel algorithm db Sep 21 07:16:30.701709: | adding AES_CTR to kernel algorithm db Sep 21 07:16:30.701711: | adding AES_CBC to kernel algorithm db Sep 21 07:16:30.701712: | adding SERPENT_CBC to kernel algorithm db Sep 21 07:16:30.701714: | adding TWOFISH_CBC to kernel algorithm db Sep 21 07:16:30.701715: | adding 
NULL_AUTH_AES_GMAC to kernel algorithm db Sep 21 07:16:30.701717: | adding NULL to kernel algorithm db Sep 21 07:16:30.701718: | adding CHACHA20_POLY1305 to kernel algorithm db Sep 21 07:16:30.701720: | adding HMAC_MD5_96 to kernel algorithm db Sep 21 07:16:30.701722: | adding HMAC_SHA1_96 to kernel algorithm db Sep 21 07:16:30.701723: | adding HMAC_SHA2_512_256 to kernel algorithm db Sep 21 07:16:30.701725: | adding HMAC_SHA2_384_192 to kernel algorithm db Sep 21 07:16:30.701726: | adding HMAC_SHA2_256_128 to kernel algorithm db Sep 21 07:16:30.701728: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Sep 21 07:16:30.701729: | adding AES_XCBC_96 to kernel algorithm db Sep 21 07:16:30.701731: | adding AES_CMAC_96 to kernel algorithm db Sep 21 07:16:30.701732: | adding NONE to kernel algorithm db Sep 21 07:16:30.701750: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Sep 21 07:16:30.701754: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Sep 21 07:16:30.701756: | setup kernel fd callback Sep 21 07:16:30.701758: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x5621a138cd20 Sep 21 07:16:30.701760: | libevent_malloc: new ptr-libevent@0x5621a1398ec0 size 128 Sep 21 07:16:30.701762: | libevent_malloc: new ptr-libevent@0x5621a138c000 size 16 Sep 21 07:16:30.701766: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x5621a138cce0 Sep 21 07:16:30.701768: | libevent_malloc: new ptr-libevent@0x5621a1398f50 size 128 Sep 21 07:16:30.701770: | libevent_malloc: new ptr-libevent@0x5621a138c020 size 16 Sep 21 07:16:30.701914: | global one-shot timer EVENT_CHECK_CRLS initialized Sep 21 07:16:30.701924: selinux support is enabled. 
Sep 21 07:16:30.701985: systemd watchdog not enabled - not sending watchdog keepalives Sep 21 07:16:30.702112: | unbound context created - setting debug level to 5 Sep 21 07:16:30.702133: | /etc/hosts lookups activated Sep 21 07:16:30.702144: | /etc/resolv.conf usage activated Sep 21 07:16:30.702184: | outgoing-port-avoid set 0-65535 Sep 21 07:16:30.702202: | outgoing-port-permit set 32768-60999 Sep 21 07:16:30.702204: | Loading dnssec root key from:/var/lib/unbound/root.key Sep 21 07:16:30.702206: | No additional dnssec trust anchors defined via dnssec-trusted= option Sep 21 07:16:30.702208: | Setting up events, loop start Sep 21 07:16:30.702210: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x5621a1387300 Sep 21 07:16:30.702212: | libevent_malloc: new ptr-libevent@0x5621a13a34c0 size 128 Sep 21 07:16:30.702214: | libevent_malloc: new ptr-libevent@0x5621a13a3550 size 16 Sep 21 07:16:30.702219: | libevent_realloc: new ptr-libevent@0x5621a13075b0 size 256 Sep 21 07:16:30.702221: | libevent_malloc: new ptr-libevent@0x5621a13a3570 size 8 Sep 21 07:16:30.702223: | libevent_realloc: new ptr-libevent@0x5621a1398240 size 144 Sep 21 07:16:30.702224: | libevent_malloc: new ptr-libevent@0x5621a13a3590 size 152 Sep 21 07:16:30.702227: | libevent_malloc: new ptr-libevent@0x5621a13a3630 size 16 Sep 21 07:16:30.702230: | signal event handler PLUTO_SIGCHLD installed Sep 21 07:16:30.702232: | libevent_malloc: new ptr-libevent@0x5621a13a3650 size 8 Sep 21 07:16:30.702233: | libevent_malloc: new ptr-libevent@0x5621a13a3670 size 152 Sep 21 07:16:30.702235: | signal event handler PLUTO_SIGTERM installed Sep 21 07:16:30.702237: | libevent_malloc: new ptr-libevent@0x5621a13a3710 size 8 Sep 21 07:16:30.702239: | libevent_malloc: new ptr-libevent@0x5621a13a3730 size 152 Sep 21 07:16:30.702240: | signal event handler PLUTO_SIGHUP installed Sep 21 07:16:30.702242: | libevent_malloc: new ptr-libevent@0x5621a13a37d0 size 8 Sep 21 07:16:30.702244: | libevent_realloc: release 
ptr-libevent@0x5621a1398240 Sep 21 07:16:30.702245: | libevent_realloc: new ptr-libevent@0x5621a13a37f0 size 256 Sep 21 07:16:30.702247: | libevent_malloc: new ptr-libevent@0x5621a1398240 size 152 Sep 21 07:16:30.702249: | signal event handler PLUTO_SIGSYS installed Sep 21 07:16:30.702476: | created addconn helper (pid:12309) using fork+execve Sep 21 07:16:30.702485: | forked child 12309 Sep 21 07:16:30.702513: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.702527: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:16:30.702532: listening for IKE messages Sep 21 07:16:30.702560: | Inspecting interface lo Sep 21 07:16:30.702565: | found lo with address 127.0.0.1 Sep 21 07:16:30.702567: | Inspecting interface eth0 Sep 21 07:16:30.702570: | found eth0 with address 192.0.3.254 Sep 21 07:16:30.702571: | Inspecting interface eth1 Sep 21 07:16:30.702574: | found eth1 with address 192.1.3.33 Sep 21 07:16:30.702608: Kernel supports NIC esp-hw-offload Sep 21 07:16:30.702617: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.3.33:500 Sep 21 07:16:30.702637: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:16:30.702644: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:16:30.702646: adding interface eth1/eth1 192.1.3.33:4500 Sep 21 07:16:30.702668: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.3.254:500 Sep 21 07:16:30.702687: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:16:30.702690: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:16:30.702693: adding interface eth0/eth0 192.0.3.254:4500 Sep 21 07:16:30.702714: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Sep 21 07:16:30.702733: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:16:30.702736: | NAT-Traversal: ESPINUDP(2) setup succeeded for 
sockopt style NAT-T family IPv4 Sep 21 07:16:30.702738: adding interface lo/lo 127.0.0.1:4500 Sep 21 07:16:30.702775: | no interfaces to sort Sep 21 07:16:30.702778: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations Sep 21 07:16:30.702790: | add_fd_read_event_handler: new ethX-pe@0x5621a13a3b60 Sep 21 07:16:30.702797: | libevent_malloc: new ptr-libevent@0x5621a13a3ba0 size 128 Sep 21 07:16:30.702800: | libevent_malloc: new ptr-libevent@0x5621a13a3c30 size 16 Sep 21 07:16:30.702807: | setup callback for interface lo 127.0.0.1:4500 fd 22 Sep 21 07:16:30.702810: | add_fd_read_event_handler: new ethX-pe@0x5621a13a3c50 Sep 21 07:16:30.702812: | libevent_malloc: new ptr-libevent@0x5621a13a3c90 size 128 Sep 21 07:16:30.702814: | libevent_malloc: new ptr-libevent@0x5621a13a3d20 size 16 Sep 21 07:16:30.702817: | setup callback for interface lo 127.0.0.1:500 fd 21 Sep 21 07:16:30.702819: | add_fd_read_event_handler: new ethX-pe@0x5621a13a3d40 Sep 21 07:16:30.702820: | libevent_malloc: new ptr-libevent@0x5621a13a3d80 size 128 Sep 21 07:16:30.702822: | libevent_malloc: new ptr-libevent@0x5621a13a3e10 size 16 Sep 21 07:16:30.702825: | setup callback for interface eth0 192.0.3.254:4500 fd 20 Sep 21 07:16:30.702826: | add_fd_read_event_handler: new ethX-pe@0x5621a13a3e30 Sep 21 07:16:30.702828: | libevent_malloc: new ptr-libevent@0x5621a13a3e70 size 128 Sep 21 07:16:30.702829: | libevent_malloc: new ptr-libevent@0x5621a13a3f00 size 16 Sep 21 07:16:30.702832: | setup callback for interface eth0 192.0.3.254:500 fd 19 Sep 21 07:16:30.702834: | add_fd_read_event_handler: new ethX-pe@0x5621a13a3f20 Sep 21 07:16:30.702835: | libevent_malloc: new ptr-libevent@0x5621a13a3f60 size 128 Sep 21 07:16:30.702850: | libevent_malloc: new ptr-libevent@0x5621a13a3ff0 size 16 Sep 21 07:16:30.702852: | setup callback for interface eth1 192.1.3.33:4500 fd 18 Sep 21 07:16:30.702854: | add_fd_read_event_handler: new ethX-pe@0x5621a13a4010 Sep 21 07:16:30.702855: | libevent_malloc: new 
ptr-libevent@0x5621a13a4050 size 128 Sep 21 07:16:30.702857: | libevent_malloc: new ptr-libevent@0x5621a13a40e0 size 16 Sep 21 07:16:30.702860: | setup callback for interface eth1 192.1.3.33:500 fd 17 Sep 21 07:16:30.702862: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:16:30.702864: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:16:30.702878: loading secrets from "/etc/ipsec.secrets" Sep 21 07:16:30.702892: | saving Modulus Sep 21 07:16:30.702894: | saving PublicExponent Sep 21 07:16:30.702896: | ignoring PrivateExponent Sep 21 07:16:30.702898: | ignoring Prime1 Sep 21 07:16:30.702900: | ignoring Prime2 Sep 21 07:16:30.702902: | ignoring Exponent1 Sep 21 07:16:30.702904: | ignoring Exponent2 Sep 21 07:16:30.702906: | ignoring Coefficient Sep 21 07:16:30.702907: | ignoring CKAIDNSS Sep 21 07:16:30.702929: | computed rsa CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Sep 21 07:16:30.702931: | computed rsa CKAID 88 aa 7c 5d Sep 21 07:16:30.702934: loaded private key for keyid: PKK_RSA:AQPl33O2P Sep 21 07:16:30.702939: | certs and keys locked by 'process_secret' Sep 21 07:16:30.702942: | certs and keys unlocked by 'process_secret' Sep 21 07:16:30.702946: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:16:30.702952: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.702960: | spent 0.45 milliseconds in whack Sep 21 07:16:30.732169: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.732197: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:16:30.732203: listening for IKE messages Sep 21 07:16:30.732236: | Inspecting interface lo Sep 21 07:16:30.732243: | found lo with address 127.0.0.1 Sep 21 07:16:30.732246: | Inspecting interface eth0 Sep 21 07:16:30.732250: | found eth0 with address 192.0.3.254 Sep 21 07:16:30.732252: | Inspecting interface eth1 Sep 21 07:16:30.732256: | found eth1 with 
address 192.1.3.33 Sep 21 07:16:30.732308: | no interfaces to sort Sep 21 07:16:30.732317: | libevent_free: release ptr-libevent@0x5621a13a3ba0 Sep 21 07:16:30.732320: | free_event_entry: release EVENT_NULL-pe@0x5621a13a3b60 Sep 21 07:16:30.732323: | add_fd_read_event_handler: new ethX-pe@0x5621a13a3b60 Sep 21 07:16:30.732326: | libevent_malloc: new ptr-libevent@0x5621a13a3ba0 size 128 Sep 21 07:16:30.732334: | setup callback for interface lo 127.0.0.1:4500 fd 22 Sep 21 07:16:30.732337: | libevent_free: release ptr-libevent@0x5621a13a3c90 Sep 21 07:16:30.732340: | free_event_entry: release EVENT_NULL-pe@0x5621a13a3c50 Sep 21 07:16:30.732342: | add_fd_read_event_handler: new ethX-pe@0x5621a13a3c50 Sep 21 07:16:30.732344: | libevent_malloc: new ptr-libevent@0x5621a13a3c90 size 128 Sep 21 07:16:30.732349: | setup callback for interface lo 127.0.0.1:500 fd 21 Sep 21 07:16:30.732353: | libevent_free: release ptr-libevent@0x5621a13a3d80 Sep 21 07:16:30.732355: | free_event_entry: release EVENT_NULL-pe@0x5621a13a3d40 Sep 21 07:16:30.732358: | add_fd_read_event_handler: new ethX-pe@0x5621a13a3d40 Sep 21 07:16:30.732360: | libevent_malloc: new ptr-libevent@0x5621a13a3d80 size 128 Sep 21 07:16:30.732365: | setup callback for interface eth0 192.0.3.254:4500 fd 20 Sep 21 07:16:30.732369: | libevent_free: release ptr-libevent@0x5621a13a3e70 Sep 21 07:16:30.732371: | free_event_entry: release EVENT_NULL-pe@0x5621a13a3e30 Sep 21 07:16:30.732373: | add_fd_read_event_handler: new ethX-pe@0x5621a13a3e30 Sep 21 07:16:30.732376: | libevent_malloc: new ptr-libevent@0x5621a13a3e70 size 128 Sep 21 07:16:30.732380: | setup callback for interface eth0 192.0.3.254:500 fd 19 Sep 21 07:16:30.732384: | libevent_free: release ptr-libevent@0x5621a13a3f60 Sep 21 07:16:30.732386: | free_event_entry: release EVENT_NULL-pe@0x5621a13a3f20 Sep 21 07:16:30.732389: | add_fd_read_event_handler: new ethX-pe@0x5621a13a3f20 Sep 21 07:16:30.732391: | libevent_malloc: new ptr-libevent@0x5621a13a3f60 size 128 
Sep 21 07:16:30.732396: | setup callback for interface eth1 192.1.3.33:4500 fd 18 Sep 21 07:16:30.732400: | libevent_free: release ptr-libevent@0x5621a13a4050 Sep 21 07:16:30.732402: | free_event_entry: release EVENT_NULL-pe@0x5621a13a4010 Sep 21 07:16:30.732404: | add_fd_read_event_handler: new ethX-pe@0x5621a13a4010 Sep 21 07:16:30.732407: | libevent_malloc: new ptr-libevent@0x5621a13a4050 size 128 Sep 21 07:16:30.732412: | setup callback for interface eth1 192.1.3.33:500 fd 17 Sep 21 07:16:30.732415: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:16:30.732417: forgetting secrets Sep 21 07:16:30.732425: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:16:30.732440: loading secrets from "/etc/ipsec.secrets" Sep 21 07:16:30.732452: | saving Modulus Sep 21 07:16:30.732455: | saving PublicExponent Sep 21 07:16:30.732458: | ignoring PrivateExponent Sep 21 07:16:30.732461: | ignoring Prime1 Sep 21 07:16:30.732464: | ignoring Prime2 Sep 21 07:16:30.732468: | ignoring Exponent1 Sep 21 07:16:30.732471: | ignoring Exponent2 Sep 21 07:16:30.732474: | ignoring Coefficient Sep 21 07:16:30.732477: | ignoring CKAIDNSS Sep 21 07:16:30.732500: | computed rsa CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Sep 21 07:16:30.732504: | computed rsa CKAID 88 aa 7c 5d Sep 21 07:16:30.732508: loaded private key for keyid: PKK_RSA:AQPl33O2P Sep 21 07:16:30.732513: | certs and keys locked by 'process_secret' Sep 21 07:16:30.732522: | certs and keys unlocked by 'process_secret' Sep 21 07:16:30.732529: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:16:30.732536: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.732544: | spent 0.382 milliseconds in whack Sep 21 07:16:30.733130: | processing signal PLUTO_SIGCHLD Sep 21 07:16:30.733143: | waitpid returned pid 12309 (exited with status 0) Sep 21 07:16:30.733146: | reaped addconn helper child (status 0) Sep 21 07:16:30.733149: | waitpid returned ECHILD (no child 
processes left) Sep 21 07:16:30.733153: | spent 0.0124 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:31.060258: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:31.060282: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:31.060285: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:16:31.060287: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:31.060288: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:16:31.060291: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:31.060297: | Added new connection north-eastnets/0x1 with policy ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:16:31.060299: | No AUTH policy was set - defaulting to RSASIG Sep 21 07:16:31.060316: | ike (phase1) algorithm values: AES_CBC_256-HMAC_SHA2_256-MODP2048 Sep 21 07:16:31.060318: | from whack: got --esp=aes128-sha2_512;modp3072 Sep 21 07:16:31.060328: | ESP/AH string values: AES_CBC_128-HMAC_SHA2_512_256-MODP3072 Sep 21 07:16:31.060332: | counting wild cards for @north is 0 Sep 21 07:16:31.060334: | counting wild cards for @east is 0 Sep 21 07:16:31.060342: | connect_to_host_pair: 192.1.3.33:500 192.1.2.23:500 -> hp@(nil): none Sep 21 07:16:31.060345: | new hp@0x5621a13705a0 Sep 21 07:16:31.060348: added connection description "north-eastnets/0x1" Sep 21 07:16:31.060357: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:16:31.060368: | 192.0.3.0/24===192.1.3.33<192.1.3.33>[@north]...192.1.2.23<192.1.2.23>[@east]===192.0.2.0/24 Sep 21 07:16:31.060374: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:31.060381: | spent 0.13 milliseconds in whack Sep 21 07:16:31.060561: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in 
whack_handle() at rcv_whack.c:721) Sep 21 07:16:31.060571: add keyid @north Sep 21 07:16:31.060624: | computed rsa CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Sep 21 07:16:31.060626: | computed rsa CKAID 88 aa 7c 5d Sep 21 07:16:31.060631: | keyid: *AQPl33O2P Sep 21 07:16:31.060658: | e 03 Sep 21 07:16:31.060660: | CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Sep 21 07:16:31.060661: | CKAID 88 aa 7c 5d Sep 21 07:16:31.060668: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:31.060673: | spent 0.116 milliseconds in whack Sep 21 07:16:31.060806: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:31.060818: add keyid @east Sep 21 07:16:31.060855: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Sep 21 07:16:31.060857: | computed rsa CKAID 8a 82 25 f1 Sep 21 07:16:31.060860: | keyid: *AQO9bJbr3 Sep 21 07:16:31.060890: | e 03 Sep 21 07:16:31.060892: | CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Sep 21 07:16:31.060893: | CKAID 8a 82 25 f1 Sep 21 07:16:31.060899: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:31.060905: | spent 0.102 milliseconds in whack Sep 21 07:16:31.060957: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:31.060965: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:31.060969: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:16:31.060970: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:31.060972: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:16:31.060974: | FOR_EACH_CONNECTION_... 
in conn_by_name Sep 21 07:16:31.060978: | Added new connection north-eastnets/0x2 with policy ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:16:31.060980: | No AUTH policy was set - defaulting to RSASIG Sep 21 07:16:31.060992: | ike (phase1) algorithm values: AES_CBC_256-HMAC_SHA2_256-MODP2048 Sep 21 07:16:31.060994: | from whack: got --esp=aes128-sha2_512;modp3072 Sep 21 07:16:31.061003: | ESP/AH string values: AES_CBC_128-HMAC_SHA2_512_256-MODP3072 Sep 21 07:16:31.061006: | counting wild cards for @north is 0 Sep 21 07:16:31.061008: | counting wild cards for @east is 0 Sep 21 07:16:31.061012: | find_host_pair: comparing 192.1.3.33:500 to 192.1.2.23:500 but ignoring ports Sep 21 07:16:31.061015: | connect_to_host_pair: 192.1.3.33:500 192.1.2.23:500 -> hp@0x5621a13705a0: north-eastnets/0x1 Sep 21 07:16:31.061017: added connection description "north-eastnets/0x2" Sep 21 07:16:31.061025: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:16:31.061035: | 192.0.3.0/24===192.1.3.33<192.1.3.33>[@north]...192.1.2.23<192.1.2.23>[@east]===192.0.22.0/24 Sep 21 07:16:31.061042: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:31.061046: | spent 0.0926 milliseconds in whack Sep 21 07:16:31.061136: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:31.061145: add keyid @north Sep 21 07:16:31.061149: | unreference key: 0x5621a12fe8f0 @north cnt 1-- Sep 21 07:16:31.061187: | computed rsa CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Sep 21 07:16:31.061188: | computed rsa CKAID 88 aa 7c 5d Sep 21 07:16:31.061191: | keyid: *AQPl33O2P Sep 21 07:16:31.061218: | e 03 Sep 21 07:16:31.061220: | CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Sep 21 07:16:31.061221: | CKAID 88 aa 7c 5d Sep 21 07:16:31.061227: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:31.061232: | spent 0.0999 milliseconds in whack Sep 21 07:16:31.061334: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:31.061343: add keyid @east Sep 21 07:16:31.061347: | unreference key: 0x5621a13076c0 @east cnt 1-- Sep 21 07:16:31.061384: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Sep 21 07:16:31.061386: | computed rsa CKAID 8a 82 25 f1 Sep 21 07:16:31.061388: | keyid: *AQO9bJbr3 Sep 21 07:16:31.061416: | e 03 Sep 21 07:16:31.061418: | CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Sep 21 07:16:31.061419: | CKAID 8a 82 25 f1 Sep 21 07:16:31.061425: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:31.061430: | spent 0.0999 milliseconds in whack Sep 21 07:16:31.066166: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:31.066188: | dup_any(fd@16) -> fd@23 (in whack_process() at rcv_whack.c:590) Sep 21 07:16:31.066192: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:31.066194: initiating all conns with alias='north-eastnets' Sep 21 07:16:31.066200: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:16:31.066206: | start processing: connection "north-eastnets/0x2" (in initiate_a_connection() at initiate.c:186) Sep 21 07:16:31.066209: | connection 'north-eastnets/0x2' +POLICY_UP Sep 21 07:16:31.066212: | dup_any(fd@23) -> fd@24 (in initiate_a_connection() at initiate.c:342) Sep 21 07:16:31.066215: | FOR_EACH_STATE_... 
in find_phase1_state Sep 21 07:16:31.066238: | creating state object #1 at 0x5621a13a5ee0 Sep 21 07:16:31.066241: | State DB: adding IKEv2 state #1 in UNDEFINED Sep 21 07:16:31.066250: | pstats #1 ikev2.ike started Sep 21 07:16:31.066253: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Sep 21 07:16:31.066256: | parent state #1: UNDEFINED(ignore) => PARENT_I0(ignore) Sep 21 07:16:31.066261: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:31.066274: | suspend processing: connection "north-eastnets/0x2" (in ikev2_parent_outI1() at ikev2_parent.c:535) Sep 21 07:16:31.066279: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_parent_outI1() at ikev2_parent.c:535) Sep 21 07:16:31.066282: | dup_any(fd@24) -> fd@25 (in ikev2_parent_outI1() at ikev2_parent.c:551) Sep 21 07:16:31.066287: | Queuing pending IPsec SA negotiating with 192.1.2.23 "north-eastnets/0x2" IKE SA #1 "north-eastnets/0x2" Sep 21 07:16:31.066291: "north-eastnets/0x2" #1: initiating v2 parent SA Sep 21 07:16:31.066300: | constructing local IKE proposals for north-eastnets/0x2 (IKE SA initiator selecting KE) Sep 21 07:16:31.066307: | converting ike_info AES_CBC_256-HMAC_SHA2_256-MODP2048 to ikev2 ... Sep 21 07:16:31.066314: | ... 
ikev2_proposal: 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Sep 21 07:16:31.066318: "north-eastnets/0x2": constructed local IKE proposals for north-eastnets/0x2 (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Sep 21 07:16:31.066325: | adding ikev2_outI1 KE work-order 1 for state #1 Sep 21 07:16:31.066329: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5621a13a56a0 Sep 21 07:16:31.066333: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:16:31.066336: | libevent_malloc: new ptr-libevent@0x5621a13a56e0 size 128 Sep 21 07:16:31.066349: | #1 spent 0.142 milliseconds in ikev2_parent_outI1() Sep 21 07:16:31.066352: | processing: RESET whack log_fd (was fd@16) (in ikev2_parent_outI1() at ikev2_parent.c:610) Sep 21 07:16:31.066352: | crypto helper 1 resuming Sep 21 07:16:31.066357: | RESET processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_parent_outI1() at ikev2_parent.c:610) Sep 21 07:16:31.066364: | crypto helper 1 starting work-order 1 for state #1 Sep 21 07:16:31.066371: | RESET processing: connection "north-eastnets/0x2" (in ikev2_parent_outI1() at ikev2_parent.c:610) Sep 21 07:16:31.066377: | crypto helper 1 doing build KE and nonce (ikev2_outI1 KE); request ID 1 Sep 21 07:16:31.066379: | processing: STOP connection NULL (in initiate_a_connection() at initiate.c:349) Sep 21 07:16:31.066384: | start processing: connection "north-eastnets/0x1" (in initiate_a_connection() at initiate.c:186) Sep 21 07:16:31.066386: | connection 'north-eastnets/0x1' +POLICY_UP Sep 21 07:16:31.066390: | dup_any(fd@23) -> fd@26 (in initiate_a_connection() at initiate.c:342) Sep 21 07:16:31.066392: | FOR_EACH_STATE_... 
in find_phase1_state Sep 21 07:16:31.066397: | Queuing pending IPsec SA negotiating with 192.1.2.23 "north-eastnets/0x1" IKE SA #1 "north-eastnets/0x2" Sep 21 07:16:31.066401: | stop processing: connection "north-eastnets/0x1" (in initiate_a_connection() at initiate.c:349) Sep 21 07:16:31.066403: | close_any(fd@23) (in initiate_connection() at initiate.c:384) Sep 21 07:16:31.066406: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:31.066409: | spent 0.246 milliseconds in whack Sep 21 07:16:31.067424: | crypto helper 1 finished build KE and nonce (ikev2_outI1 KE); request ID 1 time elapsed 0.001047 seconds Sep 21 07:16:31.067435: | (#1) spent 1.05 milliseconds in crypto helper computing work-order 1: ikev2_outI1 KE (pcr) Sep 21 07:16:31.067438: | crypto helper 1 sending results from work-order 1 for state #1 to event queue Sep 21 07:16:31.067441: | scheduling resume sending helper answer for #1 Sep 21 07:16:31.067444: | libevent_malloc: new ptr-libevent@0x7f08c8006900 size 128 Sep 21 07:16:31.067451: | crypto helper 1 waiting (nothing to do) Sep 21 07:16:31.067480: | processing resume sending helper answer for #1 Sep 21 07:16:31.067489: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:797) Sep 21 07:16:31.067493: | crypto helper 1 replies to request ID 1 Sep 21 07:16:31.067495: | calling continuation function 0x56219f926630 Sep 21 07:16:31.067500: | ikev2_parent_outI1_continue for #1 Sep 21 07:16:31.067525: | **emit ISAKMP Message: Sep 21 07:16:31.067527: | initiator cookie: Sep 21 07:16:31.067529: | df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:31.067530: | responder cookie: Sep 21 07:16:31.067532: | 00 00 00 00 00 00 00 00 Sep 21 07:16:31.067534: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:31.067536: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.067538: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:16:31.067540: | flags: 
ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:31.067542: | Message ID: 0 (0x0) Sep 21 07:16:31.067544: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:31.067548: | using existing local IKE proposals for connection north-eastnets/0x2 (IKE SA initiator emitting local proposals): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Sep 21 07:16:31.067550: | Emitting ikev2_proposals ... Sep 21 07:16:31.067552: | ***emit IKEv2 Security Association Payload: Sep 21 07:16:31.067554: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.067556: | flags: none (0x0) Sep 21 07:16:31.067558: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:31.067560: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.067562: | ****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.067563: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.067565: | prop #: 1 (0x1) Sep 21 07:16:31.067567: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:16:31.067568: | spi size: 0 (0x0) Sep 21 07:16:31.067570: | # transforms: 4 (0x4) Sep 21 07:16:31.067572: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:31.067573: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.067575: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.067577: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.067578: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.067580: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.067582: | ******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.067584: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 
21 07:16:31.067585: | length/value: 256 (0x100) Sep 21 07:16:31.067587: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:16:31.067589: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.067590: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.067592: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:31.067593: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:16:31.067595: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.067597: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.067599: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.067600: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.067602: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.067603: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.067605: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:16:31.067607: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.067608: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.067613: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.067615: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.067616: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.067618: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:31.067619: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:31.067621: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST 
(0x3) Sep 21 07:16:31.067623: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.067624: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.067626: | emitting length of IKEv2 Proposal Substructure Payload: 44 Sep 21 07:16:31.067628: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:16:31.067629: | emitting length of IKEv2 Security Association Payload: 48 Sep 21 07:16:31.067631: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:31.067633: | ***emit IKEv2 Key Exchange Payload: Sep 21 07:16:31.067634: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.067636: | flags: none (0x0) Sep 21 07:16:31.067638: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:31.067640: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 07:16:31.067641: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.067644: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Sep 21 07:16:31.067678: | emitting length of IKEv2 Key Exchange Payload: 264 Sep 21 07:16:31.067680: | ***emit IKEv2 Nonce Payload: Sep 21 07:16:31.067683: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:31.067685: | flags: none (0x0) Sep 21 07:16:31.067688: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Sep 21 07:16:31.067691: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:16:31.067694: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.067697: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:16:31.067702: | IKEv2 nonce 34 21 18 f3 82 64 71 6c a7 52 32 08 b1 c8 53 fa Sep 21 07:16:31.067704: | IKEv2 nonce 2a 69 90 cf 2c ce ed 12 38 93 fe 6f f1 ce b9 3f Sep 21 07:16:31.067707: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:16:31.067709: | Adding a v2N Payload Sep 21 07:16:31.067712: | ***emit IKEv2 Notify Payload: Sep 21 07:16:31.067714: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.067717: | flags: none (0x0) Sep 21 07:16:31.067719: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:31.067721: 
| SPI size: 0 (0x0) Sep 21 07:16:31.067724: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:16:31.067727: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:31.067730: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.067732: | emitting length of IKEv2 Notify Payload: 8 Sep 21 07:16:31.067736: | NAT-Traversal support [enabled] add v2N payloads. Sep 21 07:16:31.067738: | natd_hash: rcookie is zero Sep 21 07:16:31.067750: | natd_hash: hasher=0x56219f9fc7a0(20) Sep 21 07:16:31.067753: | natd_hash: icookie= df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:31.067755: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:16:31.067758: | natd_hash: ip= c0 01 03 21 Sep 21 07:16:31.067760: | natd_hash: port= 01 f4 Sep 21 07:16:31.067763: | natd_hash: hash= 7e 14 1e 8c 25 8c ba 97 b5 11 ca ea f9 40 88 6d Sep 21 07:16:31.067765: | natd_hash: hash= 23 8c a0 25 Sep 21 07:16:31.067767: | Adding a v2N Payload Sep 21 07:16:31.067769: | ***emit IKEv2 Notify Payload: Sep 21 07:16:31.067772: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.067774: | flags: none (0x0) Sep 21 07:16:31.067777: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:31.067779: | SPI size: 0 (0x0) Sep 21 07:16:31.067782: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:16:31.067794: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:31.067797: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.067800: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:16:31.067803: | Notify data 7e 14 1e 8c 25 8c ba 97 b5 11 ca ea f9 40 88 6d Sep 21 07:16:31.067805: | Notify data 23 8c a0 25 Sep 21 07:16:31.067807: | emitting length of 
IKEv2 Notify Payload: 28 Sep 21 07:16:31.067809: | natd_hash: rcookie is zero Sep 21 07:16:31.067817: | natd_hash: hasher=0x56219f9fc7a0(20) Sep 21 07:16:31.067820: | natd_hash: icookie= df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:31.067823: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:16:31.067825: | natd_hash: ip= c0 01 02 17 Sep 21 07:16:31.067827: | natd_hash: port= 01 f4 Sep 21 07:16:31.067830: | natd_hash: hash= 44 69 b3 1f b6 fe e3 8d e3 28 91 5a 97 f1 be f3 Sep 21 07:16:31.067832: | natd_hash: hash= 19 73 f7 76 Sep 21 07:16:31.067834: | Adding a v2N Payload Sep 21 07:16:31.067837: | ***emit IKEv2 Notify Payload: Sep 21 07:16:31.067839: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.067841: | flags: none (0x0) Sep 21 07:16:31.067844: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:31.067846: | SPI size: 0 (0x0) Sep 21 07:16:31.067849: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:16:31.067852: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:31.067855: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.067858: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:16:31.067861: | Notify data 44 69 b3 1f b6 fe e3 8d e3 28 91 5a 97 f1 be f3 Sep 21 07:16:31.067863: | Notify data 19 73 f7 76 Sep 21 07:16:31.067868: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:16:31.067870: | emitting length of ISAKMP Message: 440 Sep 21 07:16:31.067878: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_parent_outI1_common() at ikev2_parent.c:817) Sep 21 07:16:31.067890: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.067895: | #1 complete_v2_state_transition() PARENT_I0->PARENT_I1 with status STF_OK 
Sep 21 07:16:31.067899: | IKEv2: transition from state STATE_PARENT_I0 to state STATE_PARENT_I1 Sep 21 07:16:31.067902: | parent state #1: PARENT_I0(ignore) => PARENT_I1(half-open IKE SA) Sep 21 07:16:31.067905: | Message ID: updating counters for #1 to 4294967295 after switching state Sep 21 07:16:31.067909: | Message ID: IKE #1 skipping update_recv as MD is fake Sep 21 07:16:31.067914: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1->0 wip.responder=-1 Sep 21 07:16:31.067917: "north-eastnets/0x2" #1: STATE_PARENT_I1: sent v2I1, expected v2R1 Sep 21 07:16:31.067928: | sending V2 reply packet to 192.1.2.23:500 (from 192.1.3.33:500) Sep 21 07:16:31.067939: | sending 440 bytes for STATE_PARENT_I0 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #1) Sep 21 07:16:31.067943: | df a1 f0 f4 bf 5a d1 b5 00 00 00 00 00 00 00 00 Sep 21 07:16:31.067945: | 21 20 22 08 00 00 00 00 00 00 01 b8 22 00 00 30 Sep 21 07:16:31.067948: | 00 00 00 2c 01 01 00 04 03 00 00 0c 01 00 00 0c Sep 21 07:16:31.067950: | 80 0e 01 00 03 00 00 08 02 00 00 05 03 00 00 08 Sep 21 07:16:31.067952: | 03 00 00 0c 00 00 00 08 04 00 00 0e 28 00 01 08 Sep 21 07:16:31.067955: | 00 0e 00 00 bb c8 87 f1 7a 0a f2 9e a5 ad 1c 59 Sep 21 07:16:31.067957: | f6 85 f9 b6 b1 13 90 c9 41 73 f2 63 78 ea fa d6 Sep 21 07:16:31.067959: | f4 75 36 62 cc 5a 80 e5 e4 00 1f 12 59 cd 63 b9 Sep 21 07:16:31.067962: | d7 a5 5a 45 0e 57 17 41 fa d8 94 23 c1 46 85 cc Sep 21 07:16:31.067964: | f9 0d 33 f2 4b 65 b5 81 36 14 e6 2d 93 c4 0a cb Sep 21 07:16:31.067967: | a9 61 e6 fb c3 c6 46 8e fd 14 6e c3 c4 01 16 32 Sep 21 07:16:31.067969: | a1 f8 86 8b 40 f8 c8 d8 bd b9 69 94 0b 9c 33 05 Sep 21 07:16:31.067972: | e4 f0 40 37 6e 9f 36 22 11 b0 f1 46 9d 0c 46 31 Sep 21 07:16:31.067974: | 94 82 05 1a 4f 75 0c 79 62 b6 1f 80 d9 64 3b b1 Sep 21 07:16:31.067976: | 68 bd 7a d0 f2 97 e3 97 2e d7 5a 6f ba f6 2d fd Sep 21 07:16:31.067979: | 8f f1 51 bf 85 
4e c5 62 96 fb ee 48 8b f1 e7 c0 Sep 21 07:16:31.067981: | c1 98 c7 9a a4 8b 08 ee 93 5c 88 52 75 f8 2a bb Sep 21 07:16:31.067984: | 61 fc 9b 39 52 b7 3c ed 99 62 80 29 3f 47 73 72 Sep 21 07:16:31.067986: | e4 7a 3f 43 1c af a3 56 e1 52 a8 b5 21 73 ee a0 Sep 21 07:16:31.067988: | 9b 8d 66 63 4b 34 60 9d 4e 83 31 74 d6 7f 0b 19 Sep 21 07:16:31.067991: | 04 3d ad 89 f7 d6 db fb eb f1 02 f5 21 92 53 a6 Sep 21 07:16:31.067993: | e8 5f f8 2e 29 00 00 24 34 21 18 f3 82 64 71 6c Sep 21 07:16:31.067996: | a7 52 32 08 b1 c8 53 fa 2a 69 90 cf 2c ce ed 12 Sep 21 07:16:31.067998: | 38 93 fe 6f f1 ce b9 3f 29 00 00 08 00 00 40 2e Sep 21 07:16:31.068000: | 29 00 00 1c 00 00 40 04 7e 14 1e 8c 25 8c ba 97 Sep 21 07:16:31.068003: | b5 11 ca ea f9 40 88 6d 23 8c a0 25 00 00 00 1c Sep 21 07:16:31.068005: | 00 00 40 05 44 69 b3 1f b6 fe e3 8d e3 28 91 5a Sep 21 07:16:31.068007: | 97 f1 be f3 19 73 f7 76 Sep 21 07:16:31.068056: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:31.068061: | libevent_free: release ptr-libevent@0x5621a13a56e0 Sep 21 07:16:31.068065: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5621a13a56a0 Sep 21 07:16:31.068068: | success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=500ms Sep 21 07:16:31.068072: | event_schedule: new EVENT_RETRANSMIT-pe@0x5621a13a56a0 Sep 21 07:16:31.068076: | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 Sep 21 07:16:31.068081: | libevent_malloc: new ptr-libevent@0x5621a13a56e0 size 128 Sep 21 07:16:31.068086: | #1 STATE_PARENT_I1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 48837.436336 Sep 21 07:16:31.068091: | resume sending helper answer for #1 suppresed complete_v2_state_transition() and stole MD Sep 21 07:16:31.068097: | #1 spent 0.569 milliseconds in resume sending helper answer Sep 21 07:16:31.068102: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at 
server.c:833) Sep 21 07:16:31.068106: | libevent_free: release ptr-libevent@0x7f08c8006900 Sep 21 07:16:31.070342: | spent 0.00227 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:31.070362: | *received 440 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) Sep 21 07:16:31.070366: | df a1 f0 f4 bf 5a d1 b5 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:31.070370: | 21 20 22 20 00 00 00 00 00 00 01 b8 22 00 00 30 Sep 21 07:16:31.070372: | 00 00 00 2c 01 01 00 04 03 00 00 0c 01 00 00 0c Sep 21 07:16:31.070374: | 80 0e 01 00 03 00 00 08 02 00 00 05 03 00 00 08 Sep 21 07:16:31.070377: | 03 00 00 0c 00 00 00 08 04 00 00 0e 28 00 01 08 Sep 21 07:16:31.070379: | 00 0e 00 00 12 ac 36 9c 12 46 bd 47 34 8f 0e 1a Sep 21 07:16:31.070382: | 57 b8 81 2a 89 0d f3 a5 bd 87 88 4f 8f e0 4a ac Sep 21 07:16:31.070384: | 4d 45 3f a4 b6 4f 56 80 25 a1 d6 f4 b0 23 80 80 Sep 21 07:16:31.070386: | cf e3 dd c3 78 69 2d d0 e6 9a fc 11 c7 a8 20 5e Sep 21 07:16:31.070389: | e0 22 cb 33 ab 4f 7f 7c a1 f7 1d 59 91 eb 0d 78 Sep 21 07:16:31.070392: | 2f 42 63 ae d6 58 8f 37 8f 07 e2 3a e7 04 95 a6 Sep 21 07:16:31.070395: | 0b 3f 69 03 23 09 a3 b9 51 7b 2f 42 92 ba cd 39 Sep 21 07:16:31.070397: | c4 e4 bc bd aa c5 09 3d 3a a1 dc 5a 8a ac e8 63 Sep 21 07:16:31.070399: | ba 2c f9 2f 52 30 76 04 61 70 2f 47 ba 33 59 1a Sep 21 07:16:31.070402: | 2f 3c d8 f2 db 89 06 0a e9 f3 59 ac fb 17 58 18 Sep 21 07:16:31.070404: | f8 61 51 de 20 92 c5 a5 2b 46 6f 5b 35 72 c3 72 Sep 21 07:16:31.070407: | 6b 77 ac 87 dc 2c 27 55 89 62 7e e6 ed 2d cf 3e Sep 21 07:16:31.070409: | 35 cd e2 c5 65 0f 81 c7 a5 32 b0 16 4c cd 22 e8 Sep 21 07:16:31.070411: | 4d fe d3 fe bd 7b ea 0a 2b f3 36 c1 78 2e d4 97 Sep 21 07:16:31.070413: | 3a 59 37 05 22 50 91 24 75 ab aa 99 00 47 6c f0 Sep 21 07:16:31.070415: | 8d 58 d9 60 c6 2e 06 0a 09 33 38 cf 07 8c 3e e3 Sep 21 07:16:31.070417: | 6b 07 a9 1b 29 00 00 24 be e6 7d e9 48 d2 bd b9 Sep 21 07:16:31.070419: | 7c 37 2b d1 43 29 92 3f bc 10 f4 a6 5d 09 01 ad Sep 
21 07:16:31.070422: | 5f 31 a8 9f e4 39 82 74 29 00 00 08 00 00 40 2e Sep 21 07:16:31.070424: | 29 00 00 1c 00 00 40 04 d0 49 b5 5a 43 0b 85 8b Sep 21 07:16:31.070426: | 2e 1a a0 db 57 9b 32 d8 ff f3 75 bb 00 00 00 1c Sep 21 07:16:31.070428: | 00 00 40 05 fd 6c bc 23 b8 cc 38 42 87 d5 90 ff Sep 21 07:16:31.070431: | c2 03 81 a1 cd 80 b7 be Sep 21 07:16:31.070436: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Sep 21 07:16:31.070439: | **parse ISAKMP Message: Sep 21 07:16:31.070442: | initiator cookie: Sep 21 07:16:31.070444: | df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:31.070447: | responder cookie: Sep 21 07:16:31.070448: | 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:31.070451: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:31.070454: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.070457: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:16:31.070460: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:16:31.070462: | Message ID: 0 (0x0) Sep 21 07:16:31.070465: | length: 440 (0x1b8) Sep 21 07:16:31.070468: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Sep 21 07:16:31.070471: | I am the IKE SA Original Initiator receiving an IKEv2 IKE_SA_INIT response Sep 21 07:16:31.070475: | State DB: found IKEv2 state #1 in PARENT_I1 (find_v2_ike_sa_by_initiator_spi) Sep 21 07:16:31.070484: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:16:31.070490: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2062) Sep 21 07:16:31.070493: | #1 is idle Sep 21 07:16:31.070495: | #1 idle Sep 21 07:16:31.070497: | unpacking clear payload Sep 21 07:16:31.070500: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:16:31.070503: | ***parse IKEv2 Security Association Payload: Sep 21 07:16:31.070505: | next payload type: ISAKMP_NEXT_v2KE 
(0x22) Sep 21 07:16:31.070508: | flags: none (0x0) Sep 21 07:16:31.070510: | length: 48 (0x30) Sep 21 07:16:31.070513: | processing payload: ISAKMP_NEXT_v2SA (len=44) Sep 21 07:16:31.070515: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:16:31.070518: | ***parse IKEv2 Key Exchange Payload: Sep 21 07:16:31.070521: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:16:31.070523: | flags: none (0x0) Sep 21 07:16:31.070525: | length: 264 (0x108) Sep 21 07:16:31.070528: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:31.070530: | processing payload: ISAKMP_NEXT_v2KE (len=256) Sep 21 07:16:31.070533: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 21 07:16:31.070535: | ***parse IKEv2 Nonce Payload: Sep 21 07:16:31.070537: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:31.070540: | flags: none (0x0) Sep 21 07:16:31.070542: | length: 36 (0x24) Sep 21 07:16:31.070544: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:16:31.070546: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:16:31.070549: | ***parse IKEv2 Notify Payload: Sep 21 07:16:31.070552: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:31.070554: | flags: none (0x0) Sep 21 07:16:31.070556: | length: 8 (0x8) Sep 21 07:16:31.070559: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:31.070561: | SPI size: 0 (0x0) Sep 21 07:16:31.070564: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:16:31.070566: | processing payload: ISAKMP_NEXT_v2N (len=0) Sep 21 07:16:31.070569: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:16:31.070571: | ***parse IKEv2 Notify Payload: Sep 21 07:16:31.070573: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:31.070576: | flags: none (0x0) Sep 21 07:16:31.070578: | length: 28 (0x1c) Sep 21 07:16:31.070580: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:31.070583: | SPI size: 0 (0x0) Sep 21 07:16:31.070585: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 
21 07:16:31.070588: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:16:31.070591: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:16:31.070594: | ***parse IKEv2 Notify Payload: Sep 21 07:16:31.070597: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.070599: | flags: none (0x0) Sep 21 07:16:31.070602: | length: 28 (0x1c) Sep 21 07:16:31.070605: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:31.070607: | SPI size: 0 (0x0) Sep 21 07:16:31.070610: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:16:31.070612: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:16:31.070615: | State DB: re-hashing IKEv2 state #1 IKE SPIi and SPI[ir] Sep 21 07:16:31.070620: | #1 in state PARENT_I1: sent v2I1, expected v2R1 Sep 21 07:16:31.070623: | selected state microcode Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH Sep 21 07:16:31.070626: | Now let's proceed with state specific processing Sep 21 07:16:31.070628: | calling processor Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH Sep 21 07:16:31.070632: | ikev2 parent inR1: calculating g^{xy} in order to send I2 Sep 21 07:16:31.070638: | using existing local IKE proposals for connection north-eastnets/0x2 (IKE SA initiator accepting remote proposal): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Sep 21 07:16:31.070643: | Comparing remote proposals against IKE initiator (accepting) 1 local proposals Sep 21 07:16:31.070647: | local proposal 1 type ENCR has 1 transforms Sep 21 07:16:31.070649: | local proposal 1 type PRF has 1 transforms Sep 21 07:16:31.070652: | local proposal 1 type INTEG has 1 transforms Sep 21 07:16:31.070654: | local proposal 1 type DH has 1 transforms Sep 21 07:16:31.070656: | local proposal 1 type ESN has 0 transforms Sep 21 07:16:31.070660: | local proposal 1 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:16:31.070663: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 
07:16:31.070666: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.070668: | length: 44 (0x2c) Sep 21 07:16:31.070671: | prop #: 1 (0x1) Sep 21 07:16:31.070673: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:16:31.070676: | spi size: 0 (0x0) Sep 21 07:16:31.070678: | # transforms: 4 (0x4) Sep 21 07:16:31.070682: | Comparing remote proposal 1 containing 4 transforms against local proposal [1..1] of 1 local proposals Sep 21 07:16:31.070685: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.070688: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.070690: | length: 12 (0xc) Sep 21 07:16:31.070693: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.070695: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.070698: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.070701: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.070703: | length/value: 256 (0x100) Sep 21 07:16:31.070707: | remote proposal 1 transform 0 (ENCR=AES_CBC_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:16:31.070710: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.070713: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.070715: | length: 8 (0x8) Sep 21 07:16:31.070718: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:31.070721: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:16:31.070725: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_256) matches local proposal 1 type 2 (PRF) transform 0 Sep 21 07:16:31.070728: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.070730: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.070733: | length: 8 (0x8) Sep 21 07:16:31.070735: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.070738: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:16:31.070741: | remote proposal 1 transform 2 (INTEG=HMAC_SHA2_256_128) matches local proposal 1 type 3 (INTEG) transform 0 Sep 21 
07:16:31.070744: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.070746: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.070748: | length: 8 (0x8) Sep 21 07:16:31.070751: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:31.070753: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:31.070757: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Sep 21 07:16:31.070761: | remote proposal 1 proposed transforms: ENCR+PRF+INTEG+DH; matched: ENCR+PRF+INTEG+DH; unmatched: none Sep 21 07:16:31.070765: | comparing remote proposal 1 containing ENCR+PRF+INTEG+DH transforms to local proposal 1; required: ENCR+PRF+INTEG+DH; optional: none; matched: ENCR+PRF+INTEG+DH Sep 21 07:16:31.070767: | remote proposal 1 matches local proposal 1 Sep 21 07:16:31.070770: | remote accepted the proposal 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match] Sep 21 07:16:31.070773: | converting proposal to internal trans attrs Sep 21 07:16:31.070802: | natd_hash: hasher=0x56219f9fc7a0(20) Sep 21 07:16:31.070807: | natd_hash: icookie= df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:31.070810: | natd_hash: rcookie= 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:31.070812: | natd_hash: ip= c0 01 03 21 Sep 21 07:16:31.070814: | natd_hash: port= 01 f4 Sep 21 07:16:31.070817: | natd_hash: hash= fd 6c bc 23 b8 cc 38 42 87 d5 90 ff c2 03 81 a1 Sep 21 07:16:31.070823: | natd_hash: hash= cd 80 b7 be Sep 21 07:16:31.070831: | natd_hash: hasher=0x56219f9fc7a0(20) Sep 21 07:16:31.070833: | natd_hash: icookie= df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:31.070836: | natd_hash: rcookie= 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:31.070838: | natd_hash: ip= c0 01 02 17 Sep 21 07:16:31.070840: | natd_hash: port= 01 f4 Sep 21 07:16:31.070842: | natd_hash: hash= d0 49 b5 5a 43 0b 85 8b 2e 1a a0 db 57 9b 32 d8 Sep 21 07:16:31.070844: | natd_hash: hash= ff f3 75 bb Sep 21 07:16:31.070847: | NAT_TRAVERSAL encaps using 
auto-detect Sep 21 07:16:31.070849: | NAT_TRAVERSAL this end is NOT behind NAT Sep 21 07:16:31.070851: | NAT_TRAVERSAL that end is NOT behind NAT Sep 21 07:16:31.070855: | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.23 Sep 21 07:16:31.070858: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_256 integ=HMAC_SHA2_256_128 cipherkey=AES_CBC Sep 21 07:16:31.070862: | adding ikev2_inR1outI2 KE work-order 2 for state #1 Sep 21 07:16:31.070865: | state #1 requesting EVENT_RETRANSMIT to be deleted Sep 21 07:16:31.070867: | #1 STATE_PARENT_I1: retransmits: cleared Sep 21 07:16:31.070871: | libevent_free: release ptr-libevent@0x5621a13a56e0 Sep 21 07:16:31.070874: | free_event_entry: release EVENT_RETRANSMIT-pe@0x5621a13a56a0 Sep 21 07:16:31.070876: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5621a13a56a0 Sep 21 07:16:31.070880: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:16:31.070883: | libevent_malloc: new ptr-libevent@0x5621a13a56e0 size 128 Sep 21 07:16:31.070894: | #1 spent 0.245 milliseconds in processing: Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH in ikev2_process_state_packet() Sep 21 07:16:31.070898: | crypto helper 0 resuming Sep 21 07:16:31.070900: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.070908: | crypto helper 0 starting work-order 2 for state #1 Sep 21 07:16:31.070917: | #1 complete_v2_state_transition() PARENT_I1->PARENT_I2 with status STF_SUSPEND Sep 21 07:16:31.070920: | crypto helper 0 doing compute dh (V2) (ikev2_inR1outI2 KE); request ID 2 Sep 21 07:16:31.070921: | suspending state #1 and saving MD Sep 21 07:16:31.070932: | #1 is busy; has a suspended MD Sep 21 07:16:31.070937: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:31.070941: | "north-eastnets/0x2" #1 complete v2 state STATE_PARENT_I1 transition with 
STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:31.070946: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:31.070952: | #1 spent 0.576 milliseconds in ikev2_process_packet() Sep 21 07:16:31.070956: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Sep 21 07:16:31.070959: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:31.070962: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:31.070967: | spent 0.592 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:31.071887: | calculating skeyseed using prf=sha2_256 integ=sha2_256 cipherkey-size=32 salt-size=0 Sep 21 07:16:31.072398: | crypto helper 0 finished compute dh (V2) (ikev2_inR1outI2 KE); request ID 2 time elapsed 0.001478 seconds Sep 21 07:16:31.072405: | (#1) spent 1.47 milliseconds in crypto helper computing work-order 2: ikev2_inR1outI2 KE (pcr) Sep 21 07:16:31.072409: | crypto helper 0 sending results from work-order 2 for state #1 to event queue Sep 21 07:16:31.072411: | scheduling resume sending helper answer for #1 Sep 21 07:16:31.072415: | libevent_malloc: new ptr-libevent@0x7f08c0003060 size 128 Sep 21 07:16:31.072422: | crypto helper 0 waiting (nothing to do) Sep 21 07:16:31.072431: | processing resume sending helper answer for #1 Sep 21 07:16:31.072442: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:797) Sep 21 07:16:31.072450: | crypto helper 0 replies to request ID 2 Sep 21 07:16:31.072452: | calling continuation function 0x56219f926630 Sep 21 07:16:31.072455: | ikev2_parent_inR1outI2_continue for #1: calculating g^{xy}, sending I2 Sep 21 07:16:31.072462: | creating state object #2 at 0x5621a13a9d30 Sep 21 07:16:31.072465: | State DB: adding IKEv2 state #2 in UNDEFINED Sep 21 07:16:31.072469: | pstats #2 ikev2.child started 
Sep 21 07:16:31.072472: | duplicating state object #1 "north-eastnets/0x2" as #2 for IPSEC SA Sep 21 07:16:31.072477: | #2 setting local endpoint to 192.1.3.33:500 from #1.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:16:31.072483: | Message ID: init_child #1.#2; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:31.072487: | Message ID: switch-from #1 response 0; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=0->-1 wip.responder=-1 Sep 21 07:16:31.072492: | Message ID: switch-to #1.#2 response 0; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1; child: wip.initiator=-1->0 wip.responder=-1 Sep 21 07:16:31.072495: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:31.072499: | libevent_free: release ptr-libevent@0x5621a13a56e0 Sep 21 07:16:31.072501: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5621a13a56a0 Sep 21 07:16:31.072504: | event_schedule: new EVENT_SA_REPLACE-pe@0x5621a13a56a0 Sep 21 07:16:31.072508: | inserting event EVENT_SA_REPLACE, timeout in 60 seconds for #1 Sep 21 07:16:31.072510: | libevent_malloc: new ptr-libevent@0x5621a13a56e0 size 128 Sep 21 07:16:31.072514: | parent state #1: PARENT_I1(half-open IKE SA) => PARENT_I2(open IKE SA) Sep 21 07:16:31.072523: | **emit ISAKMP Message: Sep 21 07:16:31.072526: | initiator cookie: Sep 21 07:16:31.072528: | df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:31.072530: | responder cookie: Sep 21 07:16:31.072533: | 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:31.072535: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:31.072538: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.072541: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:16:31.072543: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:31.072546: | Message ID: 1 (0x1) Sep 21 07:16:31.072549: | next payload chain: saving message 
location 'ISAKMP Message'.'next payload type' Sep 21 07:16:31.072552: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:31.072555: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.072557: | flags: none (0x0) Sep 21 07:16:31.072560: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:31.072563: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.072567: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:31.072575: | IKEv2 CERT: send a certificate? Sep 21 07:16:31.072577: | IKEv2 CERT: no certificate to send Sep 21 07:16:31.072580: | IDr payload will be sent Sep 21 07:16:31.072594: | ****emit IKEv2 Identification - Initiator - Payload: Sep 21 07:16:31.072597: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.072599: | flags: none (0x0) Sep 21 07:16:31.072602: | ID type: ID_FQDN (0x2) Sep 21 07:16:31.072605: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Initiator - Payload (35:ISAKMP_NEXT_v2IDi) Sep 21 07:16:31.072608: | next payload chain: saving location 'IKEv2 Identification - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.072611: | emitting 5 raw bytes of my identity into IKEv2 Identification - Initiator - Payload Sep 21 07:16:31.072614: | my identity 6e 6f 72 74 68 Sep 21 07:16:31.072618: | emitting length of IKEv2 Identification - Initiator - Payload: 13 Sep 21 07:16:31.072626: | ****emit IKEv2 Identification - Responder - Payload: Sep 21 07:16:31.072629: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Sep 21 07:16:31.072631: | flags: none (0x0) Sep 21 07:16:31.072634: | ID type: ID_FQDN (0x2) Sep 21 07:16:31.072637: | next payload chain: ignoring supplied 'IKEv2 Identification - Responder - Payload'.'next payload type' value 39:ISAKMP_NEXT_v2AUTH Sep 21 
07:16:31.072640: | next payload chain: setting previous 'IKEv2 Identification - Initiator - Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Sep 21 07:16:31.072643: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.072646: | emitting 4 raw bytes of IDr into IKEv2 Identification - Responder - Payload Sep 21 07:16:31.072648: | IDr 65 61 73 74 Sep 21 07:16:31.072651: | emitting length of IKEv2 Identification - Responder - Payload: 12 Sep 21 07:16:31.072653: | not sending INITIAL_CONTACT Sep 21 07:16:31.072657: | ****emit IKEv2 Authentication Payload: Sep 21 07:16:31.072659: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.072661: | flags: none (0x0) Sep 21 07:16:31.072664: | auth method: IKEv2_AUTH_RSA (0x1) Sep 21 07:16:31.072667: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Sep 21 07:16:31.072670: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.072676: | started looking for secret for @north->@east of kind PKK_RSA Sep 21 07:16:31.072679: | actually looking for secret for @north->@east of kind PKK_RSA Sep 21 07:16:31.072682: | line 1: key type PKK_RSA(@north) to type PKK_RSA Sep 21 07:16:31.072686: | 1: compared key (none) to @north / @east -> 002 Sep 21 07:16:31.072689: | 2: compared key (none) to @north / @east -> 002 Sep 21 07:16:31.072691: | line 1: match=002 Sep 21 07:16:31.072694: | match 002 beats previous best_match 000 match=0x5621a13990a0 (line=1) Sep 21 07:16:31.072697: | concluding with best_match=002 best=0x5621a13990a0 (lineno=1) Sep 21 07:16:31.077808: | #1 spent 5.04 milliseconds in ikev2_calculate_rsa_hash() calling sign_hash_RSA() Sep 21 07:16:31.077818: | emitting 274 raw bytes of rsa signature into 
IKEv2 Authentication Payload Sep 21 07:16:31.077821: | rsa signature 73 c2 cf f7 9b 52 2e 68 80 71 e7 76 08 4d 4c 1b Sep 21 07:16:31.077823: | rsa signature 24 b0 0b 38 0f 95 57 b8 5f bf 09 1b d2 2b 7d 46 Sep 21 07:16:31.077826: | rsa signature c8 e6 fe 59 61 cd fd 89 ae 66 c3 98 6c 8c 22 89 Sep 21 07:16:31.077828: | rsa signature 8e ca cd 86 b4 94 fd 9c c8 d3 a6 e7 73 62 60 02 Sep 21 07:16:31.077830: | rsa signature 34 2b 50 ef d3 3d eb 1a 0b db de 0c 52 f3 37 5b Sep 21 07:16:31.077833: | rsa signature c0 24 17 c7 3f 03 4e b0 52 b3 8f 59 fa f4 6e 62 Sep 21 07:16:31.077835: | rsa signature 81 33 84 89 15 16 66 5c fc 25 57 19 30 a2 4b 57 Sep 21 07:16:31.077838: | rsa signature ec ab d3 ca fe ef e6 e1 d1 ce 0a 73 6a c0 ea 7b Sep 21 07:16:31.077840: | rsa signature 1c 7a 8b 0f 37 a0 cf af 1d 24 fc 53 ad 9a d0 94 Sep 21 07:16:31.077842: | rsa signature 46 f1 fe d0 09 c9 03 9f 4f f5 e8 0d 18 89 50 3a Sep 21 07:16:31.077845: | rsa signature 80 6c 7c 5c 75 7e bd a2 e8 cc e9 eb d6 51 86 6c Sep 21 07:16:31.077847: | rsa signature 88 82 39 8e 94 54 ef bd 6e 2e 02 25 34 d9 63 49 Sep 21 07:16:31.077849: | rsa signature c7 d0 51 99 68 19 f3 75 88 65 ef 59 0a f5 75 10 Sep 21 07:16:31.077852: | rsa signature 1b 5b a5 1b 46 9b 3e 25 ee 3e 4a 86 85 87 c0 9f Sep 21 07:16:31.077854: | rsa signature ad f5 fd 8e 4b ac 3d 66 a2 60 38 1d a5 81 db ac Sep 21 07:16:31.077857: | rsa signature 7c 4c 6e 62 76 0a 64 7c 0c 21 dd 1a 1d fc 3c 7d Sep 21 07:16:31.077859: | rsa signature 76 0c 65 40 d2 fb 70 02 2b 3f 64 cd fc 39 09 bb Sep 21 07:16:31.077864: | rsa signature 32 75 Sep 21 07:16:31.077868: | #1 spent 5.14 milliseconds in ikev2_calculate_rsa_hash() Sep 21 07:16:31.077871: | emitting length of IKEv2 Authentication Payload: 282 Sep 21 07:16:31.077874: | getting first pending from state #1 Sep 21 07:16:31.077877: | Switching Child connection for #2 to "north-eastnets/0x1" from "north-eastnets/0x2" Sep 21 07:16:31.077880: | in connection_discard for connection north-eastnets/0x2 Sep 21 
07:16:31.077898: | netlink_get_spi: allocated 0x2d973bf0 for esp.0@192.1.3.33 Sep 21 07:16:31.077902: | constructing ESP/AH proposals with all DH removed for north-eastnets/0x1 (IKE SA initiator emitting ESP/AH proposals) Sep 21 07:16:31.077907: | converting proposal AES_CBC_128-HMAC_SHA2_512_256-MODP3072 to ikev2 ... Sep 21 07:16:31.077913: | ... ikev2_proposal: 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED Sep 21 07:16:31.077917: "north-eastnets/0x1": constructed local ESP/AH proposals for north-eastnets/0x1 (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED Sep 21 07:16:31.077927: | Emitting ikev2_proposals ... Sep 21 07:16:31.077930: | ****emit IKEv2 Security Association Payload: Sep 21 07:16:31.077933: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.077936: | flags: none (0x0) Sep 21 07:16:31.077939: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:31.077942: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.077945: | discarding DH=NONE Sep 21 07:16:31.077947: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.077950: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.077952: | prop #: 1 (0x1) Sep 21 07:16:31.077955: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:31.077957: | spi size: 4 (0x4) Sep 21 07:16:31.077960: | # transforms: 3 (0x3) Sep 21 07:16:31.077963: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:31.077966: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:16:31.077968: | our spi 2d 97 3b f0 Sep 21 07:16:31.077970: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.077973: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.077976: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.077978: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.077981: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.077984: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.077987: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.077989: | length/value: 128 (0x80) Sep 21 07:16:31.077992: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:16:31.077994: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.077997: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.077999: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.078002: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:31.078005: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.078008: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.078010: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.078013: | discarding DH=NONE Sep 21 07:16:31.078015: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.078017: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.078020: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:31.078024: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:31.078027: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.078030: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.078032: | emitting 
length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.078035: | emitting length of IKEv2 Proposal Substructure Payload: 40 Sep 21 07:16:31.078038: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:16:31.078040: | emitting length of IKEv2 Security Association Payload: 44 Sep 21 07:16:31.078043: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:31.078047: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:16:31.078049: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.078052: | flags: none (0x0) Sep 21 07:16:31.078054: | number of TS: 1 (0x1) Sep 21 07:16:31.078057: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:16:31.078060: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.078063: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:31.078065: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.078068: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.078070: | start port: 0 (0x0) Sep 21 07:16:31.078073: | end port: 65535 (0xffff) Sep 21 07:16:31.078076: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:16:31.078078: | IP start c0 00 03 00 Sep 21 07:16:31.078081: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:31.078083: | IP end c0 00 03 ff Sep 21 07:16:31.078085: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:31.078088: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:16:31.078091: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:31.078093: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.078095: | flags: 
none (0x0) Sep 21 07:16:31.078098: | number of TS: 1 (0x1) Sep 21 07:16:31.078101: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:16:31.078104: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.078106: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:31.078108: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.078111: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.078113: | start port: 0 (0x0) Sep 21 07:16:31.078115: | end port: 65535 (0xffff) Sep 21 07:16:31.078119: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:16:31.078121: | IP start c0 00 02 00 Sep 21 07:16:31.078124: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:31.078126: | IP end c0 00 02 ff Sep 21 07:16:31.078128: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:31.078131: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:16:31.078133: | Initiator child policy is tunnel mode, NOT sending v2N_USE_TRANSPORT_MODE Sep 21 07:16:31.078136: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:16:31.078139: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:16:31.078142: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.078145: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:31.078149: | emitting length of IKEv2 Encryption Payload: 436 Sep 21 07:16:31.078151: | emitting length of ISAKMP Message: 464 
Sep 21 07:16:31.078253: | out calculated auth: Sep 21 07:16:31.078256: | 1b 47 a9 88 d9 e5 94 1f 45 27 0e e3 53 4c 01 ad Sep 21 07:16:31.078263: | suspend processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.078267: | start processing: state #2 connection "north-eastnets/0x1" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.078272: | #2 complete_v2_state_transition() md.from_state=PARENT_I1 md.svm.state[from]=PARENT_I1 UNDEFINED->PARENT_I2 with status STF_OK Sep 21 07:16:31.078275: | IKEv2: transition from state STATE_PARENT_I1 to state STATE_PARENT_I2 Sep 21 07:16:31.078278: | child state #2: UNDEFINED(ignore) => PARENT_I2(open IKE SA) Sep 21 07:16:31.078281: | Message ID: updating counters for #2 to 0 after switching state Sep 21 07:16:31.078286: | Message ID: recv #1.#2 response 0; ike: initiator.sent=0 initiator.recv=-1->0 responder.sent=-1 responder.recv=-1; child: wip.initiator=0->-1 wip.responder=-1 Sep 21 07:16:31.078291: | Message ID: sent #1.#2 request 1; ike: initiator.sent=0->1 initiator.recv=0 responder.sent=-1 responder.recv=-1; child: wip.initiator=-1->1 wip.responder=-1 Sep 21 07:16:31.078295: "north-eastnets/0x1" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048} Sep 21 07:16:31.078306: | sending V2 reply packet to 192.1.2.23:500 (from 192.1.3.33:500) Sep 21 07:16:31.078312: | sending 464 bytes for STATE_PARENT_I1 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #1) 
Sep 21 07:16:31.078423: | success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=500ms Sep 21 07:16:31.078428: | event_schedule: new EVENT_RETRANSMIT-pe@0x5621a13acfd0 Sep 21 07:16:31.078431: | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #2 Sep 21 07:16:31.078435: | libevent_malloc: new ptr-libevent@0x7f08c8006900 size 128 Sep 21 07:16:31.078441: | #2 STATE_PARENT_I2: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 48837.446691 Sep 21 07:16:31.078445: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Sep 21 07:16:31.078450: | #1 spent 5.92 milliseconds in resume sending helper answer Sep 21 07:16:31.078455: | stop processing: state #2 connection "north-eastnets/0x1" from 192.1.2.23:500 (in resume_handler() at server.c:833) Sep 21 07:16:31.078458: | libevent_free: release ptr-libevent@0x7f08c0003060 Sep 21 07:16:31.387699: | spent 0.00287 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:31.387716: | *received 464 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) 
Sep 21 07:16:31.387764: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Sep 21 07:16:31.387766: | **parse ISAKMP Message: Sep 21 07:16:31.387768: | initiator cookie: Sep 21 07:16:31.387769: | df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:31.387771: | responder cookie: Sep 21 07:16:31.387772: | 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:31.387774: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:16:31.387776: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.387778: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:16:31.387779: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 
07:16:31.387781: | Message ID: 1 (0x1) Sep 21 07:16:31.387787: | length: 464 (0x1d0) Sep 21 07:16:31.387791: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Sep 21 07:16:31.387793: | I am the IKE SA Original Initiator receiving an IKEv2 IKE_AUTH response Sep 21 07:16:31.387796: | State DB: found IKEv2 state #1 in PARENT_I2 (find_v2_ike_sa) Sep 21 07:16:31.387800: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:16:31.387802: | State DB: found IKEv2 state #2 in PARENT_I2 (find_v2_sa_by_initiator_wip) Sep 21 07:16:31.387805: | suspend processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2062) Sep 21 07:16:31.387807: | start processing: state #2 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2062) Sep 21 07:16:31.387809: | #2 is idle Sep 21 07:16:31.387811: | #2 idle Sep 21 07:16:31.387812: | unpacking clear payload Sep 21 07:16:31.387814: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:16:31.387816: | ***parse IKEv2 Encryption Payload: Sep 21 07:16:31.387817: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Sep 21 07:16:31.387819: | flags: none (0x0) Sep 21 07:16:31.387820: | length: 436 (0x1b4) Sep 21 07:16:31.387822: | processing payload: ISAKMP_NEXT_v2SK (len=432) Sep 21 07:16:31.387824: | #2 in state PARENT_I2: sent v2I2, expected v2R2 Sep 21 07:16:31.387901: | 
calculated auth: 3b 5e 1d 5d 21 72 68 e6 1e 70 28 72 47 dc e0 9c Sep 21 07:16:31.387902: | provided auth: 3b 5e 1d 5d 21 72 68 e6 1e 70 28 72 47 dc e0 9c Sep 21 07:16:31.387904: | authenticator matched Sep 21 07:16:31.387910: | #2 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Sep 21 07:16:31.387912: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Sep 21 07:16:31.387914: | **parse IKEv2 Identification - Responder - Payload: Sep 21 07:16:31.387916: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Sep 21 07:16:31.387917: | flags: none (0x0) Sep 21 07:16:31.387919: | length: 12 (0xc) Sep 21 07:16:31.387920: | ID type: ID_FQDN (0x2) Sep 21 07:16:31.387922: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Sep 21 07:16:31.387923: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Sep 21 07:16:31.387925: | **parse IKEv2 Authentication Payload: Sep 21 07:16:31.387926: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:31.387928: | flags: none (0x0) Sep 21 07:16:31.387929: | length: 282 (0x11a) Sep 21 07:16:31.387931: | auth method: IKEv2_AUTH_RSA (0x1) Sep 21 07:16:31.387932: | processing payload: ISAKMP_NEXT_v2AUTH (len=274) Sep 21 07:16:31.387934: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:16:31.387935: | **parse IKEv2 Security Association Payload: Sep 21 07:16:31.387937: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Sep 21 07:16:31.387938: | flags: none (0x0) Sep 21 07:16:31.387941: | length: 44 (0x2c) Sep 21 07:16:31.387942: | processing payload: ISAKMP_NEXT_v2SA (len=40) Sep 21 07:16:31.387944: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:16:31.387946: | **parse IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:16:31.387947: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:16:31.387948: | flags: none (0x0) Sep 21 07:16:31.387950: | length: 24 (0x18) Sep 21 07:16:31.387951: | number of TS: 1 (0x1) Sep 21 07:16:31.387953: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:16:31.387954: | Now let's proceed 
with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:16:31.387956: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:31.387957: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.387959: | flags: none (0x0) Sep 21 07:16:31.387960: | length: 24 (0x18) Sep 21 07:16:31.387961: | number of TS: 1 (0x1) Sep 21 07:16:31.387963: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Sep 21 07:16:31.387964: | selected state microcode Initiator: process IKE_AUTH response Sep 21 07:16:31.387966: | Now let's proceed with state specific processing Sep 21 07:16:31.387967: | calling processor Initiator: process IKE_AUTH response Sep 21 07:16:31.387971: | offered CA: '%none' Sep 21 07:16:31.387974: "north-eastnets/0x1" #2: IKEv2 mode peer ID is ID_FQDN: '@east' Sep 21 07:16:31.388006: | verifying AUTH payload Sep 21 07:16:31.388017: | required RSA CA is '%any' Sep 21 07:16:31.388021: | checking RSA keyid '@east' for match with '@east' Sep 21 07:16:31.388024: | RSA key issuer CA is '%any' Sep 21 07:16:31.388069: | an RSA Sig check passed with *AQO9bJbr3 [preloaded keys] Sep 21 07:16:31.388073: | #1 spent 0.0449 milliseconds in try_all_keys() trying a pubkey Sep 21 07:16:31.388075: "north-eastnets/0x1" #2: Authenticated using RSA Sep 21 07:16:31.388081: | #1 spent 0.0711 milliseconds in ikev2_verify_rsa_hash() Sep 21 07:16:31.388084: | parent state #1: PARENT_I2(open IKE SA) => PARENT_I3(established IKE SA) Sep 21 07:16:31.388088: | #1 will start re-keying in 2607 seconds with margin of 993 seconds (attempting re-key) Sep 21 07:16:31.388090: | state #1 requesting EVENT_SA_REPLACE to be deleted Sep 21 07:16:31.388093: | libevent_free: release ptr-libevent@0x5621a13a56e0 Sep 21 07:16:31.388095: | free_event_entry: release EVENT_SA_REPLACE-pe@0x5621a13a56a0 Sep 21 07:16:31.388097: | event_schedule: new EVENT_SA_REKEY-pe@0x5621a13a56a0 Sep 21 07:16:31.388099: | inserting event EVENT_SA_REKEY, timeout in 2607 seconds for #1 Sep 21 07:16:31.388101: | libevent_malloc: new 
ptr-libevent@0x5621a13a56e0 size 128 Sep 21 07:16:31.388177: | pstats #1 ikev2.ike established Sep 21 07:16:31.388183: | TSi: parsing 1 traffic selectors Sep 21 07:16:31.388187: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:31.388190: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.388193: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.388195: | length: 16 (0x10) Sep 21 07:16:31.388198: | start port: 0 (0x0) Sep 21 07:16:31.388201: | end port: 65535 (0xffff) Sep 21 07:16:31.388204: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:31.388207: | TS low c0 00 03 00 Sep 21 07:16:31.388210: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:31.388213: | TS high c0 00 03 ff Sep 21 07:16:31.388216: | TSi: parsed 1 traffic selectors Sep 21 07:16:31.388218: | TSr: parsing 1 traffic selectors Sep 21 07:16:31.388221: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:31.388224: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.388227: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.388230: | length: 16 (0x10) Sep 21 07:16:31.388232: | start port: 0 (0x0) Sep 21 07:16:31.388235: | end port: 65535 (0xffff) Sep 21 07:16:31.388238: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:31.388241: | TS low c0 00 02 00 Sep 21 07:16:31.388244: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:31.388246: | TS high c0 00 02 ff Sep 21 07:16:31.388249: | TSr: parsed 1 traffic selectors Sep 21 07:16:31.388258: | evaluating our conn="north-eastnets/0x1" I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:16:31.388264: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.388271: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:16:31.388275: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:31.388278: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:31.388281: | narrow protocol end=*0 
== TSi[0]=*0: 0 Sep 21 07:16:31.388285: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.388290: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.388296: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:16:31.388299: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:16:31.388301: | TSr[0] port match: YES fitness 65536 Sep 21 07:16:31.388303: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:16:31.388305: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.388306: | best fit so far: TSi[0] TSr[0] Sep 21 07:16:31.388308: | found an acceptable TSi/TSr Traffic Selector Sep 21 07:16:31.388309: | printing contents struct traffic_selector Sep 21 07:16:31.388311: | ts_type: IKEv2_TS_IPV6_ADDR_RANGE Sep 21 07:16:31.388312: | ipprotoid: 0 Sep 21 07:16:31.388314: | port range: 0-65535 Sep 21 07:16:31.388316: | ip range: 192.0.3.0-192.0.3.255 Sep 21 07:16:31.388317: | printing contents struct traffic_selector Sep 21 07:16:31.388319: | ts_type: IKEv2_TS_IPV6_ADDR_RANGE Sep 21 07:16:31.388320: | ipprotoid: 0 Sep 21 07:16:31.388321: | port range: 0-65535 Sep 21 07:16:31.388324: | ip range: 192.0.2.0-192.0.2.255 Sep 21 07:16:31.388329: | using existing local ESP/AH proposals for north-eastnets/0x1 (IKE_AUTH initiator accepting remote ESP/AH proposal): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED Sep 21 07:16:31.388331: | Comparing remote proposals against IKE_AUTH initiator accepting remote ESP/AH proposal 1 local proposals Sep 21 07:16:31.388334: | local proposal 1 type ENCR has 1 transforms Sep 21 07:16:31.388336: | local proposal 1 type PRF has 0 transforms Sep 21 07:16:31.388337: | local proposal 1 type INTEG has 1 transforms Sep 21 07:16:31.388339: | local proposal 1 type DH has 1 transforms Sep 21 07:16:31.388340: | local proposal 1 type ESN has 1 transforms Sep 21 07:16:31.388343: | local 
proposal 1 transforms: required: ENCR+INTEG+ESN; optional: DH Sep 21 07:16:31.388345: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.388346: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.388348: | length: 40 (0x28) Sep 21 07:16:31.388349: | prop #: 1 (0x1) Sep 21 07:16:31.388351: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:31.388352: | spi size: 4 (0x4) Sep 21 07:16:31.388354: | # transforms: 3 (0x3) Sep 21 07:16:31.388356: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:16:31.388358: | remote SPI 0e cb d6 18 Sep 21 07:16:31.388359: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 1 local proposals Sep 21 07:16:31.388361: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.388363: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.388364: | length: 12 (0xc) Sep 21 07:16:31.388366: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.388368: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.388369: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.388371: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.388373: | length/value: 128 (0x80) Sep 21 07:16:31.388375: | remote proposal 1 transform 0 (ENCR=AES_CBC_128) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:16:31.388377: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.388380: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.388381: | length: 8 (0x8) Sep 21 07:16:31.388383: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.388385: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:31.388387: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_512_256) matches local proposal 1 type 3 (INTEG) transform 0 Sep 21 07:16:31.388388: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.388390: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.388391: | length: 8 (0x8) 
Sep 21 07:16:31.388393: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:31.388394: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:31.388397: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:16:31.388399: | remote proposal 1 proposed transforms: ENCR+INTEG+ESN; matched: ENCR+INTEG+ESN; unmatched: none Sep 21 07:16:31.388402: | comparing remote proposal 1 containing ENCR+INTEG+ESN transforms to local proposal 1; required: ENCR+INTEG+ESN; optional: DH; matched: ENCR+INTEG+ESN Sep 21 07:16:31.388403: | remote proposal 1 matches local proposal 1 Sep 21 07:16:31.388405: | remote accepted the proposal 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;ESN=DISABLED[first-match] Sep 21 07:16:31.388409: | IKE_AUTH initiator accepting remote ESP/AH proposal ikev2_proposal: 1:ESP:SPI=0ecbd618;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;ESN=DISABLED Sep 21 07:16:31.388410: | converting proposal to internal trans attrs Sep 21 07:16:31.388414: | integ=sha2_512: .key_size=64 encrypt=aes: .key_size=16 .salt_size=0 keymat_len=80 Sep 21 07:16:31.388617: | install_ipsec_sa() for #2: inbound and outbound Sep 21 07:16:31.388620: | could_route called for north-eastnets/0x1 (kind=CK_PERMANENT) Sep 21 07:16:31.388622: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:16:31.388624: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.388626: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:31.388627: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.388629: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:31.388632: | route owner of "north-eastnets/0x1" unrouted: NULL; eroute owner: NULL Sep 21 07:16:31.388635: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Sep 21 07:16:31.388637: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Sep 21 07:16:31.388639: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Sep 21 07:16:31.388642: | setting IPsec SA replay-window to 32 Sep 21 07:16:31.388643: | NIC esp-hw-offload not for connection 'north-eastnets/0x1' not available on interface eth1 Sep 21 07:16:31.388646: | netlink: enabling tunnel mode Sep 21 07:16:31.388648: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:16:31.388649: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:16:31.388734: | netlink response for Add SA esp.ecbd618@192.1.2.23 included non-error error Sep 21 07:16:31.388739: | set up outgoing SA, ref=0/0 Sep 21 07:16:31.388743: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Sep 21 07:16:31.388747: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Sep 21 07:16:31.388750: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Sep 21 07:16:31.388754: | setting IPsec SA replay-window to 32 Sep 21 07:16:31.388757: | NIC esp-hw-offload not for connection 'north-eastnets/0x1' not available on interface eth1 Sep 21 07:16:31.388760: | netlink: enabling tunnel mode Sep 21 07:16:31.388764: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:16:31.388767: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:16:31.388843: | 
netlink response for Add SA esp.2d973bf0@192.1.3.33 included non-error error Sep 21 07:16:31.388849: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:31.388859: | add inbound eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.10000@192.1.3.33 (raw_eroute) Sep 21 07:16:31.388863: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:31.388937: | raw_eroute result=success Sep 21 07:16:31.388940: | set up incoming SA, ref=0/0 Sep 21 07:16:31.388942: | sr for #2: unrouted Sep 21 07:16:31.388945: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:16:31.388948: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:16:31.388952: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.388955: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:31.388959: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.388962: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:31.388966: | route owner of "north-eastnets/0x1" unrouted: NULL; eroute owner: NULL Sep 21 07:16:31.388970: | route_and_eroute with c: north-eastnets/0x1 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Sep 21 07:16:31.388974: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:31.388982: | eroute_connection add eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => tun.0@192.1.2.23 (raw_eroute) Sep 21 07:16:31.388986: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:31.389011: | raw_eroute result=success Sep 21 07:16:31.389016: | running updown command "ipsec _updown" for verb up Sep 21 07:16:31.389019: | command executing up-client Sep 21 07:16:31.389054: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' 
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xe Sep 21 07:16:31.389059: | popen cmd is 1040 chars long Sep 21 07:16:31.389062: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1': Sep 21 07:16:31.389066: | cmd( 80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_: Sep 21 07:16:31.389069: | cmd( 160):MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PL: Sep 21 07:16:31.389072: | cmd( 240):UTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO: Sep 21 07:16:31.389074: | cmd( 320):_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@ea: Sep 21 07:16:31.389076: | cmd( 400):st' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEE: Sep 21 07:16:31.389077: | cmd( 480):R_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_: Sep 21 07:16:31.389079: | cmd( 560):PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCR: Sep 21 07:16:31.389080: | cmd( 640):YPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND: Sep 21 07:16:31.389082: | cmd( 720):='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO=: Sep 21 07:16:31.389084: | cmd( 800):'0' 
PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_: Sep 21 07:16:31.389085: | cmd( 880):CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROU: Sep 21 07:16:31.389087: | cmd( 960):TING='no' VTI_SHARED='no' SPI_IN=0xecbd618 SPI_OUT=0x2d973bf0 ipsec _updown 2>&1: Sep 21 07:16:31.396305: | route_and_eroute: firewall_notified: true Sep 21 07:16:31.396317: | running updown command "ipsec _updown" for verb prepare Sep 21 07:16:31.396320: | command executing prepare-client Sep 21 07:16:31.396340: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' Sep 21 07:16:31.396343: | popen cmd is 1045 chars long Sep 21 07:16:31.396345: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets: Sep 21 07:16:31.396347: | cmd( 80):/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' P: Sep 21 07:16:31.396348: | cmd( 160):LUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.: Sep 21 07:16:31.396350: | 
cmd( 240):0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' : Sep 21 07:16:31.396351: | cmd( 320):PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID: Sep 21 07:16:31.396353: | cmd( 400):='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUT: Sep 21 07:16:31.396355: | cmd( 480):O_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' P: Sep 21 07:16:31.396356: | cmd( 560):LUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG: Sep 21 07:16:31.396358: | cmd( 640):+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN: Sep 21 07:16:31.396359: | cmd( 720):_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_C: Sep 21 07:16:31.396361: | cmd( 800):ISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' P: Sep 21 07:16:31.396362: | cmd( 880):LUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VT: Sep 21 07:16:31.396364: | cmd( 960):I_ROUTING='no' VTI_SHARED='no' SPI_IN=0xecbd618 SPI_OUT=0x2d973bf0 ipsec _updown: Sep 21 07:16:31.396365: | cmd(1040): 2>&1: Sep 21 07:16:31.403408: | running updown command "ipsec _updown" for verb route Sep 21 07:16:31.403418: | command executing route-client Sep 21 07:16:31.403438: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' 
PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_ Sep 21 07:16:31.403443: | popen cmd is 1043 chars long Sep 21 07:16:31.403445: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0: Sep 21 07:16:31.403447: | cmd( 80):x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLU: Sep 21 07:16:31.403449: | cmd( 160):TO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0': Sep 21 07:16:31.403450: | cmd( 240): PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PL: Sep 21 07:16:31.403452: | cmd( 320):UTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID=': Sep 21 07:16:31.403454: | cmd( 400):@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_: Sep 21 07:16:31.403455: | cmd( 480):PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLU: Sep 21 07:16:31.403457: | cmd( 560):TO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+E: Sep 21 07:16:31.403458: | cmd( 640):NCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_K: Sep 21 07:16:31.403460: | cmd( 720):IND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CIS: Sep 21 07:16:31.403461: | cmd( 800):CO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLU: Sep 21 07:16:31.403463: | cmd( 880):TO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_: Sep 21 07:16:31.403464: | cmd( 960):ROUTING='no' VTI_SHARED='no' SPI_IN=0xecbd618 SPI_OUT=0x2d973bf0 ipsec _updown 2: Sep 21 07:16:31.403466: | 
cmd(1040):>&1: Sep 21 07:16:31.432188: | route_and_eroute: instance "north-eastnets/0x1", setting eroute_owner {spd=0x5621a13a4a30,sr=0x5621a13a4a30} to #2 (was #0) (newest_ipsec_sa=#0) Sep 21 07:16:31.432276: | #1 spent 0.886 milliseconds in install_ipsec_sa() Sep 21 07:16:31.432283: | inR2: instance north-eastnets/0x1[0], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Sep 21 07:16:31.432287: | state #2 requesting EVENT_RETRANSMIT to be deleted Sep 21 07:16:31.432290: | #2 STATE_PARENT_I2: retransmits: cleared Sep 21 07:16:31.432296: | libevent_free: release ptr-libevent@0x7f08c8006900 Sep 21 07:16:31.432299: | free_event_entry: release EVENT_RETRANSMIT-pe@0x5621a13acfd0 Sep 21 07:16:31.432304: | #2 spent 1.56 milliseconds in processing: Initiator: process IKE_AUTH response in ikev2_process_state_packet() Sep 21 07:16:31.432312: | [RE]START processing: state #2 connection "north-eastnets/0x1" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.432316: | #2 complete_v2_state_transition() PARENT_I2->V2_IPSEC_I with status STF_OK Sep 21 07:16:31.432319: | IKEv2: transition from state STATE_PARENT_I2 to state STATE_V2_IPSEC_I Sep 21 07:16:31.432323: | child state #2: PARENT_I2(open IKE SA) => V2_IPSEC_I(established CHILD SA) Sep 21 07:16:31.432326: | Message ID: updating counters for #2 to 1 after switching state Sep 21 07:16:31.432332: | Message ID: recv #1.#2 response 1; ike: initiator.sent=1 initiator.recv=0->1 responder.sent=-1 responder.recv=-1; child: wip.initiator=1->-1 wip.responder=-1 Sep 21 07:16:31.432337: | Message ID: #1.#2 skipping update_send as nothing to send; initiator.sent=1 initiator.recv=1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1 Sep 21 07:16:31.432339: | pstats #2 ikev2.child established Sep 21 07:16:31.432348: "north-eastnets/0x1" #2: negotiated connection [192.0.3.0-192.0.3.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] Sep 21 07:16:31.432358: | 
NAT-T: encaps is 'auto' Sep 21 07:16:31.432363: "north-eastnets/0x1" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x0ecbd618 <0x2d973bf0 xfrm=AES_CBC_128-HMAC_SHA2_512_256 NATOA=none NATD=none DPD=passive} Sep 21 07:16:31.432368: | releasing whack for #2 (sock=fd@26) Sep 21 07:16:31.432372: | close_any(fd@26) (in release_whack() at state.c:654) Sep 21 07:16:31.432374: | releasing whack and unpending for parent #1 Sep 21 07:16:31.432377: | unpending state #1 connection "north-eastnets/0x1" Sep 21 07:16:31.432385: | delete from pending Child SA with 192.1.2.23 "north-eastnets/0x1" Sep 21 07:16:31.432388: | removing pending policy for no connection {0x5621a132ea30} Sep 21 07:16:31.432392: | FOR_EACH_STATE_... in find_pending_phase2 Sep 21 07:16:31.432396: | creating state object #3 at 0x5621a13a9180 Sep 21 07:16:31.432399: | State DB: adding IKEv2 state #3 in UNDEFINED Sep 21 07:16:31.432405: | pstats #3 ikev2.child started Sep 21 07:16:31.432408: | duplicating state object #1 "north-eastnets/0x2" as #3 for IPSEC SA Sep 21 07:16:31.432413: | #3 setting local endpoint to 192.1.3.33:500 from #1.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:16:31.432419: | Message ID: init_child #1.#3; ike: initiator.sent=1 initiator.recv=1 responder.sent=-1 responder.recv=-1; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:31.432424: | suspend processing: state #2 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5634) Sep 21 07:16:31.432429: | start processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5634) Sep 21 07:16:31.432433: | child state #3: UNDEFINED(ignore) => V2_CREATE_I0(established IKE SA) Sep 21 07:16:31.432436: | create child proposal's DH changed from no-PFS to MODP2048, flushing Sep 21 07:16:31.432439: | constructing ESP/AH proposals with default DH MODP2048 for north-eastnets/0x2 (ESP/AH initiator emitting 
proposals) Sep 21 07:16:31.432443: | converting proposal AES_CBC_128-HMAC_SHA2_512_256-MODP3072 to ikev2 ... Sep 21 07:16:31.432450: | ... ikev2_proposal: 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Sep 21 07:16:31.432454: "north-eastnets/0x2": constructed local ESP/AH proposals for north-eastnets/0x2 (ESP/AH initiator emitting proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Sep 21 07:16:31.432462: | #3 schedule initiate IPsec SA RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO using IKE# 1 pfs=MODP3072 Sep 21 07:16:31.432466: | event_schedule: new EVENT_v2_INITIATE_CHILD-pe@0x5621a13acfd0 Sep 21 07:16:31.432470: | inserting event EVENT_v2_INITIATE_CHILD, timeout in 0 seconds for #3 Sep 21 07:16:31.432473: | libevent_malloc: new ptr-libevent@0x7f08c8006900 size 128 Sep 21 07:16:31.432479: | RESET processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5734) Sep 21 07:16:31.432483: | RESET processing: from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5734) Sep 21 07:16:31.432487: | delete from pending Child SA with 192.1.2.23 "north-eastnets/0x2" Sep 21 07:16:31.432489: | removing pending policy for no connection {0x5621a13777c0} Sep 21 07:16:31.432493: | close_any(fd@24) (in release_whack() at state.c:654) Sep 21 07:16:31.432497: | #2 will start re-keying in 28048 seconds with margin of 752 seconds (attempting re-key) Sep 21 07:16:31.432500: | event_schedule: new EVENT_SA_REKEY-pe@0x5621a13ada60 Sep 21 07:16:31.432503: | inserting event EVENT_SA_REKEY, timeout in 28048 seconds for #2 Sep 21 07:16:31.432506: | libevent_malloc: new ptr-libevent@0x5621a13acb40 size 128 Sep 21 07:16:31.432509: | processing: STOP state #0 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:31.432513: | #1 spent 2.03 milliseconds in ikev2_process_packet() Sep 21 07:16:31.432517: | processing: STOP state #0 (in 
process_md() at demux.c:382) Sep 21 07:16:31.432520: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:31.432524: | spent 2.04 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:31.432535: | spent 0.00207 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:31.432546: | *received 440 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500)
Sep 21 07:16:31.432617: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Sep 21 07:16:31.432621: | **parse ISAKMP Message: Sep 21 07:16:31.432623: | initiator cookie: Sep 21 07:16:31.432625: | cc 16 75 8d 92 e6 25 81 Sep 21 07:16:31.432628: | responder cookie: Sep 21 07:16:31.432630: | 00 00 00 00 00 00 00 00 Sep 21 07:16:31.432633: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:31.432635: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.432638: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:16:31.432640: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:31.432643: | Message ID: 0 (0x0) Sep 21 07:16:31.432645: | length: 440 (0x1b8) Sep 21 07:16:31.432648: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Sep 21 07:16:31.432651: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Sep 21 07:16:31.432654: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Sep 21 07:16:31.432657: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:16:31.432660: | ***parse IKEv2 Security Association Payload: Sep 21 07:16:31.432663: | next payload type: ISAKMP_NEXT_v2KE (0x22) Sep 21 07:16:31.432665: | flags: none (0x0) Sep 21 07:16:31.432667: | length: 48 (0x30) Sep 21 07:16:31.432670: | processing payload: ISAKMP_NEXT_v2SA (len=44) Sep 21 07:16:31.432672: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:16:31.432675: | ***parse IKEv2 Key
Exchange Payload: Sep 21 07:16:31.432677: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:16:31.432680: | flags: none (0x0) Sep 21 07:16:31.432682: | length: 264 (0x108) Sep 21 07:16:31.432684: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:31.432687: | processing payload: ISAKMP_NEXT_v2KE (len=256) Sep 21 07:16:31.432689: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 21 07:16:31.432691: | ***parse IKEv2 Nonce Payload: Sep 21 07:16:31.432694: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:31.432698: | flags: none (0x0) Sep 21 07:16:31.432700: | length: 36 (0x24) Sep 21 07:16:31.432702: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:16:31.432705: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:16:31.432707: | ***parse IKEv2 Notify Payload: Sep 21 07:16:31.432710: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:31.432712: | flags: none (0x0) Sep 21 07:16:31.432714: | length: 8 (0x8) Sep 21 07:16:31.432717: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:31.432719: | SPI size: 0 (0x0) Sep 21 07:16:31.432722: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:16:31.432724: | processing payload: ISAKMP_NEXT_v2N (len=0) Sep 21 07:16:31.432726: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:16:31.432729: | ***parse IKEv2 Notify Payload: Sep 21 07:16:31.432731: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:31.432734: | flags: none (0x0) Sep 21 07:16:31.432736: | length: 28 (0x1c) Sep 21 07:16:31.432738: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:31.432741: | SPI size: 0 (0x0) Sep 21 07:16:31.432743: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:16:31.432745: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:16:31.432748: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:16:31.432750: | ***parse IKEv2 Notify Payload: Sep 21 07:16:31.432752: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 
07:16:31.432755: | flags: none (0x0) Sep 21 07:16:31.432757: | length: 28 (0x1c) Sep 21 07:16:31.432759: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:31.432762: | SPI size: 0 (0x0) Sep 21 07:16:31.432764: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:16:31.432766: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:16:31.432769: | DDOS disabled and no cookie sent, continuing Sep 21 07:16:31.432774: | find_host_connection local=192.1.3.33:500 remote=192.1.2.23:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:16:31.432779: | find_host_pair: comparing 192.1.3.33:500 to 192.1.2.23:500 but ignoring ports Sep 21 07:16:31.432786: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:16:31.432792: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-eastnets/0x2) Sep 21 07:16:31.432795: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-eastnets/0x1) Sep 21 07:16:31.432797: | find_next_host_connection returns empty Sep 21 07:16:31.432801: | find_host_connection local=192.1.3.33:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:16:31.432804: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:16:31.432807: | find_next_host_connection returns empty Sep 21 07:16:31.432810: | initial parent SA message received on 192.1.3.33:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Sep 21 07:16:31.432815: | find_host_connection local=192.1.3.33:500 remote=192.1.2.23:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:16:31.432820: | find_host_pair: comparing 192.1.3.33:500 to 192.1.2.23:500 but ignoring ports Sep 21 07:16:31.432822: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:16:31.432825: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-eastnets/0x2) Sep 21 07:16:31.432828: | find_next_host_connection returns 
north-eastnets/0x2 Sep 21 07:16:31.432830: | found connection: north-eastnets/0x2 with policy RSASIG+IKEV2_ALLOW Sep 21 07:16:31.432854: | creating state object #4 at 0x5621a13b5220 Sep 21 07:16:31.432857: | State DB: adding IKEv2 state #4 in UNDEFINED Sep 21 07:16:31.432862: | pstats #4 ikev2.ike started Sep 21 07:16:31.432865: | Message ID: init #4: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Sep 21 07:16:31.432868: | parent state #4: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Sep 21 07:16:31.432873: | Message ID: init_ike #4; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:31.432881: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:16:31.432885: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:16:31.432889: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:16:31.432892: | #4 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Sep 21 07:16:31.432896: | Message ID: #4 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Sep 21 07:16:31.432900: | Message ID: start-responder #4 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Sep 21 07:16:31.432903: | #4 in state PARENT_R0: processing SA_INIT request Sep 21 07:16:31.432906: | selected state microcode Respond to IKE_SA_INIT Sep 21 07:16:31.432908: | Now let's proceed with state specific processing Sep 21 07:16:31.432911: | calling processor Respond to IKE_SA_INIT Sep 21 07:16:31.432917: | #4 updating local interface from 192.1.3.33:500 to 192.1.3.33:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:16:31.432922: | using existing local IKE proposals 
for connection north-eastnets/0x2 (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Sep 21 07:16:31.432925: | Comparing remote proposals against IKE responder 1 local proposals Sep 21 07:16:31.432928: | local proposal 1 type ENCR has 1 transforms Sep 21 07:16:31.432931: | local proposal 1 type PRF has 1 transforms Sep 21 07:16:31.432946: | local proposal 1 type INTEG has 1 transforms Sep 21 07:16:31.432948: | local proposal 1 type DH has 1 transforms Sep 21 07:16:31.432951: | local proposal 1 type ESN has 0 transforms Sep 21 07:16:31.432954: | local proposal 1 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:16:31.432957: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.432959: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.432961: | length: 44 (0x2c) Sep 21 07:16:31.432964: | prop #: 1 (0x1) Sep 21 07:16:31.432966: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:16:31.432968: | spi size: 0 (0x0) Sep 21 07:16:31.432971: | # transforms: 4 (0x4) Sep 21 07:16:31.432974: | Comparing remote proposal 1 containing 4 transforms against local proposal [1..1] of 1 local proposals Sep 21 07:16:31.432977: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.432979: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.432981: | length: 12 (0xc) Sep 21 07:16:31.432984: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.432986: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.432989: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.432992: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.432994: | length/value: 256 (0x100) Sep 21 07:16:31.432998: | remote proposal 1 transform 0 (ENCR=AES_CBC_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:16:31.433001: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.433003: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 
07:16:31.433005: | length: 8 (0x8) Sep 21 07:16:31.433008: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:31.433010: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:16:31.433013: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_256) matches local proposal 1 type 2 (PRF) transform 0 Sep 21 07:16:31.433016: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.433018: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.433020: | length: 8 (0x8) Sep 21 07:16:31.433023: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.433025: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:16:31.433030: | remote proposal 1 transform 2 (INTEG=HMAC_SHA2_256_128) matches local proposal 1 type 3 (INTEG) transform 0 Sep 21 07:16:31.433032: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.433035: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.433037: | length: 8 (0x8) Sep 21 07:16:31.433039: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:31.433041: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:31.433045: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Sep 21 07:16:31.433049: | remote proposal 1 proposed transforms: ENCR+PRF+INTEG+DH; matched: ENCR+PRF+INTEG+DH; unmatched: none Sep 21 07:16:31.433053: | comparing remote proposal 1 containing ENCR+PRF+INTEG+DH transforms to local proposal 1; required: ENCR+PRF+INTEG+DH; optional: none; matched: ENCR+PRF+INTEG+DH Sep 21 07:16:31.433056: | remote proposal 1 matches local proposal 1 Sep 21 07:16:31.433060: "north-eastnets/0x2" #4: proposal 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match] Sep 21 07:16:31.433064: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Sep 21 
07:16:31.433067: | converting proposal to internal trans attrs Sep 21 07:16:31.433071: | natd_hash: rcookie is zero Sep 21 07:16:31.433079: | natd_hash: hasher=0x56219f9fc7a0(20) Sep 21 07:16:31.433081: | natd_hash: icookie= cc 16 75 8d 92 e6 25 81 Sep 21 07:16:31.433084: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:16:31.433086: | natd_hash: ip= c0 01 03 21 Sep 21 07:16:31.433088: | natd_hash: port= 01 f4 Sep 21 07:16:31.433090: | natd_hash: hash= cf a3 d9 cc 23 0d f5 f4 4e 65 38 55 ce 45 2d 4d Sep 21 07:16:31.433093: | natd_hash: hash= 11 dd e0 94 Sep 21 07:16:31.433095: | natd_hash: rcookie is zero Sep 21 07:16:31.433100: | natd_hash: hasher=0x56219f9fc7a0(20) Sep 21 07:16:31.433102: | natd_hash: icookie= cc 16 75 8d 92 e6 25 81 Sep 21 07:16:31.433105: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:16:31.433107: | natd_hash: ip= c0 01 02 17 Sep 21 07:16:31.433109: | natd_hash: port= 01 f4 Sep 21 07:16:31.433111: | natd_hash: hash= 4b 9a 43 9c 55 f8 84 08 22 78 46 fe 29 b8 63 5e Sep 21 07:16:31.433113: | natd_hash: hash= e9 73 15 66 Sep 21 07:16:31.433116: | NAT_TRAVERSAL encaps using auto-detect Sep 21 07:16:31.433118: | NAT_TRAVERSAL this end is NOT behind NAT Sep 21 07:16:31.433120: | NAT_TRAVERSAL that end is NOT behind NAT Sep 21 07:16:31.433123: | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.23 Sep 21 07:16:31.433129: | adding ikev2_inI1outR1 KE work-order 3 for state #4 Sep 21 07:16:31.433132: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5621a13adf50 Sep 21 07:16:31.433135: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #4 Sep 21 07:16:31.433138: | libevent_malloc: new ptr-libevent@0x5621a13afd70 size 128 Sep 21 07:16:31.433147: | #4 spent 0.232 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Sep 21 07:16:31.433167: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.433170: | #4 
complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Sep 21 07:16:31.433172: | suspending state #4 and saving MD Sep 21 07:16:31.433173: | crypto helper 2 resuming Sep 21 07:16:31.433175: | #4 is busy; has a suspended MD Sep 21 07:16:31.433184: | crypto helper 2 starting work-order 3 for state #4 Sep 21 07:16:31.433192: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:31.433196: | crypto helper 2 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 3 Sep 21 07:16:31.433197: | "north-eastnets/0x2" #4 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:31.433204: | stop processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:31.433209: | #4 spent 0.662 milliseconds in ikev2_process_packet() Sep 21 07:16:31.433213: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Sep 21 07:16:31.433215: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:31.433218: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:31.433222: | spent 0.675 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:31.433229: | timer_event_cb: processing event@0x5621a13acfd0 Sep 21 07:16:31.433232: | handling event EVENT_v2_INITIATE_CHILD for child state #3 Sep 21 07:16:31.433237: | start processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in timer_event_cb() at timer.c:250) Sep 21 07:16:31.433243: | adding Child Initiator KE and nonce ni work-order 4 for state #3 Sep 21 07:16:31.433246: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5621a13aeaa0 Sep 21 07:16:31.433250: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 Sep 21 07:16:31.433253: | libevent_malloc: new ptr-libevent@0x5621a132b7d0 size 128 Sep 21 
07:16:31.433255: | libevent_realloc: release ptr-libevent@0x5621a1387710 Sep 21 07:16:31.433259: | libevent_realloc: new ptr-libevent@0x5621a13a4310 size 128 Sep 21 07:16:31.433265: | libevent_free: release ptr-libevent@0x7f08c8006900 Sep 21 07:16:31.433268: | free_event_entry: release EVENT_v2_INITIATE_CHILD-pe@0x5621a13acfd0 Sep 21 07:16:31.433272: | #3 spent 0.0415 milliseconds in timer_event_cb() EVENT_v2_INITIATE_CHILD Sep 21 07:16:31.433272: | crypto helper 3 resuming Sep 21 07:16:31.433277: | stop processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in timer_event_cb() at timer.c:557) Sep 21 07:16:31.433288: | processing signal PLUTO_SIGCHLD Sep 21 07:16:31.433283: | crypto helper 3 starting work-order 4 for state #3 Sep 21 07:16:31.433294: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:31.433300: | crypto helper 3 doing build KE and nonce (Child Initiator KE and nonce ni); request ID 4 Sep 21 07:16:31.433304: | spent 0.00839 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:31.433306: | processing signal PLUTO_SIGCHLD Sep 21 07:16:31.433310: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:31.433313: | spent 0.00344 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:31.433315: | processing signal PLUTO_SIGCHLD Sep 21 07:16:31.433319: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:31.433322: | spent 0.00327 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:31.435103: | crypto helper 3 finished build KE and nonce (Child Initiator KE and nonce ni); request ID 4 time elapsed 0.001802 seconds Sep 21 07:16:31.435105: | crypto helper 2 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 3 time elapsed 0.001909 seconds Sep 21 07:16:31.435116: | (#3) spent 1.36 milliseconds in crypto helper computing work-order 4: Child Initiator KE and nonce ni (pcr) Sep 21 07:16:31.435123: | (#4) spent 0.607 milliseconds in crypto helper computing work-order 3: ikev2_inI1outR1 
KE (pcr) Sep 21 07:16:31.435123: | crypto helper 3 sending results from work-order 4 for state #3 to event queue Sep 21 07:16:31.435127: | crypto helper 2 sending results from work-order 3 for state #4 to event queue Sep 21 07:16:31.435131: | scheduling resume sending helper answer for #3 Sep 21 07:16:31.435134: | scheduling resume sending helper answer for #4 Sep 21 07:16:31.435139: | libevent_malloc: new ptr-libevent@0x7f08b8005780 size 128 Sep 21 07:16:31.435144: | libevent_malloc: new ptr-libevent@0x7f08c4006900 size 128 Sep 21 07:16:31.435151: | crypto helper 3 waiting (nothing to do) Sep 21 07:16:31.435156: | crypto helper 2 waiting (nothing to do) Sep 21 07:16:31.435160: | processing resume sending helper answer for #3 Sep 21 07:16:31.435171: | start processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:797) Sep 21 07:16:31.435175: | crypto helper 3 replies to request ID 4 Sep 21 07:16:31.435178: | calling continuation function 0x56219f926630 Sep 21 07:16:31.435185: | ikev2_child_outI_continue for #3 STATE_V2_CREATE_I0 Sep 21 07:16:31.435188: | state #3 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:31.435191: | libevent_free: release ptr-libevent@0x5621a132b7d0 Sep 21 07:16:31.435194: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5621a13aeaa0 Sep 21 07:16:31.435197: | event_schedule: new EVENT_SA_REPLACE-pe@0x5621a13aeaa0 Sep 21 07:16:31.435200: | inserting event EVENT_SA_REPLACE, timeout in 200 seconds for #3 Sep 21 07:16:31.435203: | libevent_malloc: new ptr-libevent@0x5621a132b7d0 size 128 Sep 21 07:16:31.435208: | Message ID: #1 wakeing IKE SA (unack 0); initiator.sent=1 initiator.recv=1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1 Sep 21 07:16:31.435211: | scheduling callback v2_msgid_schedule_next_initiator (#1) Sep 21 07:16:31.435214: | libevent_malloc: new ptr-libevent@0x7f08c8006900 size 128 Sep 21 07:16:31.435219: | [RE]START processing: state #3 
connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.435223: | #3 complete_v2_state_transition() V2_CREATE_I0->V2_CREATE_I with status STF_SUSPEND Sep 21 07:16:31.435225: | suspending state #3 and saving MD Sep 21 07:16:31.435227: | #3 is busy; has a suspended MD Sep 21 07:16:31.435232: | [RE]START processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:31.435235: | "north-eastnets/0x2" #3 complete v2 state STATE_V2_CREATE_I0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:31.435238: | resume sending helper answer for #3 suppresed complete_v2_state_transition() Sep 21 07:16:31.435243: | #3 spent 0.0668 milliseconds in resume sending helper answer Sep 21 07:16:31.435260: | stop processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:833) Sep 21 07:16:31.435263: | libevent_free: release ptr-libevent@0x7f08b8005780 Sep 21 07:16:31.435266: | processing resume sending helper answer for #4 Sep 21 07:16:31.435270: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:797) Sep 21 07:16:31.435273: | crypto helper 2 replies to request ID 3 Sep 21 07:16:31.435275: | calling continuation function 0x56219f926630 Sep 21 07:16:31.435278: | ikev2_parent_inI1outR1_continue for #4: calculated ke+nonce, sending R1 Sep 21 07:16:31.435284: | **emit ISAKMP Message: Sep 21 07:16:31.435286: | initiator cookie: Sep 21 07:16:31.435288: | cc 16 75 8d 92 e6 25 81 Sep 21 07:16:31.435291: | responder cookie: Sep 21 07:16:31.435293: | 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:31.435296: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:31.435298: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.435301: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:16:31.435304: | flags: 
ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:16:31.435306: | Message ID: 0 (0x0) Sep 21 07:16:31.435309: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:31.435312: | Emitting ikev2_proposal ... Sep 21 07:16:31.435314: | ***emit IKEv2 Security Association Payload: Sep 21 07:16:31.435317: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.435319: | flags: none (0x0) Sep 21 07:16:31.435322: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:31.435325: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.435328: | ****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.435330: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.435334: | prop #: 1 (0x1) Sep 21 07:16:31.435337: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:16:31.435339: | spi size: 0 (0x0) Sep 21 07:16:31.435341: | # transforms: 4 (0x4) Sep 21 07:16:31.435344: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:31.435347: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.435349: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.435352: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.435354: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.435357: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.435360: | ******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.435362: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.435364: | length/value: 256 (0x100) Sep 21 07:16:31.435367: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:16:31.435369: | *****emit IKEv2 Transform Substructure Payload: Sep 
21 07:16:31.435372: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.435374: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:31.435377: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:16:31.435379: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.435382: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.435385: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.435387: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.435389: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.435392: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.435394: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:16:31.435397: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.435399: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.435402: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.435405: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.435407: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.435409: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:31.435412: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:31.435414: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.435417: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.435420: | emitting length of IKEv2 
Transform Substructure Payload: 8 Sep 21 07:16:31.435422: | emitting length of IKEv2 Proposal Substructure Payload: 44 Sep 21 07:16:31.435425: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:16:31.435427: | emitting length of IKEv2 Security Association Payload: 48 Sep 21 07:16:31.435430: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:31.435432: | ***emit IKEv2 Key Exchange Payload: Sep 21 07:16:31.435435: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.435437: | flags: none (0x0) Sep 21 07:16:31.435440: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:31.435443: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 07:16:31.435447: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.435450: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Sep 21
07:16:31.435489: | emitting length of IKEv2 Key Exchange Payload: 264 Sep 21 07:16:31.435492: | ***emit IKEv2 Nonce Payload: Sep 21 07:16:31.435494: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:31.435496: | flags: none (0x0) Sep 21 07:16:31.435499: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Sep 21 07:16:31.435502: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:16:31.435505: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.435508: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:16:31.435510: | IKEv2 nonce 2f d3 77 3e e9 e5 6c a7 13 1f 5b 83 9e 85 08 83 Sep 21 07:16:31.435512: | IKEv2 nonce 4d 03 12 fc 99 e0 69 08 88 80 f2 fc a8 2c 38 cc Sep 21 07:16:31.435515: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:16:31.435518: | Adding a v2N Payload Sep 21 07:16:31.435520: | ***emit IKEv2 Notify Payload: Sep 21 07:16:31.435523: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.435525: | flags: none (0x0) Sep 21 07:16:31.435527: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:31.435530: | SPI size: 0 (0x0) Sep 21 07:16:31.435533: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:16:31.435536: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next
payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:31.435538: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.435541: | emitting length of IKEv2 Notify Payload: 8 Sep 21 07:16:31.435544: | NAT-Traversal support [enabled] add v2N payloads. Sep 21 07:16:31.435552: | natd_hash: hasher=0x56219f9fc7a0(20) Sep 21 07:16:31.435555: | natd_hash: icookie= cc 16 75 8d 92 e6 25 81 Sep 21 07:16:31.435557: | natd_hash: rcookie= 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:31.435560: | natd_hash: ip= c0 01 03 21 Sep 21 07:16:31.435562: | natd_hash: port= 01 f4 Sep 21 07:16:31.435564: | natd_hash: hash= 7a d0 7a cc f1 19 bb 1d 11 c9 7b 93 3f 92 d6 f4 Sep 21 07:16:31.435567: | natd_hash: hash= 96 e4 b3 db Sep 21 07:16:31.435569: | Adding a v2N Payload Sep 21 07:16:31.435571: | ***emit IKEv2 Notify Payload: Sep 21 07:16:31.435575: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.435577: | flags: none (0x0) Sep 21 07:16:31.435579: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:31.435582: | SPI size: 0 (0x0) Sep 21 07:16:31.435584: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:16:31.435587: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:31.435590: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.435593: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:16:31.435595: | Notify data 7a d0 7a cc f1 19 bb 1d 11 c9 7b 93 3f 92 d6 f4 Sep 21 07:16:31.435598: | Notify data 96 e4 b3 db Sep 21 07:16:31.435600: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:16:31.435606: | natd_hash: hasher=0x56219f9fc7a0(20) Sep 21 07:16:31.435608: | natd_hash: icookie= cc 16 75 8d 92 e6 25 81 Sep 21 07:16:31.435611: | natd_hash: rcookie= 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:31.435613: | 
natd_hash: ip= c0 01 02 17 Sep 21 07:16:31.435615: | natd_hash: port= 01 f4 Sep 21 07:16:31.435617: | natd_hash: hash= 58 6e 33 b5 37 63 77 ea 9a 70 23 69 9c ae 54 25 Sep 21 07:16:31.435619: | natd_hash: hash= 25 62 c9 4d Sep 21 07:16:31.435622: | Adding a v2N Payload Sep 21 07:16:31.435624: | ***emit IKEv2 Notify Payload: Sep 21 07:16:31.435626: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.435628: | flags: none (0x0) Sep 21 07:16:31.435631: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:31.435633: | SPI size: 0 (0x0) Sep 21 07:16:31.435635: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:16:31.435638: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:31.435641: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.435644: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:16:31.435646: | Notify data 58 6e 33 b5 37 63 77 ea 9a 70 23 69 9c ae 54 25 Sep 21 07:16:31.435648: | Notify data 25 62 c9 4d Sep 21 07:16:31.435651: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:16:31.435653: | emitting length of ISAKMP Message: 440 Sep 21 07:16:31.435659: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.435663: | #4 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Sep 21 07:16:31.435665: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Sep 21 07:16:31.435668: | parent state #4: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Sep 21 07:16:31.435671: | Message ID: updating counters for #4 to 0 after switching state Sep 21 07:16:31.435676: | Message ID: recv #4 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 
Sep 21 07:16:31.435680: | Message ID: sent #4 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Sep 21 07:16:31.435684: "north-eastnets/0x2" #4: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048} Sep 21 07:16:31.435689: | sending V2 new request packet to 192.1.2.23:500 (from 192.1.3.33:500) Sep 21 07:16:31.435694: | sending 440 bytes for STATE_PARENT_R0 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #4) Sep 21
07:16:31.435820: | state #4 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:31.435840: | libevent_free: release ptr-libevent@0x5621a13afd70 Sep 21 07:16:31.435843: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5621a13adf50 Sep 21 07:16:31.435845: | event_schedule: new EVENT_SO_DISCARD-pe@0x5621a13adf50 Sep 21 07:16:31.435849: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #4 Sep 21 07:16:31.435851: | libevent_malloc: new ptr-libevent@0x5621a13afd70 size 128 Sep 21 07:16:31.435855: | resume sending helper answer for #4 suppresed complete_v2_state_transition() Sep 21 07:16:31.435859: | #4 spent 0.541 milliseconds in resume sending helper answer Sep 21 07:16:31.435864: | stop processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:833) Sep 21 07:16:31.435867: | libevent_free: release ptr-libevent@0x7f08c4006900 Sep 21 07:16:31.435871: | processing callback v2_msgid_schedule_next_initiator for #1 Sep 21 07:16:31.435876: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in callback_handler() at server.c:904) Sep 21 07:16:31.435881: | Message ID: #1.#3 resuming SA using IKE SA (unack 0); initiator.sent=1 initiator.recv=1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1 Sep 21 07:16:31.435886: | suspend
processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in initiate_next() at ikev2_msgid.c:553) Sep 21 07:16:31.435890: | start processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in initiate_next() at ikev2_msgid.c:553) Sep 21 07:16:31.435894: | **emit ISAKMP Message: Sep 21 07:16:31.435897: | initiator cookie: Sep 21 07:16:31.435899: | df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:31.435901: | responder cookie: Sep 21 07:16:31.435903: | 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:31.435906: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:31.435908: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.435911: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Sep 21 07:16:31.435914: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:31.435916: | Message ID: 2 (0x2) Sep 21 07:16:31.435924: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:31.435927: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:31.435929: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.435932: | flags: none (0x0) Sep 21 07:16:31.435935: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:31.435937: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.435940: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:31.435958: | netlink_get_spi: allocated 0xc8d0fe50 for esp.0@192.1.3.33 Sep 21 07:16:31.435961: | Emitting ikev2_proposals ... 
Sep 21 07:16:31.435964: | ****emit IKEv2 Security Association Payload: Sep 21 07:16:31.435966: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.435969: | flags: none (0x0) Sep 21 07:16:31.435972: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:31.435974: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.435977: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.435980: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.435982: | prop #: 1 (0x1) Sep 21 07:16:31.435985: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:31.435987: | spi size: 4 (0x4) Sep 21 07:16:31.435989: | # transforms: 4 (0x4) Sep 21 07:16:31.435992: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:31.435995: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:16:31.435997: | our spi c8 d0 fe 50 Sep 21 07:16:31.436000: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.436002: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.436005: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.436007: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.436010: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.436012: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.436015: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.436017: | length/value: 128 (0x80) Sep 21 07:16:31.436020: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:16:31.436022: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.436025: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 
07:16:31.436027: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.436030: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:31.436033: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.436036: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.436038: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.436041: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.436043: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.436046: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:31.436048: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:31.436051: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.436053: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.436056: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.436060: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.436062: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.436065: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:31.436067: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:31.436070: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.436072: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.436075: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.436077: | emitting length 
of IKEv2 Proposal Substructure Payload: 48 Sep 21 07:16:31.436080: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:16:31.436083: | emitting length of IKEv2 Security Association Payload: 52 Sep 21 07:16:31.436085: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:31.436088: | ****emit IKEv2 Nonce Payload: Sep 21 07:16:31.436090: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.436093: | flags: none (0x0) Sep 21 07:16:31.436096: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:16:31.436098: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.436101: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:16:31.436104: | IKEv2 nonce 68 53 31 bd 6b 2d a1 bc af 7d 3a ba 46 f4 32 43 Sep 21 07:16:31.436106: | IKEv2 nonce e7 16 99 7f 1c 22 15 ef 6c 00 cf a7 2b 68 33 ca Sep 21 07:16:31.436108: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:16:31.436111: | ****emit IKEv2 Key Exchange Payload: Sep 21 07:16:31.436113: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.436115: | flags: none (0x0) Sep 21 07:16:31.436118: | DH group: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:31.436121: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 07:16:31.436123: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.436126: | emitting 384 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Sep 21
07:16:31.436186: | emitting length of IKEv2 Key Exchange Payload: 392 Sep 21 07:16:31.436189: | ****emit IKEv2 Traffic
Selector - Initiator - Payload: Sep 21 07:16:31.436191: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.436193: | flags: none (0x0) Sep 21 07:16:31.436210: | number of TS: 1 (0x1) Sep 21 07:16:31.436213: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:16:31.436216: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.436219: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:31.436221: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.436224: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.436226: | start port: 0 (0x0) Sep 21 07:16:31.436228: | end port: 65535 (0xffff) Sep 21 07:16:31.436232: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:16:31.436234: | IP start c0 00 03 00 Sep 21 07:16:31.436237: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:31.436239: | IP end c0 00 03 ff Sep 21 07:16:31.436241: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:31.436244: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:16:31.436246: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:31.436249: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.436251: | flags: none (0x0) Sep 21 07:16:31.436253: | number of TS: 1 (0x1) Sep 21 07:16:31.436256: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:16:31.436259: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.436262: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:31.436264: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.436266: | IP Protocol 
ID: 0 (0x0) Sep 21 07:16:31.436269: | start port: 0 (0x0) Sep 21 07:16:31.436271: | end port: 65535 (0xffff) Sep 21 07:16:31.436274: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:16:31.436276: | IP start c0 00 16 00 Sep 21 07:16:31.436279: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:31.436281: | IP end c0 00 16 ff Sep 21 07:16:31.436283: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:31.436286: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:16:31.436288: | Initiator child policy is tunnel mode, NOT sending v2N_USE_TRANSPORT_MODE Sep 21 07:16:31.436291: | adding 16 bytes of padding (including 1 byte padding-length) Sep 21 07:16:31.436295: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.436298: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.436300: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.436303: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.436306: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.436309: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.436312: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.436315: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.436318: | emitting 1 0x08 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.436321: | emitting 1 0x09 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.436323: | emitting 1 0x0a repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.436326: | emitting 1 0x0b repeated bytes of padding and 
length into IKEv2 Encryption Payload Sep 21 07:16:31.436329: | emitting 1 0x0c repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.436332: | emitting 1 0x0d repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.436334: | emitting 1 0x0e repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.436337: | emitting 1 0x0f repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.436340: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:31.436342: | emitting length of IKEv2 Encryption Payload: 580 Sep 21 07:16:31.436345: | emitting length of ISAKMP Message: 608
Sep 21 07:16:31.436470: | out calculated auth: Sep 21 07:16:31.436472: | 42 5a 1d 94 22 97 61 a5 3e 9a 81 07 53 71 fe b6 Sep 21 07:16:31.436478: | [RE]START processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.436482: | #3 complete_v2_state_transition() V2_CREATE_I0->V2_CREATE_I with status STF_OK Sep 21 07:16:31.436485: | IKEv2: transition from state STATE_V2_CREATE_I0 to state STATE_V2_CREATE_I Sep 21 07:16:31.436488: | child state #3: V2_CREATE_I0(established IKE SA) => V2_CREATE_I(established IKE SA) Sep 21 07:16:31.436491: | Message ID: updating counters for #3 to 4294967295 after switching state Sep 21 07:16:31.436493: | Message ID: IKE #1 skipping update_recv as MD is fake Sep 21 07:16:31.436498: | Message ID: sent #1.#3 request 2; ike: initiator.sent=1->2 initiator.recv=1 responder.sent=-1 responder.recv=-1; child: wip.initiator=-1->2 wip.responder=-1 Sep 21 07:16:31.436501: "north-eastnets/0x2" #3: STATE_V2_CREATE_I: sent IPsec Child req wait response Sep 21 07:16:31.436511: | sending V2 reply packet to 192.1.2.23:500 (from 192.1.3.33:500) Sep 21 07:16:31.436516: | sending 608 bytes for STATE_V2_CREATE_I0 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #1)
Sep 21 07:16:31.436623: | state #3 requesting EVENT_SA_REPLACE to be deleted Sep 21 07:16:31.436627: | libevent_free: release ptr-libevent@0x5621a132b7d0 Sep 21 07:16:31.436630: | free_event_entry: release EVENT_SA_REPLACE-pe@0x5621a13aeaa0 Sep 21 07:16:31.436633: | success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=500ms Sep 21 07:16:31.436636: | event_schedule: new EVENT_RETRANSMIT-pe@0x5621a13aeaa0 Sep 21 07:16:31.436640: | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #3 Sep 21 07:16:31.436642: | libevent_malloc: new ptr-libevent@0x5621a132b7d0 size 128 Sep 21 07:16:31.436647: | #3 STATE_V2_CREATE_I: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 48837.8049 Sep 21 07:16:31.436652: | stop processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in initiate_next() at ikev2_msgid.c:557) Sep 21 07:16:31.436657: | resume processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in initiate_next() at ikev2_msgid.c:557) Sep 21 07:16:31.436661: | #1 spent 0.773 milliseconds in callback v2_msgid_schedule_next_initiator Sep 21 07:16:31.436666: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in callback_handler() at server.c:908) Sep 21 07:16:31.436669: | libevent_free: release ptr-libevent@0x7f08c8006900 Sep 21 07:16:31.441212: | spent 0.00239 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:31.441229: | *received 464 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500)
Sep 21 07:16:31.441280: | start processing: from 192.1.2.23:500 (in process_md()
at demux.c:378) Sep 21 07:16:31.441283: | **parse ISAKMP Message: Sep 21 07:16:31.441285: | initiator cookie: Sep 21 07:16:31.441286: | cc 16 75 8d 92 e6 25 81 Sep 21 07:16:31.441288: | responder cookie: Sep 21 07:16:31.441289: | 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:31.441291: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:16:31.441293: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.441294: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:16:31.441296: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:31.441298: | Message ID: 1 (0x1) Sep 21 07:16:31.441299: | length: 464 (0x1d0) Sep 21 07:16:31.441301: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Sep 21 07:16:31.441303: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Sep 21 07:16:31.441306: | State DB: found IKEv2 state #4 in PARENT_R1 (find_v2_ike_sa) Sep 21 07:16:31.441311: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:16:31.441313: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:16:31.441316: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:16:31.441318: | #4 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Sep 21 07:16:31.441321: | Message ID: #4 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Sep 21 07:16:31.441322: | unpacking clear payload Sep 21 07:16:31.441324: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:16:31.441326: | ***parse IKEv2 Encryption Payload: Sep 21 07:16:31.441328: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Sep 21 07:16:31.441329: | flags: none (0x0) Sep 21 07:16:31.441331: | length: 436 (0x1b4) Sep 21 07:16:31.441332: | processing payload: ISAKMP_NEXT_v2SK (len=432) Sep 21 07:16:31.441335: | Message ID: start-responder 
#4 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Sep 21 07:16:31.441337: | #4 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:16:31.441339: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:16:31.441341: | Now let's proceed with state specific processing Sep 21 07:16:31.441343: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:16:31.441345: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Sep 21 07:16:31.441348: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_256 integ=HMAC_SHA2_256_128 cipherkey=AES_CBC Sep 21 07:16:31.441350: | adding ikev2_inI2outR2 KE work-order 5 for state #4 Sep 21 07:16:31.441352: | state #4 requesting EVENT_SO_DISCARD to be deleted Sep 21 07:16:31.441354: | libevent_free: release ptr-libevent@0x5621a13afd70 Sep 21 07:16:31.441356: | free_event_entry: release EVENT_SO_DISCARD-pe@0x5621a13adf50 Sep 21 07:16:31.441358: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5621a13adf50 Sep 21 07:16:31.441361: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #4 Sep 21 07:16:31.441364: | libevent_malloc: new ptr-libevent@0x5621a13afd70 size 128 Sep 21 07:16:31.441372: | #4 spent 0.0258 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Sep 21 07:16:31.441391: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.441390: | crypto helper 4 resuming Sep 21 07:16:31.441396: | #4 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Sep 21 07:16:31.441405: | crypto helper 4 starting work-order 5 for state #4 Sep 21 07:16:31.441409: | suspending state #4 and saving MD Sep 21 07:16:31.441415: | crypto helper 4 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 5 Sep 21 07:16:31.441419: | #4 is 
busy; has a suspended MD Sep 21 07:16:31.441427: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:31.441430: | "north-eastnets/0x2" #4 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:31.441435: | stop processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:31.441440: | #4 spent 0.209 milliseconds in ikev2_process_packet() Sep 21 07:16:31.441444: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Sep 21 07:16:31.441446: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:31.441449: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:31.441453: | spent 0.223 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:31.441984: | calculating skeyseed using prf=sha2_256 integ=sha2_256 cipherkey-size=32 salt-size=0 Sep 21 07:16:31.442305: | crypto helper 4 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 5 time elapsed 0.00089 seconds Sep 21 07:16:31.442312: | (#4) spent 0.867 milliseconds in crypto helper computing work-order 5: ikev2_inI2outR2 KE (pcr) Sep 21 07:16:31.442314: | crypto helper 4 sending results from work-order 5 for state #4 to event queue Sep 21 07:16:31.442316: | scheduling resume sending helper answer for #4 Sep 21 07:16:31.442318: | libevent_malloc: new ptr-libevent@0x7f08bc0010a0 size 128 Sep 21 07:16:31.442324: | crypto helper 4 waiting (nothing to do) Sep 21 07:16:31.442332: | processing resume sending helper answer for #4 Sep 21 07:16:31.442339: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:797) Sep 21 07:16:31.442342: | crypto helper 4 replies to request ID 5 Sep 21 07:16:31.442343: | calling continuation function 0x56219f926630 Sep 21 
07:16:31.442345: | ikev2_parent_inI2outR2_continue for #4: calculating g^{xy}, sending R2 Sep 21 07:16:31.442347: | #4 in state PARENT_R1: received v2I1, sent v2R1
Sep 21 07:16:31.442404: | calculated auth: 9b 45 fb 16 f9 cb cf 46 27 99 e1 26 06 ce 89 72 Sep 21 07:16:31.442406: | provided auth: 9b 45 fb 16 f9 cb cf 46 27 99 e1 26 06 ce 89 72 Sep 21 07:16:31.442407: | authenticator matched Sep 21 07:16:31.442413: | #4 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Sep 21 07:16:31.442415: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Sep 21 07:16:31.442417: | **parse IKEv2 Identification - Initiator - Payload: Sep 21 07:16:31.442418: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Sep 21 07:16:31.442420: | flags: none (0x0) Sep 21 07:16:31.442422: | length: 12 (0xc) Sep 21 07:16:31.442423: | ID type: ID_FQDN (0x2) Sep 21 07:16:31.442425: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Sep 21 07:16:31.442426: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Sep 21 07:16:31.442428: | **parse IKEv2 Identification - Responder - Payload: Sep 21 07:16:31.442429: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Sep 21 07:16:31.442431: | flags: none (0x0) Sep 21 07:16:31.442432: | length: 13 (0xd) Sep 21 07:16:31.442434: | ID type: ID_FQDN (0x2) Sep 21 07:16:31.442435: | processing payload: ISAKMP_NEXT_v2IDr (len=5) Sep 21 07:16:31.442437: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Sep 21 07:16:31.442438: | **parse IKEv2 Authentication Payload: Sep 21 07:16:31.442440: | next
payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:31.442441: | flags: none (0x0) Sep 21 07:16:31.442443: | length: 282 (0x11a) Sep 21 07:16:31.442444: | auth method: IKEv2_AUTH_RSA (0x1) Sep 21 07:16:31.442446: | processing payload: ISAKMP_NEXT_v2AUTH (len=274) Sep 21 07:16:31.442447: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:16:31.442449: | **parse IKEv2 Security Association Payload: Sep 21 07:16:31.442450: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Sep 21 07:16:31.442452: | flags: none (0x0) Sep 21 07:16:31.442453: | length: 44 (0x2c) Sep 21 07:16:31.442454: | processing payload: ISAKMP_NEXT_v2SA (len=40) Sep 21 07:16:31.442456: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:16:31.442458: | **parse IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:16:31.442459: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:16:31.442460: | flags: none (0x0) Sep 21 07:16:31.442462: | length: 24 (0x18) Sep 21 07:16:31.442463: | number of TS: 1 (0x1) Sep 21 07:16:31.442465: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:16:31.442466: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:16:31.442468: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:31.442470: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.442472: | flags: none (0x0) Sep 21 07:16:31.442473: | length: 24 (0x18) Sep 21 07:16:31.442474: | number of TS: 1 (0x1) Sep 21 07:16:31.442476: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Sep 21 07:16:31.442477: | selected state microcode Responder: process IKE_AUTH request Sep 21 07:16:31.442479: | Now let's proceed with state specific processing Sep 21 07:16:31.442480: | calling processor Responder: process IKE_AUTH request Sep 21 07:16:31.442484: "north-eastnets/0x2" #4: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Sep 21 07:16:31.442488: | #4 updating local interface from 192.1.3.33:500 to 192.1.3.33:500 using md->iface (in 
update_ike_endpoints() at state.c:2668) Sep 21 07:16:31.442490: | received IDr payload - extracting our alleged ID Sep 21 07:16:31.442492: | refine_host_connection for IKEv2: starting with "north-eastnets/0x2" Sep 21 07:16:31.442495: | match_id a=@east Sep 21 07:16:31.442496: | b=@east Sep 21 07:16:31.442498: | results matched Sep 21 07:16:31.442500: | refine_host_connection: checking "north-eastnets/0x2" against "north-eastnets/0x2", best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Sep 21 07:16:31.442502: | Warning: not switching back to template of current instance Sep 21 07:16:31.442503: | Peer expects us to be @north (ID_FQDN) according to its IDr payload Sep 21 07:16:31.442505: | This connection's local id is @north (ID_FQDN) Sep 21 07:16:31.442507: | refine_host_connection: checked north-eastnets/0x2 against north-eastnets/0x2, now for see if best Sep 21 07:16:31.442510: | started looking for secret for @north->@east of kind PKK_RSA Sep 21 07:16:31.442511: | actually looking for secret for @north->@east of kind PKK_RSA Sep 21 07:16:31.442513: | line 1: key type PKK_RSA(@north) to type PKK_RSA Sep 21 07:16:31.442515: | 1: compared key (none) to @north / @east -> 002 Sep 21 07:16:31.442517: | 2: compared key (none) to @north / @east -> 002 Sep 21 07:16:31.442519: | line 1: match=002 Sep 21 07:16:31.442521: | match 002 beats previous best_match 000 match=0x5621a13990a0 (line=1) Sep 21 07:16:31.442523: | concluding with best_match=002 best=0x5621a13990a0 (lineno=1) Sep 21 07:16:31.442524: | returning because exact peer id match Sep 21 07:16:31.442526: | offered CA: '%none' Sep 21 07:16:31.442528: "north-eastnets/0x2" #4: IKEv2 mode peer ID is ID_FQDN: '@east' Sep 21 07:16:31.442538: | verifying AUTH payload Sep 21 07:16:31.442546: | required RSA CA is '%any' Sep 21 07:16:31.442549: | checking RSA keyid '@east' for match with '@east' Sep 21 07:16:31.442550: | RSA key issuer CA is '%any' Sep 21 07:16:31.442586: | an RSA Sig check passed with *AQO9bJbr3 
[preloaded keys] Sep 21 07:16:31.442591: | #4 spent 0.037 milliseconds in try_all_keys() trying a pubkey Sep 21 07:16:31.442593: "north-eastnets/0x2" #4: Authenticated using RSA Sep 21 07:16:31.442595: | #4 spent 0.0538 milliseconds in ikev2_verify_rsa_hash() Sep 21 07:16:31.442598: | parent state #4: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Sep 21 07:16:31.442600: | #4 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:16:31.442602: | state #4 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:31.442604: | libevent_free: release ptr-libevent@0x5621a13afd70 Sep 21 07:16:31.442606: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5621a13adf50 Sep 21 07:16:31.442608: | event_schedule: new EVENT_SA_REKEY-pe@0x5621a13adf50 Sep 21 07:16:31.442610: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #4 Sep 21 07:16:31.442612: | libevent_malloc: new ptr-libevent@0x5621a13afd70 size 128 Sep 21 07:16:31.442680: | pstats #4 ikev2.ike established Sep 21 07:16:31.442685: | **emit ISAKMP Message: Sep 21 07:16:31.442686: | initiator cookie: Sep 21 07:16:31.442688: | cc 16 75 8d 92 e6 25 81 Sep 21 07:16:31.442689: | responder cookie: Sep 21 07:16:31.442691: | 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:31.442694: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:31.442696: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.442697: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:16:31.442699: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:16:31.442701: | Message ID: 1 (0x1) Sep 21 07:16:31.442702: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:31.442704: | IKEv2 CERT: send a certificate? 
Sep 21 07:16:31.442706: | IKEv2 CERT: no certificate to send Sep 21 07:16:31.442707: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:31.442709: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.442710: | flags: none (0x0) Sep 21 07:16:31.442712: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:31.442714: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.442717: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:31.442720: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:16:31.442729: | ****emit IKEv2 Identification - Responder - Payload: Sep 21 07:16:31.442730: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.442732: | flags: none (0x0) Sep 21 07:16:31.442733: | ID type: ID_FQDN (0x2) Sep 21 07:16:31.442736: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Sep 21 07:16:31.442737: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.442739: | emitting 5 raw bytes of my identity into IKEv2 Identification - Responder - Payload Sep 21 07:16:31.442741: | my identity 6e 6f 72 74 68 Sep 21 07:16:31.442743: | emitting length of IKEv2 Identification - Responder - Payload: 13 Sep 21 07:16:31.442747: | assembled IDr payload Sep 21 07:16:31.442749: | CHILD SA proposals received Sep 21 07:16:31.442750: | going to assemble AUTH payload Sep 21 07:16:31.442752: | ****emit IKEv2 Authentication Payload: Sep 21 07:16:31.442753: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:31.442755: | flags: none (0x0) Sep 21 07:16:31.442756: | auth method: IKEv2_AUTH_RSA (0x1) Sep 21 07:16:31.442758: | next payload chain: ignoring supplied 'IKEv2 
Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Sep 21 07:16:31.442760: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Sep 21 07:16:31.442762: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.442765: | started looking for secret for @north->@east of kind PKK_RSA Sep 21 07:16:31.442767: | actually looking for secret for @north->@east of kind PKK_RSA Sep 21 07:16:31.442769: | line 1: key type PKK_RSA(@north) to type PKK_RSA Sep 21 07:16:31.442771: | 1: compared key (none) to @north / @east -> 002 Sep 21 07:16:31.442773: | 2: compared key (none) to @north / @east -> 002 Sep 21 07:16:31.442774: | line 1: match=002 Sep 21 07:16:31.442776: | match 002 beats previous best_match 000 match=0x5621a13990a0 (line=1) Sep 21 07:16:31.442778: | concluding with best_match=002 best=0x5621a13990a0 (lineno=1) Sep 21 07:16:31.445406: | #4 spent 2.61 milliseconds in ikev2_calculate_rsa_hash() calling sign_hash_RSA() Sep 21 07:16:31.445413: | emitting 274 raw bytes of rsa signature into IKEv2 Authentication Payload
Sep 21 07:16:31.445443: | #4 spent 2.67 milliseconds in ikev2_calculate_rsa_hash() Sep 21 07:16:31.445445: | emitting length of IKEv2 Authentication Payload: 282 Sep 21 07:16:31.445448: | creating state object #5 at 0x5621a13b8820 Sep 21 07:16:31.445450: | State DB: adding IKEv2 state #5 in UNDEFINED Sep 21 07:16:31.445452: | pstats #5 ikev2.child started Sep 21 07:16:31.445454: | duplicating state object #4 "north-eastnets/0x2" as #5 for IPSEC SA Sep 21 07:16:31.445458: | #5 setting local endpoint to 192.1.3.33:500 from #4.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:16:31.445461: | Message ID: init_child #4.#5; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:31.445464: | Message ID: switch-from #4 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Sep 21 07:16:31.445467: | Message ID: switch-to #4.#5 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Sep 21 07:16:31.445469: | Child SA TS Request has ike->sa == md->st; so using parent connection Sep 21
07:16:31.445470: | TSi: parsing 1 traffic selectors Sep 21 07:16:31.445472: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:31.445474: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.445475: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.445477: | length: 16 (0x10) Sep 21 07:16:31.445478: | start port: 0 (0x0) Sep 21 07:16:31.445480: | end port: 65535 (0xffff) Sep 21 07:16:31.445482: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:31.445483: | TS low c0 00 02 00 Sep 21 07:16:31.445485: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:31.445486: | TS high c0 00 02 ff Sep 21 07:16:31.445488: | TSi: parsed 1 traffic selectors Sep 21 07:16:31.445490: | TSr: parsing 1 traffic selectors Sep 21 07:16:31.445491: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:31.445493: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.445494: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.445496: | length: 16 (0x10) Sep 21 07:16:31.445497: | start port: 0 (0x0) Sep 21 07:16:31.445498: | end port: 65535 (0xffff) Sep 21 07:16:31.445500: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:31.445501: | TS low c0 00 03 00 Sep 21 07:16:31.445503: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:31.445504: | TS high c0 00 03 ff Sep 21 07:16:31.445505: | TSr: parsed 1 traffic selectors Sep 21 07:16:31.445507: | looking for best SPD in current connection Sep 21 07:16:31.445511: | evaluating our conn="north-eastnets/0x2" I=192.0.22.0/24:0:0/0 R=192.0.3.0/24:0:0/0 to their: Sep 21 07:16:31.445515: | TSi[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.445518: | match address end->client=192.0.22.0/24 == TSi[0]net=192.0.2.0-192.0.2.255: NO Sep 21 07:16:31.445520: | looking for better host pair Sep 21 07:16:31.445523: | find_host_pair: comparing 192.1.3.33:500 to 192.1.2.23:500 but ignoring ports Sep 21 07:16:31.445526: | checking hostpair 192.0.3.0/24:0 -> 
192.0.22.0/24:0 is found Sep 21 07:16:31.445527: | investigating connection "north-eastnets/0x2" as a better match Sep 21 07:16:31.445529: | match_id a=@east Sep 21 07:16:31.445531: | b=@east Sep 21 07:16:31.445532: | results matched Sep 21 07:16:31.445535: | evaluating our conn="north-eastnets/0x2" I=192.0.22.0/24:0:0/0 R=192.0.3.0/24:0:0/0 to their: Sep 21 07:16:31.445538: | TSi[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.445541: | match address end->client=192.0.22.0/24 == TSi[0]net=192.0.2.0-192.0.2.255: NO Sep 21 07:16:31.445542: | investigating connection "north-eastnets/0x1" as a better match Sep 21 07:16:31.445544: | match_id a=@east Sep 21 07:16:31.445545: | b=@east Sep 21 07:16:31.445546: | results matched Sep 21 07:16:31.445549: | evaluating our conn="north-eastnets/0x1" I=192.0.2.0/24:0:0/0 R=192.0.3.0/24:0:0/0 to their: Sep 21 07:16:31.445552: | TSi[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.445555: | match address end->client=192.0.2.0/24 == TSi[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:16:31.445557: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:31.445558: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:31.445560: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:16:31.445562: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.445565: | TSr[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.445568: | match address end->client=192.0.3.0/24 == TSr[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:16:31.445570: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:16:31.445571: | TSr[0] port match: YES fitness 65536 Sep 21 07:16:31.445573: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:16:31.445575: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.445576: | best fit so far: TSi[0] TSr[0] Sep 21 07:16:31.445578: | protocol fitness 
found better match d north-eastnets/0x1, TSi[0],TSr[0] Sep 21 07:16:31.445580: | in connection_discard for connection north-eastnets/0x2 Sep 21 07:16:31.445582: | printing contents struct traffic_selector Sep 21 07:16:31.445583: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:16:31.445584: | ipprotoid: 0 Sep 21 07:16:31.445586: | port range: 0-65535 Sep 21 07:16:31.445588: | ip range: 192.0.3.0-192.0.3.255 Sep 21 07:16:31.445589: | printing contents struct traffic_selector Sep 21 07:16:31.445591: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:16:31.445592: | ipprotoid: 0 Sep 21 07:16:31.445593: | port range: 0-65535 Sep 21 07:16:31.445596: | ip range: 192.0.2.0-192.0.2.255 Sep 21 07:16:31.445600: | using existing local ESP/AH proposals for north-eastnets/0x1 (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED Sep 21 07:16:31.445602: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 1 local proposals Sep 21 07:16:31.445604: | local proposal 1 type ENCR has 1 transforms Sep 21 07:16:31.445606: | local proposal 1 type PRF has 0 transforms Sep 21 07:16:31.445607: | local proposal 1 type INTEG has 1 transforms Sep 21 07:16:31.445609: | local proposal 1 type DH has 1 transforms Sep 21 07:16:31.445610: | local proposal 1 type ESN has 1 transforms Sep 21 07:16:31.445612: | local proposal 1 transforms: required: ENCR+INTEG+ESN; optional: DH Sep 21 07:16:31.445615: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.445617: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.445618: | length: 40 (0x28) Sep 21 07:16:31.445620: | prop #: 1 (0x1) Sep 21 07:16:31.445621: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:31.445623: | spi size: 4 (0x4) Sep 21 07:16:31.445624: | # transforms: 3 (0x3) Sep 21 07:16:31.445626: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:16:31.445628: | remote SPI 40 66 dd 7c Sep 21 
07:16:31.445629: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 1 local proposals Sep 21 07:16:31.445631: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.445633: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.445634: | length: 12 (0xc) Sep 21 07:16:31.445636: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.445637: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.445639: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.445641: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.445642: | length/value: 128 (0x80) Sep 21 07:16:31.445645: | remote proposal 1 transform 0 (ENCR=AES_CBC_128) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:16:31.445646: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.445648: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.445649: | length: 8 (0x8) Sep 21 07:16:31.445651: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.445652: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:31.445654: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_512_256) matches local proposal 1 type 3 (INTEG) transform 0 Sep 21 07:16:31.445656: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.445658: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.445659: | length: 8 (0x8) Sep 21 07:16:31.445660: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:31.445662: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:31.445664: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:16:31.445666: | remote proposal 1 proposed transforms: ENCR+INTEG+ESN; matched: ENCR+INTEG+ESN; unmatched: none Sep 21 07:16:31.445669: | comparing remote proposal 1 containing ENCR+INTEG+ESN transforms to local proposal 1; required: ENCR+INTEG+ESN; optional: DH; matched: ENCR+INTEG+ESN Sep 21 07:16:31.445671: | remote proposal 1 
matches local proposal 1 Sep 21 07:16:31.445674: "north-eastnets/0x2" #4: proposal 1:ESP:SPI=4066dd7c;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;ESN=DISABLED[first-match] Sep 21 07:16:31.445677: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=4066dd7c;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;ESN=DISABLED Sep 21 07:16:31.445678: | converting proposal to internal trans attrs Sep 21 07:16:31.445690: | netlink_get_spi: allocated 0xfff4871b for esp.0@192.1.3.33 Sep 21 07:16:31.445692: | Emitting ikev2_proposal ... Sep 21 07:16:31.445694: | ****emit IKEv2 Security Association Payload: Sep 21 07:16:31.445695: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.445697: | flags: none (0x0) Sep 21 07:16:31.445699: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:31.445701: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.445702: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.445704: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.445705: | prop #: 1 (0x1) Sep 21 07:16:31.445707: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:31.445708: | spi size: 4 (0x4) Sep 21 07:16:31.445710: | # transforms: 3 (0x3) Sep 21 07:16:31.445713: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:31.445715: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:16:31.445716: | our spi ff f4 87 1b Sep 21 07:16:31.445718: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.445719: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.445721: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 
07:16:31.445722: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.445724: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.445726: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.445727: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.445729: | length/value: 128 (0x80) Sep 21 07:16:31.445730: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:16:31.445732: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.445733: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.445735: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.445736: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:31.445738: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.445740: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.445742: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.445743: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.445745: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.445746: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:31.445748: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:31.445749: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.445751: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.445753: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.445754: | emitting length of IKEv2 Proposal Substructure Payload: 40 Sep 21 07:16:31.445756: | 
last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:16:31.445757: | emitting length of IKEv2 Security Association Payload: 44 Sep 21 07:16:31.445759: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:31.445761: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:16:31.445762: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.445763: | flags: none (0x0) Sep 21 07:16:31.445765: | number of TS: 1 (0x1) Sep 21 07:16:31.445767: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:16:31.445769: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.445770: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:31.445772: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.445773: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.445775: | start port: 0 (0x0) Sep 21 07:16:31.445776: | end port: 65535 (0xffff) Sep 21 07:16:31.445778: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:16:31.445779: | IP start c0 00 02 00 Sep 21 07:16:31.445781: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:31.445786: | IP end c0 00 02 ff Sep 21 07:16:31.445804: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:31.445808: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:16:31.445811: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:31.445813: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.445815: | flags: none (0x0) Sep 21 07:16:31.445817: | number of TS: 1 (0x1) Sep 21 07:16:31.445819: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - 
Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:16:31.445822: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.445825: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:31.445827: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.445829: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.445831: | start port: 0 (0x0) Sep 21 07:16:31.445834: | end port: 65535 (0xffff) Sep 21 07:16:31.445836: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:16:31.445837: | IP start c0 00 03 00 Sep 21 07:16:31.445839: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:31.445840: | IP end c0 00 03 ff Sep 21 07:16:31.445842: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:31.445843: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:16:31.445845: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:16:31.445847: | integ=sha2_512: .key_size=64 encrypt=aes: .key_size=16 .salt_size=0 keymat_len=80 Sep 21 07:16:31.446317: | FOR_EACH_CONNECTION_... in ISAKMP_SA_established Sep 21 07:16:31.446326: | install_ipsec_sa() for #5: inbound and outbound Sep 21 07:16:31.446328: | could_route called for north-eastnets/0x1 (kind=CK_PERMANENT) Sep 21 07:16:31.446331: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:16:31.446337: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.446340: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:31.446343: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.446346: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:31.446351: | route owner of "north-eastnets/0x1" erouted: self; eroute owner: self Sep 21 07:16:31.446355: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Sep 21 07:16:31.446359: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Sep 21 07:16:31.446363: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Sep 21 07:16:31.446367: | setting IPsec SA replay-window to 32 Sep 21 07:16:31.446371: | NIC esp-hw-offload not for connection 'north-eastnets/0x1' not available on interface eth1 Sep 21 07:16:31.446374: | netlink: enabling tunnel mode Sep 21 07:16:31.446377: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:16:31.446380: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:16:31.446531: | netlink response for Add SA esp.4066dd7c@192.1.2.23 included non-error error Sep 21 07:16:31.446537: | set up outgoing SA, ref=0/0 Sep 21 07:16:31.446541: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Sep 21 07:16:31.446544: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Sep 21 07:16:31.446547: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Sep 21 07:16:31.446551: | setting IPsec SA replay-window to 32 Sep 21 07:16:31.446554: | NIC esp-hw-offload not for connection 'north-eastnets/0x1' not available on interface eth1 Sep 21 07:16:31.446557: | netlink: enabling tunnel mode Sep 21 07:16:31.446560: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:16:31.446563: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:16:31.446655: | 
netlink response for Add SA esp.fff4871b@192.1.3.33 included non-error error Sep 21 07:16:31.446661: | set up incoming SA, ref=0/0 Sep 21 07:16:31.446663: | sr for #5: erouted Sep 21 07:16:31.446670: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:16:31.446672: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:16:31.446675: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.446678: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:31.446681: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.446683: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:31.446687: | route owner of "north-eastnets/0x1" erouted: self; eroute owner: self Sep 21 07:16:31.446691: | route_and_eroute with c: north-eastnets/0x1 (next: none) ero:north-eastnets/0x1 esr:{(nil)} ro:north-eastnets/0x1 rosr:{(nil)} and state: #5 Sep 21 07:16:31.446694: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:31.446702: | eroute_connection replace eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => tun.0@192.1.2.23>tun.0@192.1.2.23 (raw_eroute) Sep 21 07:16:31.446707: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:31.446776: | raw_eroute result=success Sep 21 07:16:31.446781: | route_and_eroute: firewall_notified: true Sep 21 07:16:31.446795: | route_and_eroute: instance "north-eastnets/0x1", setting eroute_owner {spd=0x5621a13a4a30,sr=0x5621a13a4a30} to #5 (was #2) (newest_ipsec_sa=#2) Sep 21 07:16:31.446910: | #4 spent 0.384 milliseconds in install_ipsec_sa() Sep 21 07:16:31.446917: | ISAKMP_v2_IKE_AUTH: instance north-eastnets/0x1[0], setting IKEv2 newest_ipsec_sa to #5 (was #2) (spd.eroute=#5) cloned from #4 Sep 21 07:16:31.446920: | adding 13 bytes of padding (including 1 byte padding-length) Sep 21 07:16:31.446924: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.446928: | emitting 1 0x01 repeated bytes of padding and 
length into IKEv2 Encryption Payload Sep 21 07:16:31.446930: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.446933: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.446936: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.446939: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.446941: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.446944: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.446947: | emitting 1 0x08 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.446950: | emitting 1 0x09 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.446953: | emitting 1 0x0a repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.446956: | emitting 1 0x0b repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.446959: | emitting 1 0x0c repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.446962: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:31.446964: | emitting length of IKEv2 Encryption Payload: 436 Sep 21 07:16:31.446967: | emitting length of ISAKMP Message: 464
Sep 21 07:16:31.447080: | out calculated auth: Sep 21 07:16:31.447083: | 7d 43 6d 61 58 be aa e4 69 32 e6 d0 4f a5 20 32 Sep 21 07:16:31.447088: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Sep 21 07:16:31.447094: | #4 spent 4.25 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Sep 21 07:16:31.447101: | suspend processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.447106: | start processing: state #5 connection "north-eastnets/0x1" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.447110: | #5 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Sep 21 07:16:31.447113: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Sep 21 07:16:31.447117: | child state #5: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Sep 21 07:16:31.447120: | Message ID: updating counters for #5 to 1 after switching state Sep 21 07:16:31.447126: | Message ID: recv #4.#5 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Sep 21 07:16:31.447131: | Message ID: sent #4.#5 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Sep 21 07:16:31.447134: | pstats #5 ikev2.child established Sep 21 07:16:31.447142: "north-eastnets/0x1" #5: negotiated connection [192.0.3.0-192.0.3.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] Sep 21 07:16:31.447146: | NAT-T: encaps is 'auto' Sep 21 07:16:31.447151: "north-eastnets/0x1" #5: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x4066dd7c <0xfff4871b xfrm=AES_CBC_128-HMAC_SHA2_512_256 NATOA=none NATD=none DPD=passive} Sep 21 07:16:31.447156: | sending V2 new request packet to
192.1.2.23:500 (from 192.1.3.33:500) Sep 21 07:16:31.447166: | sending 464 bytes for STATE_PARENT_R1 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #4)
Sep 21 07:16:31.447283: | releasing whack for #5 (sock=fd@-1) Sep 21 07:16:31.447287: | releasing whack and unpending for parent #4 Sep 21 07:16:31.447290: | unpending state #4 connection "north-eastnets/0x1" Sep 21 07:16:31.447294: | #5 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:16:31.447297: | event_schedule: new EVENT_SA_REKEY-pe@0x5621a13b6e70 Sep 21 07:16:31.447300: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #5 Sep 21 07:16:31.447303: | libevent_malloc: new ptr-libevent@0x5621a13bad60 size 128 Sep 21 07:16:31.447309: | resume sending helper answer for #4 suppresed complete_v2_state_transition() Sep 21 07:16:31.447314: | #4 spent 4.58 milliseconds in resume sending helper answer Sep 21 07:16:31.447318: | stop processing: state #5 connection "north-eastnets/0x1" from 192.1.2.23:500 (in resume_handler() at server.c:833) Sep 21 07:16:31.447322: | libevent_free: release ptr-libevent@0x7f08bc0010a0 Sep 21 07:16:31.452930: | spent 0.00238 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:31.452949: | *received 608 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500)
Sep 21 07:16:31.453014: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Sep 21 07:16:31.453016: | **parse ISAKMP Message: Sep 21 07:16:31.453018: | initiator cookie: Sep 21 07:16:31.453020: | df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:31.453021: | responder cookie: Sep 21 07:16:31.453023: | 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:31.453025: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:16:31.453027: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.453028: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Sep 21 07:16:31.453030: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:16:31.453032: | Message ID: 2 (0x2) Sep 21 07:16:31.453034: | length: 608 (0x260) Sep 21 07:16:31.453036: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Sep 21 07:16:31.453038: | I am the IKE SA Original Initiator receiving an IKEv2 CREATE_CHILD_SA response Sep 21 07:16:31.453041: | State DB: found IKEv2 state #1 in PARENT_I3 (find_v2_ike_sa) Sep 21 07:16:31.453045: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:16:31.453047: | State DB: found IKEv2 state #3 in V2_CREATE_I (find_v2_sa_by_initiator_wip) Sep 21 07:16:31.453050: | suspend processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2062) Sep 21 07:16:31.453053: | start processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2062) Sep 21 07:16:31.453055: | #3 is idle Sep 21 07:16:31.453056: | #3 idle Sep 21 07:16:31.453058: | unpacking clear payload
Sep 21 07:16:31.453060: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:16:31.453063: | ***parse IKEv2 Encryption Payload: Sep 21 07:16:31.453065: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:31.453066: | flags: none (0x0) Sep 21 07:16:31.453068: | length: 580 (0x244) Sep 21 07:16:31.453070: | processing payload: ISAKMP_NEXT_v2SK (len=576) Sep 21 07:16:31.453072: | #3 in state V2_CREATE_I: sent IPsec Child req wait response
Sep 21 07:16:31.453154: | calculated auth: cb 7a 6e 4d 01 b3 af c0 76 2e 47 aa fb 3c 28 68 Sep 21 07:16:31.453156: | provided auth: cb 7a 6e 4d 01 b3 af c0 76 2e 47 aa fb 3c 28 68 Sep 21 07:16:31.453158: | authenticator matched Sep 21
07:16:31.453166: | #3 ikev2 ISAKMP_v2_CREATE_CHILD_SA decrypt success Sep 21 07:16:31.453168: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:16:31.453170: | **parse IKEv2 Security Association Payload: Sep 21 07:16:31.453172: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:16:31.453173: | flags: none (0x0) Sep 21 07:16:31.453175: | length: 52 (0x34) Sep 21 07:16:31.453177: | processing payload: ISAKMP_NEXT_v2SA (len=48) Sep 21 07:16:31.453178: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 21 07:16:31.453180: | **parse IKEv2 Nonce Payload: Sep 21 07:16:31.453182: | next payload type: ISAKMP_NEXT_v2KE (0x22) Sep 21 07:16:31.453183: | flags: none (0x0) Sep 21 07:16:31.453185: | length: 36 (0x24) Sep 21 07:16:31.453186: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:16:31.453188: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:16:31.453190: | **parse IKEv2 Key Exchange Payload: Sep 21 07:16:31.453192: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Sep 21 07:16:31.453193: | flags: none (0x0) Sep 21 07:16:31.453195: | length: 392 (0x188) Sep 21 07:16:31.453196: | DH group: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:31.453198: | processing payload: ISAKMP_NEXT_v2KE (len=384) Sep 21 07:16:31.453200: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:16:31.453201: | **parse IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:16:31.453203: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:16:31.453205: | flags: none (0x0) Sep 21 07:16:31.453206: | length: 24 (0x18) Sep 21 07:16:31.453208: | number of TS: 1 (0x1) Sep 21 07:16:31.453209: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:16:31.453211: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:16:31.453213: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:31.453214: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.453216: | flags: none (0x0) Sep 21 07:16:31.453217: | length: 24 (0x18) Sep 21 
07:16:31.453219: | number of TS: 1 (0x1) Sep 21 07:16:31.453221: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Sep 21 07:16:31.453222: | selected state microcode Process CREATE_CHILD_SA IPsec SA Response Sep 21 07:16:31.453226: | #1 updating local interface from 192.1.3.33:500 to 192.1.3.33:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:16:31.453228: | forcing ST #3 to CHILD #1.#3 in FSM processor Sep 21 07:16:31.453230: | Now let's proceed with state specific processing Sep 21 07:16:31.453232: | calling processor Process CREATE_CHILD_SA IPsec SA Response Sep 21 07:16:31.453238: | using existing local ESP/AH proposals for north-eastnets/0x2 (CREATE_CHILD_SA initiator accepting remote ESP/AH proposal): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Sep 21 07:16:31.453240: | Comparing remote proposals against CREATE_CHILD_SA initiator accepting remote ESP/AH proposal 1 local proposals Sep 21 07:16:31.453242: | local proposal 1 type ENCR has 1 transforms Sep 21 07:16:31.453244: | local proposal 1 type PRF has 0 transforms Sep 21 07:16:31.453246: | local proposal 1 type INTEG has 1 transforms Sep 21 07:16:31.453247: | local proposal 1 type DH has 1 transforms Sep 21 07:16:31.453249: | local proposal 1 type ESN has 1 transforms Sep 21 07:16:31.453251: | local proposal 1 transforms: required: ENCR+INTEG+DH+ESN; optional: none Sep 21 07:16:31.453253: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.453255: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.453257: | length: 48 (0x30) Sep 21 07:16:31.453258: | prop #: 1 (0x1) Sep 21 07:16:31.453260: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:31.453261: | spi size: 4 (0x4) Sep 21 07:16:31.453263: | # transforms: 4 (0x4) Sep 21 07:16:31.453265: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:16:31.453266: | remote SPI 54 3d 20 7b Sep 21 07:16:31.453268: | Comparing remote proposal 1 containing 4 
transforms against local proposal [1..1] of 1 local proposals Sep 21 07:16:31.453272: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.453273: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.453275: | length: 12 (0xc) Sep 21 07:16:31.453277: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.453278: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.453280: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.453282: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.453283: | length/value: 128 (0x80) Sep 21 07:16:31.453286: | remote proposal 1 transform 0 (ENCR=AES_CBC_128) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:16:31.453288: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.453290: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.453291: | length: 8 (0x8) Sep 21 07:16:31.453293: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.453294: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:31.453296: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_512_256) matches local proposal 1 type 3 (INTEG) transform 0 Sep 21 07:16:31.453298: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.453300: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.453301: | length: 8 (0x8) Sep 21 07:16:31.453303: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:31.453305: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:31.453307: | remote proposal 1 transform 2 (DH=MODP3072) matches local proposal 1 type 4 (DH) transform 0 Sep 21 07:16:31.453308: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.453311: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.453313: | length: 8 (0x8) Sep 21 07:16:31.453315: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:31.453318: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:31.453321: | remote proposal 1 transform 3 (ESN=DISABLED) 
matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:16:31.453325: | remote proposal 1 proposed transforms: ENCR+INTEG+DH+ESN; matched: ENCR+INTEG+DH+ESN; unmatched: none Sep 21 07:16:31.453329: | comparing remote proposal 1 containing ENCR+INTEG+DH+ESN transforms to local proposal 1; required: ENCR+INTEG+DH+ESN; optional: none; matched: ENCR+INTEG+DH+ESN Sep 21 07:16:31.453331: | remote proposal 1 matches local proposal 1 Sep 21 07:16:31.453333: | remote accepted the proposal 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED[first-match] Sep 21 07:16:31.453349: | CREATE_CHILD_SA initiator accepting remote ESP/AH proposal ikev2_proposal: 1:ESP:SPI=543d207b;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Sep 21 07:16:31.453351: | converting proposal to internal trans attrs Sep 21 07:16:31.453355: | updating #3's .st_oakley with preserved PRF, but why update? Sep 21 07:16:31.453374: | adding ikev2 Child SA initiator pfs=yes work-order 6 for state #3 Sep 21 07:16:31.453376: | state #3 requesting EVENT_RETRANSMIT to be deleted Sep 21 07:16:31.453378: | #3 STATE_V2_CREATE_I: retransmits: cleared Sep 21 07:16:31.453380: | libevent_free: release ptr-libevent@0x5621a132b7d0 Sep 21 07:16:31.453382: | free_event_entry: release EVENT_RETRANSMIT-pe@0x5621a13aeaa0 Sep 21 07:16:31.453384: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5621a13aeaa0 Sep 21 07:16:31.453386: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 Sep 21 07:16:31.453388: | libevent_malloc: new ptr-libevent@0x5621a132b7d0 size 128 Sep 21 07:16:31.453399: | #3 spent 0.161 milliseconds in processing: Process CREATE_CHILD_SA IPsec SA Response in ikev2_process_state_packet() Sep 21 07:16:31.453402: | crypto helper 6 resuming Sep 21 07:16:31.453407: | [RE]START processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.453409: | crypto helper 6 starting work-order 6 
for state #3 Sep 21 07:16:31.453411: | #3 complete_v2_state_transition() V2_CREATE_I->V2_IPSEC_I with status STF_SUSPEND Sep 21 07:16:31.453419: | suspending state #3 and saving MD Sep 21 07:16:31.453413: | crypto helper 6 doing crypto (ikev2 Child SA initiator pfs=yes); request ID 6 Sep 21 07:16:31.453423: | #3 is busy; has a suspended MD Sep 21 07:16:31.453435: | [RE]START processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:31.453439: | "north-eastnets/0x2" #3 complete v2 state STATE_V2_CREATE_I transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:31.453444: | stop processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:31.453449: | #1 spent 0.506 milliseconds in ikev2_process_packet() Sep 21 07:16:31.453453: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Sep 21 07:16:31.453456: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:31.453459: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:31.453463: | spent 0.52 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:31.454809: | crypto helper 6 finished crypto (ikev2 Child SA initiator pfs=yes); request ID 6 time elapsed 0.001396 seconds Sep 21 07:16:31.454819: | (#3) spent 1.39 milliseconds in crypto helper computing work-order 6: ikev2 Child SA initiator pfs=yes (dh) Sep 21 07:16:31.454821: | crypto helper 6 sending results from work-order 6 for state #3 to event queue Sep 21 07:16:31.454823: | scheduling resume sending helper answer for #3 Sep 21 07:16:31.454825: | libevent_malloc: new ptr-libevent@0x7f08b0001100 size 128 Sep 21 07:16:31.454845: | crypto helper 6 waiting (nothing to do) Sep 21 07:16:31.454852: | processing resume sending helper answer for #3 Sep 21 07:16:31.454859: | start processing: state #3 connection 
"north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:797) Sep 21 07:16:31.454862: | crypto helper 6 replies to request ID 6 Sep 21 07:16:31.454863: | calling continuation function 0x56219f9274f0 Sep 21 07:16:31.454865: | ikev2_child_inR_continue for #3 STATE_V2_CREATE_I Sep 21 07:16:31.454867: | TSi: parsing 1 traffic selectors Sep 21 07:16:31.454869: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:31.454871: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.454872: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.454874: | length: 16 (0x10) Sep 21 07:16:31.454875: | start port: 0 (0x0) Sep 21 07:16:31.454877: | end port: 65535 (0xffff) Sep 21 07:16:31.454879: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:31.454880: | TS low c0 00 03 00 Sep 21 07:16:31.454882: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:31.454883: | TS high c0 00 03 ff Sep 21 07:16:31.454885: | TSi: parsed 1 traffic selectors Sep 21 07:16:31.454886: | TSr: parsing 1 traffic selectors Sep 21 07:16:31.454888: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:31.454890: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.454891: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.454892: | length: 16 (0x10) Sep 21 07:16:31.454894: | start port: 0 (0x0) Sep 21 07:16:31.454895: | end port: 65535 (0xffff) Sep 21 07:16:31.454897: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:31.454898: | TS low c0 00 16 00 Sep 21 07:16:31.454900: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:31.454901: | TS high c0 00 16 ff Sep 21 07:16:31.454903: | TSr: parsed 1 traffic selectors Sep 21 07:16:31.454906: | evaluating our conn="north-eastnets/0x2" I=192.0.3.0/24:0:0/0 R=192.0.22.0/24:0:0/0 to their: Sep 21 07:16:31.454909: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.454913: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: 
YES fitness 32 Sep 21 07:16:31.454915: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:31.454916: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:31.454921: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:16:31.454923: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.454925: | TSr[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.454929: | match address end->client=192.0.22.0/24 == TSr[0]net=192.0.22.0-192.0.22.255: YES fitness 32 Sep 21 07:16:31.454930: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:16:31.454932: | TSr[0] port match: YES fitness 65536 Sep 21 07:16:31.454933: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:16:31.454935: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.454937: | best fit so far: TSi[0] TSr[0] Sep 21 07:16:31.454938: | found an acceptable TSi/TSr Traffic Selector Sep 21 07:16:31.454939: | printing contents struct traffic_selector Sep 21 07:16:31.454941: | ts_type: IKEv2_TS_IPV6_ADDR_RANGE Sep 21 07:16:31.454942: | ipprotoid: 0 Sep 21 07:16:31.454944: | port range: 0-65535 Sep 21 07:16:31.454946: | ip range: 192.0.3.0-192.0.3.255 Sep 21 07:16:31.454947: | printing contents struct traffic_selector Sep 21 07:16:31.454949: | ts_type: IKEv2_TS_IPV6_ADDR_RANGE Sep 21 07:16:31.454950: | ipprotoid: 0 Sep 21 07:16:31.454951: | port range: 0-65535 Sep 21 07:16:31.454954: | ip range: 192.0.22.0-192.0.22.255 Sep 21 07:16:31.454956: | integ=sha2_512: .key_size=64 encrypt=aes: .key_size=16 .salt_size=0 keymat_len=80 Sep 21 07:16:31.455150: | install_ipsec_sa() for #3: inbound and outbound Sep 21 07:16:31.455153: | could_route called for north-eastnets/0x2 (kind=CK_PERMANENT) Sep 21 07:16:31.455155: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:16:31.455157: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.455159: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:31.455160: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.455162: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:31.455164: | route owner of "north-eastnets/0x2" unrouted: NULL; eroute owner: NULL Sep 21 07:16:31.455167: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Sep 21 07:16:31.455169: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Sep 21 07:16:31.455170: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Sep 21 07:16:31.455173: | setting IPsec SA replay-window to 32 Sep 21 07:16:31.455175: | NIC esp-hw-offload not for connection 'north-eastnets/0x2' not available on interface eth1 Sep 21 07:16:31.455176: | netlink: enabling tunnel mode Sep 21 07:16:31.455178: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:16:31.455180: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:16:31.455224: | netlink response for Add SA esp.543d207b@192.1.2.23 included non-error error Sep 21 07:16:31.455226: | set up outgoing SA, ref=0/0 Sep 21 07:16:31.455243: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Sep 21 07:16:31.455245: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Sep 21 07:16:31.455247: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Sep 21 07:16:31.455249: | setting IPsec SA replay-window to 32 Sep 21 07:16:31.455251: | NIC esp-hw-offload not for connection 'north-eastnets/0x2' not available on interface eth1 Sep 21 07:16:31.455252: | netlink: enabling tunnel mode Sep 21 07:16:31.455254: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:16:31.455255: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:16:31.455287: | 
netlink response for Add SA esp.c8d0fe50@192.1.3.33 included non-error error Sep 21 07:16:31.455290: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:31.455294: | add inbound eroute 192.0.22.0/24:0 --0-> 192.0.3.0/24:0 => tun.10000@192.1.3.33 (raw_eroute) Sep 21 07:16:31.455296: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:31.455332: | raw_eroute result=success Sep 21 07:16:31.455335: | set up incoming SA, ref=0/0 Sep 21 07:16:31.455336: | sr for #3: unrouted Sep 21 07:16:31.455338: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:16:31.455339: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:16:31.455341: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.455343: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:31.455345: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.455346: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:31.455348: | route owner of "north-eastnets/0x2" unrouted: NULL; eroute owner: NULL Sep 21 07:16:31.455351: | route_and_eroute with c: north-eastnets/0x2 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #3 Sep 21 07:16:31.455353: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:31.455357: | eroute_connection add eroute 192.0.3.0/24:0 --0-> 192.0.22.0/24:0 => tun.0@192.1.2.23 (raw_eroute) Sep 21 07:16:31.455359: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:31.455377: | raw_eroute result=success Sep 21 07:16:31.455379: | running updown command "ipsec _updown" for verb up Sep 21 07:16:31.455381: | command executing up-client Sep 21 07:16:31.455396: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' 
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0 Sep 21 07:16:31.455399: | popen cmd is 1043 chars long Sep 21 07:16:31.455400: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2': Sep 21 07:16:31.455402: | cmd( 80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_: Sep 21 07:16:31.455404: | cmd( 160):MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PL: Sep 21 07:16:31.455406: | cmd( 240):UTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO: Sep 21 07:16:31.455407: | cmd( 320):_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@ea: Sep 21 07:16:31.455409: | cmd( 400):st' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO_P: Sep 21 07:16:31.455410: | cmd( 480):EER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUT: Sep 21 07:16:31.455412: | cmd( 560):O_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+EN: Sep 21 07:16:31.455414: | cmd( 640):CRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KI: Sep 21 07:16:31.455415: | cmd( 720):ND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISC: Sep 21 07:16:31.455417: | cmd( 800):O='0' 
PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUT: Sep 21 07:16:31.455418: | cmd( 880):O_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_R: Sep 21 07:16:31.455420: | cmd( 960):OUTING='no' VTI_SHARED='no' SPI_IN=0x543d207b SPI_OUT=0xc8d0fe50 ipsec _updown 2: Sep 21 07:16:31.455421: | cmd(1040):>&1: Sep 21 07:16:31.464891: | route_and_eroute: firewall_notified: true Sep 21 07:16:31.464904: | running updown command "ipsec _updown" for verb prepare Sep 21 07:16:31.464907: | command executing prepare-client Sep 21 07:16:31.464927: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no Sep 21 07:16:31.464929: | popen cmd is 1048 chars long Sep 21 07:16:31.464932: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets: Sep 21 07:16:31.464933: | cmd( 80):/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' P: Sep 21 07:16:31.464935: | cmd( 160):LUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' 
PLUTO_MY_CLIENT_NET='192.0.3.: Sep 21 07:16:31.464936: | cmd( 240):0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' : Sep 21 07:16:31.464938: | cmd( 320):PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID: Sep 21 07:16:31.464940: | cmd( 400):='@east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PL: Sep 21 07:16:31.464941: | cmd( 480):UTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0': Sep 21 07:16:31.464943: | cmd( 560): PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSAS: Sep 21 07:16:31.464944: | cmd( 640):IG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CO: Sep 21 07:16:31.464946: | cmd( 720):NN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER: Sep 21 07:16:31.464947: | cmd( 800):_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='': Sep 21 07:16:31.464949: | cmd( 880): PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' : Sep 21 07:16:31.464950: | cmd( 960):VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x543d207b SPI_OUT=0xc8d0fe50 ipsec _upd: Sep 21 07:16:31.464952: | cmd(1040):own 2>&1: Sep 21 07:16:31.473765: | running updown command "ipsec _updown" for verb route Sep 21 07:16:31.473781: | command executing route-client Sep 21 07:16:31.473805: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' 
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SP Sep 21 07:16:31.473809: | popen cmd is 1046 chars long Sep 21 07:16:31.473811: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0: Sep 21 07:16:31.473816: | cmd( 80):x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLU: Sep 21 07:16:31.473818: | cmd( 160):TO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0': Sep 21 07:16:31.473819: | cmd( 240): PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PL: Sep 21 07:16:31.473821: | cmd( 320):UTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID=': Sep 21 07:16:31.473822: | cmd( 400):@east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUT: Sep 21 07:16:31.473824: | cmd( 480):O_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' P: Sep 21 07:16:31.473825: | cmd( 560):LUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG: Sep 21 07:16:31.473827: | cmd( 640):+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN: Sep 21 07:16:31.473829: | cmd( 720):_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_C: Sep 21 07:16:31.473830: | cmd( 800):ISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' P: Sep 21 07:16:31.473832: | cmd( 880):LUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VT: Sep 21 07:16:31.473833: | cmd( 960):I_ROUTING='no' VTI_SHARED='no' 
SPI_IN=0x543d207b SPI_OUT=0xc8d0fe50 ipsec _updow: Sep 21 07:16:31.473835: | cmd(1040):n 2>&1: Sep 21 07:16:31.483812: | route_and_eroute: instance "north-eastnets/0x2", setting eroute_owner {spd=0x5621a13a5a80,sr=0x5621a13a5a80} to #3 (was #0) (newest_ipsec_sa=#0) Sep 21 07:16:31.483892: | #1 spent 0.716 milliseconds in install_ipsec_sa() Sep 21 07:16:31.483900: | inR2: instance north-eastnets/0x2[0], setting IKEv2 newest_ipsec_sa to #3 (was #0) (spd.eroute=#3) cloned from #1 Sep 21 07:16:31.483904: | state #3 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:31.483910: | libevent_free: release ptr-libevent@0x5621a132b7d0 Sep 21 07:16:31.483913: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5621a13aeaa0 Sep 21 07:16:31.483923: | [RE]START processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.483928: | #3 complete_v2_state_transition() V2_CREATE_I->V2_IPSEC_I with status STF_OK Sep 21 07:16:31.483932: | IKEv2: transition from state STATE_V2_CREATE_I to state STATE_V2_IPSEC_I Sep 21 07:16:31.483936: | child state #3: V2_CREATE_I(established IKE SA) => V2_IPSEC_I(established CHILD SA) Sep 21 07:16:31.483939: | Message ID: updating counters for #3 to 2 after switching state Sep 21 07:16:31.483945: | Message ID: recv #1.#3 response 2; ike: initiator.sent=2 initiator.recv=1->2 responder.sent=-1 responder.recv=-1; child: wip.initiator=2->-1 wip.responder=-1 Sep 21 07:16:31.483951: | Message ID: #1.#3 skipping update_send as nothing to send; initiator.sent=2 initiator.recv=2 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1 Sep 21 07:16:31.483954: | pstats #3 ikev2.child established Sep 21 07:16:31.483962: "north-eastnets/0x2" #3: negotiated connection [192.0.3.0-192.0.3.255:0-65535 0] -> [192.0.22.0-192.0.22.255:0-65535 0] Sep 21 07:16:31.483974: | NAT-T: encaps is 'auto' Sep 21 07:16:31.483980: "north-eastnets/0x2" #3: STATE_V2_IPSEC_I: IPsec SA 
established tunnel mode {ESP=>0x543d207b <0xc8d0fe50 xfrm=AES_CBC_128-HMAC_SHA2_512_256-MODP3072 NATOA=none NATD=none DPD=passive} Sep 21 07:16:31.483985: | releasing whack for #3 (sock=fd@25) Sep 21 07:16:31.483992: | close_any(fd@25) (in release_whack() at state.c:654) Sep 21 07:16:31.483995: | releasing whack and unpending for parent #1 Sep 21 07:16:31.483998: | unpending state #1 connection "north-eastnets/0x2" Sep 21 07:16:31.484003: | #3 will start re-keying in 27838 seconds with margin of 962 seconds (attempting re-key) Sep 21 07:16:31.484007: | event_schedule: new EVENT_SA_REKEY-pe@0x5621a13aeaa0 Sep 21 07:16:31.484011: | inserting event EVENT_SA_REKEY, timeout in 27838 seconds for #3 Sep 21 07:16:31.484018: | libevent_malloc: new ptr-libevent@0x5621a132b7d0 size 128 Sep 21 07:16:31.484025: | #3 spent 1.14 milliseconds in resume sending helper answer Sep 21 07:16:31.484033: | stop processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:833) Sep 21 07:16:31.484036: | libevent_free: release ptr-libevent@0x7f08b0001100 Sep 21 07:16:31.484051: | spent 0.00263 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:31.484065: | *received 608 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500)
Sep 21 07:16:31.484162: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Sep 21 07:16:31.484166: | **parse ISAKMP Message: Sep 21 07:16:31.484169: | initiator cookie: Sep 21 07:16:31.484171: | cc 16 75 8d 92 e6 25 81 Sep 21 07:16:31.484173: | responder cookie: Sep 21 07:16:31.484176: | 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:31.484179: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:16:31.484182: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.484187: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Sep 21 07:16:31.484190: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:31.484193: | Message ID: 2 (0x2) Sep 21 07:16:31.484195: | length: 608 (0x260) Sep 21 07:16:31.484198: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Sep 21 07:16:31.484202: | I am the IKE SA Original Responder receiving an IKEv2 CREATE_CHILD_SA request Sep 21 07:16:31.484206: | State DB: found IKEv2 state #4 in PARENT_R2 (find_v2_ike_sa) Sep 21 07:16:31.484213: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:16:31.484216: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:16:31.484220: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:16:31.484223: | #4 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Sep 21 07:16:31.484227: | Message ID: #4 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 Sep 21 07:16:31.484229: | unpacking clear payload Sep 21 07:16:31.484232: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:16:31.484235: | ***parse IKEv2 Encryption Payload: Sep 21 07:16:31.484237: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21
07:16:31.484240: | flags: none (0x0) Sep 21 07:16:31.484242: | length: 580 (0x244) Sep 21 07:16:31.484244: | processing payload: ISAKMP_NEXT_v2SK (len=576) Sep 21 07:16:31.484248: | Message ID: start-responder #4 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=-1->2 Sep 21 07:16:31.484250: | #4 in state PARENT_R2: received v2I2, PARENT SA established
Sep 21 07:16:31.484384: | calculated auth: a5 ec 7e 3f 22 8d e7 34 ce 76 d2 ae ba 09 5b e7 Sep 21 07:16:31.484387: | provided auth: a5 ec 7e 3f 22 8d e7 34 ce 76 d2 ae ba 09 5b e7 Sep 21 07:16:31.484389: | authenticator matched Sep 21 07:16:31.484401: | #4 ikev2
ISAKMP_v2_CREATE_CHILD_SA decrypt success Sep 21 07:16:31.484404: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:16:31.484407: | **parse IKEv2 Security Association Payload: Sep 21 07:16:31.484410: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:16:31.484412: | flags: none (0x0) Sep 21 07:16:31.484415: | length: 52 (0x34) Sep 21 07:16:31.484417: | processing payload: ISAKMP_NEXT_v2SA (len=48) Sep 21 07:16:31.484419: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 21 07:16:31.484421: | **parse IKEv2 Nonce Payload: Sep 21 07:16:31.484423: | next payload type: ISAKMP_NEXT_v2KE (0x22) Sep 21 07:16:31.484426: | flags: none (0x0) Sep 21 07:16:31.484428: | length: 36 (0x24) Sep 21 07:16:31.484430: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:16:31.484432: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:16:31.484435: | **parse IKEv2 Key Exchange Payload: Sep 21 07:16:31.484438: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Sep 21 07:16:31.484440: | flags: none (0x0) Sep 21 07:16:31.484442: | length: 392 (0x188) Sep 21 07:16:31.484444: | DH group: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:31.484447: | processing payload: ISAKMP_NEXT_v2KE (len=384) Sep 21 07:16:31.484449: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:16:31.484452: | **parse IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:16:31.484454: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:16:31.484456: | flags: none (0x0) Sep 21 07:16:31.484458: | length: 24 (0x18) Sep 21 07:16:31.484460: | number of TS: 1 (0x1) Sep 21 07:16:31.484463: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:16:31.484465: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:16:31.484467: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:31.484470: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.484472: | flags: none (0x0) Sep 21 07:16:31.484474: | length: 24 (0x18) Sep 21 07:16:31.484477: | number of 
TS: 1 (0x1) Sep 21 07:16:31.484479: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Sep 21 07:16:31.484483: | state #4 forced to match CREATE_CHILD_SA from V2_CREATE_R->V2_IPSEC_R by ignoring from state Sep 21 07:16:31.484486: | selected state microcode Respond to CREATE_CHILD_SA IPsec SA Request Sep 21 07:16:31.484494: | #4 updating local interface from 192.1.3.33:500 to 192.1.3.33:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:16:31.484499: | creating state object #6 at 0x5621a13be420 Sep 21 07:16:31.484503: | State DB: adding IKEv2 state #6 in UNDEFINED Sep 21 07:16:31.484510: | pstats #6 ikev2.child started Sep 21 07:16:31.484514: | duplicating state object #4 "north-eastnets/0x2" as #6 for IPSEC SA Sep 21 07:16:31.484520: | #6 setting local endpoint to 192.1.3.33:500 from #4.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:16:31.484528: | Message ID: init_child #4.#6; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:31.484531: | child state #6: UNDEFINED(ignore) => V2_CREATE_R(established IKE SA) Sep 21 07:16:31.484536: | "north-eastnets/0x2" #4 received Child SA Request CREATE_CHILD_SA from 192.1.2.23:500 Child "north-eastnets/0x2" #6 in STATE_V2_CREATE_R will process it further Sep 21 07:16:31.484541: | Message ID: switch-from #4 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=2->-1 Sep 21 07:16:31.484546: | Message ID: switch-to #4.#6 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1->2 Sep 21 07:16:31.484548: | forcing ST #4 to CHILD #4.#6 in FSM processor Sep 21 07:16:31.484551: | Now let's proceed with state specific processing Sep 21 07:16:31.484553: | calling processor Respond to CREATE_CHILD_SA IPsec SA Request Sep 21 07:16:31.484562: | using existing local ESP/AH proposals for 
north-eastnets/0x2 (CREATE_CHILD_SA responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Sep 21 07:16:31.484567: | Comparing remote proposals against CREATE_CHILD_SA responder matching remote ESP/AH proposals 1 local proposals Sep 21 07:16:31.484571: | local proposal 1 type ENCR has 1 transforms Sep 21 07:16:31.484575: | local proposal 1 type PRF has 0 transforms Sep 21 07:16:31.484578: | local proposal 1 type INTEG has 1 transforms Sep 21 07:16:31.484581: | local proposal 1 type DH has 1 transforms Sep 21 07:16:31.484584: | local proposal 1 type ESN has 1 transforms Sep 21 07:16:31.484588: | local proposal 1 transforms: required: ENCR+INTEG+DH+ESN; optional: none Sep 21 07:16:31.484591: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.484595: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.484597: | length: 48 (0x30) Sep 21 07:16:31.484600: | prop #: 1 (0x1) Sep 21 07:16:31.484603: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:31.484606: | spi size: 4 (0x4) Sep 21 07:16:31.484609: | # transforms: 4 (0x4) Sep 21 07:16:31.484612: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:16:31.484615: | remote SPI 43 bb c6 ab Sep 21 07:16:31.484618: | Comparing remote proposal 1 containing 4 transforms against local proposal [1..1] of 1 local proposals Sep 21 07:16:31.484621: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.484623: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.484626: | length: 12 (0xc) Sep 21 07:16:31.484628: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.484631: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.484633: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.484636: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.484638: | length/value: 128 (0x80) Sep 21 07:16:31.484644: | remote proposal 1 transform 0 (ENCR=AES_CBC_128) matches local proposal 1 
type 1 (ENCR) transform 0 Sep 21 07:16:31.484647: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.484650: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.484653: | length: 8 (0x8) Sep 21 07:16:31.484656: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.484659: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:31.484663: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_512_256) matches local proposal 1 type 3 (INTEG) transform 0 Sep 21 07:16:31.484666: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.484669: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.484674: | length: 8 (0x8) Sep 21 07:16:31.484677: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:31.484680: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:31.484684: | remote proposal 1 transform 2 (DH=MODP3072) matches local proposal 1 type 4 (DH) transform 0 Sep 21 07:16:31.484688: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.484690: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.484693: | length: 8 (0x8) Sep 21 07:16:31.484695: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:31.484697: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:31.484701: | remote proposal 1 transform 3 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:16:31.484705: | remote proposal 1 proposed transforms: ENCR+INTEG+DH+ESN; matched: ENCR+INTEG+DH+ESN; unmatched: none Sep 21 07:16:31.484709: | comparing remote proposal 1 containing ENCR+INTEG+DH+ESN transforms to local proposal 1; required: ENCR+INTEG+DH+ESN; optional: none; matched: ENCR+INTEG+DH+ESN Sep 21 07:16:31.484712: | remote proposal 1 matches local proposal 1 Sep 21 07:16:31.484717: "north-eastnets/0x2" #4: proposal 1:ESP:SPI=43bbc6ab;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED chosen from remote proposals 
1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED[first-match] Sep 21 07:16:31.484724: | CREATE_CHILD_SA responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=43bbc6ab;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Sep 21 07:16:31.484728: | converting proposal to internal trans attrs Sep 21 07:16:31.484733: | updating #6's .st_oakley with preserved PRF, but why update? Sep 21 07:16:31.484737: | Child SA TS Request has child->sa == md->st; so using child connection Sep 21 07:16:31.484740: | TSi: parsing 1 traffic selectors Sep 21 07:16:31.484744: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:31.484747: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.484750: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.484752: | length: 16 (0x10) Sep 21 07:16:31.484755: | start port: 0 (0x0) Sep 21 07:16:31.484758: | end port: 65535 (0xffff) Sep 21 07:16:31.484762: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:31.484765: | TS low c0 00 16 00 Sep 21 07:16:31.484768: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:31.484770: | TS high c0 00 16 ff Sep 21 07:16:31.484773: | TSi: parsed 1 traffic selectors Sep 21 07:16:31.484775: | TSr: parsing 1 traffic selectors Sep 21 07:16:31.484777: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:31.484780: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.484782: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.484792: | length: 16 (0x10) Sep 21 07:16:31.484794: | start port: 0 (0x0) Sep 21 07:16:31.484797: | end port: 65535 (0xffff) Sep 21 07:16:31.484799: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:31.484802: | TS low c0 00 03 00 Sep 21 07:16:31.484804: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:31.484807: | TS high c0 00 03 ff Sep 21 07:16:31.484810: | TSr: parsed 1 traffic selectors Sep 21 07:16:31.484813: | looking for best SPD in current connection Sep 21 
07:16:31.484820: | evaluating our conn="north-eastnets/0x2" I=192.0.22.0/24:0:0/0 R=192.0.3.0/24:0:0/0 to their: Sep 21 07:16:31.484826: | TSi[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.484835: | match address end->client=192.0.22.0/24 == TSi[0]net=192.0.22.0-192.0.22.255: YES fitness 32 Sep 21 07:16:31.484839: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:31.484842: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:31.484846: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:16:31.484849: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.484854: | TSr[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.484861: | match address end->client=192.0.3.0/24 == TSr[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:16:31.484864: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:16:31.484867: | TSr[0] port match: YES fitness 65536 Sep 21 07:16:31.484869: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:16:31.484872: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.484875: | best fit so far: TSi[0] TSr[0] Sep 21 07:16:31.484877: | found better spd route for TSi[0],TSr[0] Sep 21 07:16:31.484880: | looking for better host pair Sep 21 07:16:31.484886: | find_host_pair: comparing 192.1.3.33:500 to 192.1.2.23:500 but ignoring ports Sep 21 07:16:31.484892: | checking hostpair 192.0.3.0/24:0 -> 192.0.22.0/24:0 is found Sep 21 07:16:31.484895: | investigating connection "north-eastnets/0x2" as a better match Sep 21 07:16:31.484900: | match_id a=@east Sep 21 07:16:31.484903: | b=@east Sep 21 07:16:31.484906: | results matched Sep 21 07:16:31.484912: | evaluating our conn="north-eastnets/0x2" I=192.0.22.0/24:0:0/0 R=192.0.3.0/24:0:0/0 to their: Sep 21 07:16:31.484918: | TSi[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.484925: | match address end->client=192.0.22.0/24 == 
TSi[0]net=192.0.22.0-192.0.22.255: YES fitness 32 Sep 21 07:16:31.484928: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:31.484931: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:31.484933: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:16:31.484936: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.484940: | TSr[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.484947: | match address end->client=192.0.3.0/24 == TSr[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:16:31.484951: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:16:31.484954: | TSr[0] port match: YES fitness 65536 Sep 21 07:16:31.484957: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:16:31.484960: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.484963: | best fit so far: TSi[0] TSr[0] Sep 21 07:16:31.484966: | investigating connection "north-eastnets/0x1" as a better match Sep 21 07:16:31.484970: | match_id a=@east Sep 21 07:16:31.484973: | b=@east Sep 21 07:16:31.484975: | results matched Sep 21 07:16:31.484982: | evaluating our conn="north-eastnets/0x1" I=192.0.2.0/24:0:0/0 R=192.0.3.0/24:0:0/0 to their: Sep 21 07:16:31.484988: | TSi[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.484994: | match address end->client=192.0.2.0/24 == TSi[0]net=192.0.22.0-192.0.22.255: NO Sep 21 07:16:31.484997: | did not find a better connection using host pair Sep 21 07:16:31.484999: | printing contents struct traffic_selector Sep 21 07:16:31.485002: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:16:31.485004: | ipprotoid: 0 Sep 21 07:16:31.485006: | port range: 0-65535 Sep 21 07:16:31.485010: | ip range: 192.0.3.0-192.0.3.255 Sep 21 07:16:31.485013: | printing contents struct traffic_selector Sep 21 07:16:31.485016: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:16:31.485018: | ipprotoid: 0 Sep 21 07:16:31.485021: | port range: 0-65535 Sep 
21 07:16:31.485025: | ip range: 192.0.22.0-192.0.22.255 Sep 21 07:16:31.485030: | adding Child Responder KE and nonce nr work-order 7 for state #6 Sep 21 07:16:31.485034: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5621a13a9cf0 Sep 21 07:16:31.485039: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #6 Sep 21 07:16:31.485042: | libevent_malloc: new ptr-libevent@0x7f08b0001100 size 128 Sep 21 07:16:31.485055: | #6 spent 0.493 milliseconds in processing: Respond to CREATE_CHILD_SA IPsec SA Request in ikev2_process_state_packet() Sep 21 07:16:31.485059: | crypto helper 5 resuming Sep 21 07:16:31.485063: | suspend processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.485070: | crypto helper 5 starting work-order 7 for state #6 Sep 21 07:16:31.485078: | start processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.485080: | crypto helper 5 doing build KE and nonce (Child Responder KE and nonce nr); request ID 7 Sep 21 07:16:31.485085: | #6 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_SUSPEND Sep 21 07:16:31.485090: | suspending state #6 and saving MD Sep 21 07:16:31.485093: | #6 is busy; has a suspended MD Sep 21 07:16:31.485098: | [RE]START processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:31.485103: | "north-eastnets/0x2" #6 complete v2 state STATE_V2_CREATE_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:31.485108: | stop processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:31.485114: | #4 spent 1.05 milliseconds in ikev2_process_packet() Sep 21 07:16:31.485119: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Sep 21 07:16:31.485123: | 
processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:31.485125: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:31.485129: | spent 1.07 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:31.485137: | processing signal PLUTO_SIGCHLD Sep 21 07:16:31.485142: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:31.485146: | spent 0.00479 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:31.485148: | processing signal PLUTO_SIGCHLD Sep 21 07:16:31.485152: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:31.485156: | spent 0.00358 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:31.485158: | processing signal PLUTO_SIGCHLD Sep 21 07:16:31.485161: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:31.485165: | spent 0.00343 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:31.487556: | crypto helper 5 finished build KE and nonce (Child Responder KE and nonce nr); request ID 7 time elapsed 0.002477 seconds Sep 21 07:16:31.487567: | (#6) spent 2.47 milliseconds in crypto helper computing work-order 7: Child Responder KE and nonce nr (pcr) Sep 21 07:16:31.487570: | crypto helper 5 sending results from work-order 7 for state #6 to event queue Sep 21 07:16:31.487573: | scheduling resume sending helper answer for #6 Sep 21 07:16:31.487576: | libevent_malloc: new ptr-libevent@0x7f08b4005780 size 128 Sep 21 07:16:31.487583: | crypto helper 5 waiting (nothing to do) Sep 21 07:16:31.487615: | processing resume sending helper answer for #6 Sep 21 07:16:31.487623: | start processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:797) Sep 21 07:16:31.487627: | crypto helper 5 replies to request ID 7 Sep 21 07:16:31.487629: | calling continuation function 0x56219f926630 Sep 21 07:16:31.487631: | ikev2_child_inIoutR_continue for #6 STATE_V2_CREATE_R Sep 21 07:16:31.487637: | adding DHv2 for child 
sa work-order 8 for state #6 Sep 21 07:16:31.487639: | state #6 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:31.487642: | libevent_free: release ptr-libevent@0x7f08b0001100 Sep 21 07:16:31.487644: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5621a13a9cf0 Sep 21 07:16:31.487645: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5621a13a9cf0 Sep 21 07:16:31.487648: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #6 Sep 21 07:16:31.487650: | libevent_malloc: new ptr-libevent@0x7f08b0001100 size 128 Sep 21 07:16:31.487657: | [RE]START processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.487658: | crypto helper 1 resuming Sep 21 07:16:31.487663: | #6 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_SUSPEND Sep 21 07:16:31.487671: | suspending state #6 and saving MD Sep 21 07:16:31.487674: | #6 is busy; has a suspended MD Sep 21 07:16:31.487668: | crypto helper 1 starting work-order 8 for state #6 Sep 21 07:16:31.487678: | [RE]START processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:31.487684: | crypto helper 1 doing crypto (DHv2 for child sa); request ID 8 Sep 21 07:16:31.487686: | "north-eastnets/0x2" #6 complete v2 state STATE_V2_CREATE_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:31.487688: | resume sending helper answer for #6 suppresed complete_v2_state_transition() and stole MD Sep 21 07:16:31.487692: | #6 spent 0.0609 milliseconds in resume sending helper answer Sep 21 07:16:31.487695: | stop processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:833) Sep 21 07:16:31.487697: | libevent_free: release ptr-libevent@0x7f08b4005780 Sep 21 07:16:31.490136: | crypto helper 1 finished crypto (DHv2 for child sa); request ID 8 time elapsed 0.002452 seconds 
Sep 21 07:16:31.490144: | (#6) spent 2.45 milliseconds in crypto helper computing work-order 8: DHv2 for child sa (dh) Sep 21 07:16:31.490147: | crypto helper 1 sending results from work-order 8 for state #6 to event queue Sep 21 07:16:31.490149: | scheduling resume sending helper answer for #6 Sep 21 07:16:31.490153: | libevent_malloc: new ptr-libevent@0x7f08c8006b50 size 128 Sep 21 07:16:31.490158: | crypto helper 1 waiting (nothing to do) Sep 21 07:16:31.490200: | processing resume sending helper answer for #6 Sep 21 07:16:31.490208: | start processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:797) Sep 21 07:16:31.490211: | crypto helper 1 replies to request ID 8 Sep 21 07:16:31.490213: | calling continuation function 0x56219f9274f0 Sep 21 07:16:31.490216: | ikev2_child_inIoutR_continue_continue for #6 STATE_V2_CREATE_R Sep 21 07:16:31.490220: | **emit ISAKMP Message: Sep 21 07:16:31.490222: | initiator cookie: Sep 21 07:16:31.490224: | cc 16 75 8d 92 e6 25 81 Sep 21 07:16:31.490225: | responder cookie: Sep 21 07:16:31.490227: | 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:31.490229: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:31.490231: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.490232: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Sep 21 07:16:31.490234: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:16:31.490236: | Message ID: 2 (0x2) Sep 21 07:16:31.490238: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:31.490240: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:31.490242: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.490243: | flags: none (0x0) Sep 21 07:16:31.490245: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:31.490247: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next 
payload type' in 'reply packet' Sep 21 07:16:31.490250: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:31.490268: | netlink_get_spi: allocated 0x18ee805c for esp.0@192.1.3.33 Sep 21 07:16:31.490271: | Emitting ikev2_proposal ... Sep 21 07:16:31.490272: | ****emit IKEv2 Security Association Payload: Sep 21 07:16:31.490274: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.490276: | flags: none (0x0) Sep 21 07:16:31.490278: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:31.490280: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.490284: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.490286: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.490288: | prop #: 1 (0x1) Sep 21 07:16:31.490289: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:31.490291: | spi size: 4 (0x4) Sep 21 07:16:31.490292: | # transforms: 4 (0x4) Sep 21 07:16:31.490294: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:31.490296: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:16:31.490298: | our spi 18 ee 80 5c Sep 21 07:16:31.490299: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.490301: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.490303: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.490305: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.490306: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.490308: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.490310: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.490312: | length/value: 128 
(0x80) Sep 21 07:16:31.490314: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:16:31.490315: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.490317: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.490318: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.490320: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:31.490322: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.490324: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.490326: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.490327: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.490329: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.490330: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:31.490332: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:31.490334: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.490336: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.490337: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.490339: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.490341: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.490342: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:31.490344: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:31.490345: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.490347: | last 
substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.490349: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.490351: | emitting length of IKEv2 Proposal Substructure Payload: 48 Sep 21 07:16:31.490352: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:16:31.490354: | emitting length of IKEv2 Security Association Payload: 52 Sep 21 07:16:31.490356: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:31.490357: | ****emit IKEv2 Nonce Payload: Sep 21 07:16:31.490359: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.490362: | flags: none (0x0) Sep 21 07:16:31.490364: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:16:31.490366: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.490368: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:16:31.490369: | IKEv2 nonce 4b 2c 98 44 b7 67 1c 3c 20 10 4b 94 87 45 17 fb Sep 21 07:16:31.490371: | IKEv2 nonce e3 5c 19 1c ae 8e a2 37 28 c6 a4 ae e4 ef 21 62 Sep 21 07:16:31.490372: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:16:31.490374: | ****emit IKEv2 Key Exchange Payload: Sep 21 07:16:31.490376: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.490377: | flags: none (0x0) Sep 21 07:16:31.490379: | DH group: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:31.490381: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 07:16:31.490383: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 
'reply packet' Sep 21 07:16:31.490384: | emitting 384 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
Sep 21 07:16:31.490422: | emitting length of IKEv2 Key Exchange Payload: 392 Sep 21 07:16:31.490424: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:16:31.490425: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.490427: | flags: none (0x0) Sep 21 07:16:31.490428: | number of TS: 1 (0x1) Sep 21 07:16:31.490430: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:16:31.490432: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.490435: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:31.490436: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.490438: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.490440: | start port: 0 (0x0) Sep 21 07:16:31.490441: | end port: 65535 (0xffff) Sep 21 07:16:31.490443: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:16:31.490445: | IP start c0 00 16 00 Sep 21 07:16:31.490446: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:31.490448: | IP end c0 00 16 ff Sep 21 07:16:31.490449: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:31.490451: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:16:31.490453: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:31.490454: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.490456: | flags: none (0x0) Sep 21 07:16:31.490457: | number of TS: 1 (0x1) Sep 21 07:16:31.490459: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:16:31.490461: | next payload chain: saving
location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.490463: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:31.490464: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.490466: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.490467: | start port: 0 (0x0) Sep 21 07:16:31.490469: | end port: 65535 (0xffff) Sep 21 07:16:31.490471: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:16:31.490472: | IP start c0 00 03 00 Sep 21 07:16:31.490474: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:31.490475: | IP end c0 00 03 ff Sep 21 07:16:31.490477: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:31.490478: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:16:31.490480: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:16:31.490483: | integ=sha2_512: .key_size=64 encrypt=aes: .key_size=16 .salt_size=0 keymat_len=80 Sep 21 07:16:31.490683: | install_ipsec_sa() for #6: inbound and outbound Sep 21 07:16:31.490686: | could_route called for north-eastnets/0x2 (kind=CK_PERMANENT) Sep 21 07:16:31.490688: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:16:31.490690: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.490692: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:31.490694: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.490695: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:31.490698: | route owner of "north-eastnets/0x2" erouted: self; eroute owner: self Sep 21 07:16:31.490700: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Sep 21 07:16:31.490703: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Sep 21 07:16:31.490704: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Sep 21 07:16:31.490707: | setting IPsec SA replay-window to 32 Sep 21 07:16:31.490709: | NIC esp-hw-offload not for connection 'north-eastnets/0x2' not available on interface eth1 Sep 21 07:16:31.490711: | netlink: enabling tunnel mode Sep 21 07:16:31.490713: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:16:31.490715: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:16:31.490811: | netlink response for Add SA esp.43bbc6ab@192.1.2.23 included non-error error Sep 21 07:16:31.490820: | set up outgoing SA, ref=0/0 Sep 21 07:16:31.490825: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Sep 21 07:16:31.490829: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Sep 21 07:16:31.490832: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Sep 21 07:16:31.490838: | setting IPsec SA replay-window to 32 Sep 21 07:16:31.490842: | NIC esp-hw-offload not for connection 'north-eastnets/0x2' not available on interface eth1 Sep 21 07:16:31.490845: | netlink: enabling tunnel mode Sep 21 07:16:31.490848: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:16:31.490851: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:16:31.490932: | 
netlink response for Add SA esp.18ee805c@192.1.3.33 included non-error error Sep 21 07:16:31.490937: | set up incoming SA, ref=0/0 Sep 21 07:16:31.490939: | sr for #6: erouted Sep 21 07:16:31.490943: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:16:31.490945: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:16:31.490949: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.490953: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:31.490956: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.490959: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:31.490964: | route owner of "north-eastnets/0x2" erouted: self; eroute owner: self Sep 21 07:16:31.490981: | route_and_eroute with c: north-eastnets/0x2 (next: none) ero:north-eastnets/0x2 esr:{(nil)} ro:north-eastnets/0x2 rosr:{(nil)} and state: #6 Sep 21 07:16:31.490985: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:31.490994: | eroute_connection replace eroute 192.0.3.0/24:0 --0-> 192.0.22.0/24:0 => tun.0@192.1.2.23>tun.0@192.1.2.23 (raw_eroute) Sep 21 07:16:31.490998: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:31.491040: | raw_eroute result=success Sep 21 07:16:31.491043: | route_and_eroute: firewall_notified: true Sep 21 07:16:31.491046: | route_and_eroute: instance "north-eastnets/0x2", setting eroute_owner {spd=0x5621a13a5a80,sr=0x5621a13a5a80} to #6 (was #3) (newest_ipsec_sa=#3) Sep 21 07:16:31.491129: | #4 spent 0.401 milliseconds in install_ipsec_sa() Sep 21 07:16:31.491136: | ISAKMP_v2_CREATE_CHILD_SA: instance north-eastnets/0x2[0], setting IKEv2 newest_ipsec_sa to #6 (was #3) (spd.eroute=#6) cloned from #4 Sep 21 07:16:31.491140: | adding 16 bytes of padding (including 1 byte padding-length) Sep 21 07:16:31.491144: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.491148: | emitting 1 0x01 repeated bytes of 
padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.491152: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.491168: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.491171: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.491175: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.491178: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.491181: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.491185: | emitting 1 0x08 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.491188: | emitting 1 0x09 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.491192: | emitting 1 0x0a repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.491195: | emitting 1 0x0b repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.491198: | emitting 1 0x0c repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.491201: | emitting 1 0x0d repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.491205: | emitting 1 0x0e repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.491208: | emitting 1 0x0f repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.491211: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:31.491215: | emitting length of IKEv2 Encryption Payload: 580 Sep 21 07:16:31.491217: | emitting length of ISAKMP Message: 608
Sep 21 07:16:31.491292: | out calculated auth: Sep 21 07:16:31.491294: | b9 9c 00 88 81 42 2b 20 e4 fc 76 c7 db 5b db e1 Sep 21 07:16:31.491299: "north-eastnets/0x2" #6: negotiated new IPsec SA [192.0.3.0-192.0.3.255:0-65535 0] -> [192.0.22.0-192.0.22.255:0-65535 0] Sep 21 07:16:31.491303: | [RE]START processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.491307: | #6 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_OK Sep 21 07:16:31.491309: | IKEv2: transition from state STATE_V2_CREATE_R to state STATE_V2_IPSEC_R Sep 21 07:16:31.491311: | child state #6: V2_CREATE_R(established IKE SA) => V2_IPSEC_R(established CHILD SA) Sep 21 07:16:31.491313: | Message ID: updating counters for #6
to 2 after switching state Sep 21 07:16:31.491317: | Message ID: recv #4.#6 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1->2; child: wip.initiator=-1 wip.responder=2->-1 Sep 21 07:16:31.491320: | Message ID: sent #4.#6 response 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1->2 responder.recv=2; child: wip.initiator=-1 wip.responder=-1 Sep 21 07:16:31.491322: | pstats #6 ikev2.child established Sep 21 07:16:31.491325: "north-eastnets/0x2" #6: negotiated connection [192.0.3.0-192.0.3.255:0-65535 0] -> [192.0.22.0-192.0.22.255:0-65535 0] Sep 21 07:16:31.491328: | NAT-T: encaps is 'auto' Sep 21 07:16:31.491331: "north-eastnets/0x2" #6: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x43bbc6ab <0x18ee805c xfrm=AES_CBC_128-HMAC_SHA2_512_256-MODP3072 NATOA=none NATD=none DPD=passive} Sep 21 07:16:31.491334: | sending V2 new request packet to 192.1.2.23:500 (from 192.1.3.33:500) Sep 21 07:16:31.491337: | sending 608 bytes for STATE_V2_CREATE_R through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #4)
Sep 21 07:16:31.491430: | releasing whack for #6 (sock=fd@-1) Sep 21 07:16:31.491436: | releasing whack and
unpending for parent #4 Sep 21 07:16:31.491439: | unpending state #4 connection "north-eastnets/0x2" Sep 21 07:16:31.491443: | #6 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:16:31.491446: | state #6 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:31.491449: | libevent_free: release ptr-libevent@0x7f08b0001100 Sep 21 07:16:31.491451: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5621a13a9cf0 Sep 21 07:16:31.491454: | event_schedule: new EVENT_SA_REKEY-pe@0x5621a13a9cf0 Sep 21 07:16:31.491458: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #6 Sep 21 07:16:31.491460: | libevent_malloc: new ptr-libevent@0x7f08b0001100 size 128 Sep 21 07:16:31.491466: | #6 spent 1.19 milliseconds in resume sending helper answer Sep 21 07:16:31.491471: | stop processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:833) Sep 21 07:16:31.491475: | libevent_free: release ptr-libevent@0x7f08c8006b50 Sep 21 07:16:31.543700: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:31.543871: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:16:31.543877: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:16:31.544003: | FOR_EACH_STATE_... in show_states_status (sort_states) Sep 21 07:16:31.544008: | FOR_EACH_STATE_... 
in sort_states Sep 21 07:16:31.544019: | get_sa_info esp.2d973bf0@192.1.3.33 Sep 21 07:16:31.544038: | get_sa_info esp.ecbd618@192.1.2.23 Sep 21 07:16:31.544055: | get_sa_info esp.fff4871b@192.1.3.33 Sep 21 07:16:31.544063: | get_sa_info esp.4066dd7c@192.1.2.23 Sep 21 07:16:31.544080: | get_sa_info esp.c8d0fe50@192.1.3.33 Sep 21 07:16:31.544089: | get_sa_info esp.543d207b@192.1.2.23 Sep 21 07:16:31.544105: | get_sa_info esp.18ee805c@192.1.3.33 Sep 21 07:16:31.544114: | get_sa_info esp.43bbc6ab@192.1.2.23 Sep 21 07:16:31.544134: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:31.544142: | spent 0.443 milliseconds in whack Sep 21 07:16:32.676797: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:32.676823: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Sep 21 07:16:32.676829: | FOR_EACH_STATE_... in sort_states Sep 21 07:16:32.676838: | get_sa_info esp.2d973bf0@192.1.3.33 Sep 21 07:16:32.676854: | get_sa_info esp.ecbd618@192.1.2.23 Sep 21 07:16:32.676869: | get_sa_info esp.fff4871b@192.1.3.33 Sep 21 07:16:32.676877: | get_sa_info esp.4066dd7c@192.1.2.23 Sep 21 07:16:32.676887: | get_sa_info esp.c8d0fe50@192.1.3.33 Sep 21 07:16:32.676895: | get_sa_info esp.543d207b@192.1.2.23 Sep 21 07:16:32.676906: | get_sa_info esp.18ee805c@192.1.3.33 Sep 21 07:16:32.676913: | get_sa_info esp.43bbc6ab@192.1.2.23 Sep 21 07:16:32.676926: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:32.676933: | spent 0.144 milliseconds in whack Sep 21 07:16:33.542278: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:33.542306: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Sep 21 07:16:33.542311: | FOR_EACH_STATE_... 
in sort_states Sep 21 07:16:33.542319: | get_sa_info esp.2d973bf0@192.1.3.33 Sep 21 07:16:33.542335: | get_sa_info esp.ecbd618@192.1.2.23 Sep 21 07:16:33.542353: | get_sa_info esp.fff4871b@192.1.3.33 Sep 21 07:16:33.542363: | get_sa_info esp.4066dd7c@192.1.2.23 Sep 21 07:16:33.542375: | get_sa_info esp.c8d0fe50@192.1.3.33 Sep 21 07:16:33.542384: | get_sa_info esp.543d207b@192.1.2.23 Sep 21 07:16:33.542401: | get_sa_info esp.18ee805c@192.1.3.33 Sep 21 07:16:33.542410: | get_sa_info esp.43bbc6ab@192.1.2.23 Sep 21 07:16:33.542425: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:33.542433: | spent 0.162 milliseconds in whack Sep 21 07:16:33.910876: | spent 0.00388 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:33.910899: | *received 80 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) Sep 21 07:16:33.910903: | cc 16 75 8d 92 e6 25 81 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.910906: | 2e 20 25 08 00 00 00 03 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.910909: | a1 26 be bf 3c 8a b6 b1 6c 4f 40 d6 be d9 a0 d7 Sep 21 07:16:33.910912: | 3a 3a 6d ed 84 58 5a 1a 3c 3d 33 3c 43 56 4b d0 Sep 21 07:16:33.910915: | a1 24 5b 12 3b 40 a0 7b d7 93 d7 4a 72 65 db f4 Sep 21 07:16:33.910921: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Sep 21 07:16:33.910925: | **parse ISAKMP Message: Sep 21 07:16:33.910927: | initiator cookie: Sep 21 07:16:33.910929: | cc 16 75 8d 92 e6 25 81 Sep 21 07:16:33.910932: | responder cookie: Sep 21 07:16:33.910935: | 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.910938: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:16:33.910941: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:33.910944: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:16:33.910947: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:33.910950: | Message ID: 3 (0x3) Sep 21 07:16:33.910953: | length: 80 (0x50) Sep 21 07:16:33.910956: | processing version=2.0 packet with 
exchange type=ISAKMP_v2_INFORMATIONAL (37) Sep 21 07:16:33.910960: | I am the IKE SA Original Responder receiving an IKEv2 INFORMATIONAL request Sep 21 07:16:33.910965: | State DB: found IKEv2 state #4 in PARENT_R2 (find_v2_ike_sa) Sep 21 07:16:33.910972: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:16:33.910976: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:16:33.910981: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:16:33.910985: | #4 st.st_msgid_lastrecv 2 md.hdr.isa_msgid 00000003 Sep 21 07:16:33.910990: | Message ID: #4 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 Sep 21 07:16:33.910993: | unpacking clear payload Sep 21 07:16:33.910996: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:16:33.910999: | ***parse IKEv2 Encryption Payload: Sep 21 07:16:33.911005: | next payload type: ISAKMP_NEXT_v2D (0x2a) Sep 21 07:16:33.911008: | flags: none (0x0) Sep 21 07:16:33.911011: | length: 52 (0x34) Sep 21 07:16:33.911013: | processing payload: ISAKMP_NEXT_v2SK (len=48) Sep 21 07:16:33.911017: | Message ID: start-responder #4 request 3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1 wip.responder=-1->3 Sep 21 07:16:33.911020: | #4 in state PARENT_R2: received v2I2, PARENT SA established Sep 21 07:16:33.911049: | data for hmac: cc 16 75 8d 92 e6 25 81 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.911052: | data for hmac: 2e 20 25 08 00 00 00 03 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.911055: | data for hmac: a1 26 be bf 3c 8a b6 b1 6c 4f 40 d6 be d9 a0 d7 Sep 21 07:16:33.911057: | data for hmac: 3a 3a 6d ed 84 58 5a 1a 3c 3d 33 3c 43 56 4b d0 Sep 21 07:16:33.911060: | calculated auth: a1 24 5b 12 3b 40 a0 7b d7 93 d7 4a 72 65 db f4 Sep 21 07:16:33.911062: | 
provided auth: a1 24 5b 12 3b 40 a0 7b d7 93 d7 4a 72 65 db f4 Sep 21 07:16:33.911064: | authenticator matched Sep 21 07:16:33.911074: | #4 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Sep 21 07:16:33.911077: | Now let's proceed with payload (ISAKMP_NEXT_v2D) Sep 21 07:16:33.911080: | **parse IKEv2 Delete Payload: Sep 21 07:16:33.911083: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.911088: | flags: none (0x0) Sep 21 07:16:33.911090: | length: 12 (0xc) Sep 21 07:16:33.911093: | protocol ID: PROTO_v2_ESP (0x3) Sep 21 07:16:33.911095: | SPI size: 4 (0x4) Sep 21 07:16:33.911097: | number of SPIs: 1 (0x1) Sep 21 07:16:33.911099: | processing payload: ISAKMP_NEXT_v2D (len=4) Sep 21 07:16:33.911102: | selected state microcode R2: process INFORMATIONAL Request Sep 21 07:16:33.911104: | Now let's proceed with state specific processing Sep 21 07:16:33.911107: | calling processor R2: process INFORMATIONAL Request Sep 21 07:16:33.911110: | an informational request should send a response Sep 21 07:16:33.911115: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Sep 21 07:16:33.911118: | **emit ISAKMP Message: Sep 21 07:16:33.911121: | initiator cookie: Sep 21 07:16:33.911123: | cc 16 75 8d 92 e6 25 81 Sep 21 07:16:33.911125: | responder cookie: Sep 21 07:16:33.911127: | 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.911129: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:33.911132: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:33.911134: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:16:33.911137: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:16:33.911139: | Message ID: 3 (0x3) Sep 21 07:16:33.911142: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:33.911145: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:33.911147: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.911150: | flags: none (0x0) Sep 21 07:16:33.911152: | 
next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:33.911156: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Sep 21 07:16:33.911159: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:33.911165: | parsing 4 raw bytes of IKEv2 Delete Payload into SPI Sep 21 07:16:33.911168: | SPI 43 bb c6 ab Sep 21 07:16:33.911170: | delete PROTO_v2_ESP SA(0x43bbc6ab) Sep 21 07:16:33.911173: | v2 CHILD SA #6 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_R Sep 21 07:16:33.911176: | State DB: found IKEv2 state #6 in V2_IPSEC_R (find_v2_child_sa_by_outbound_spi) Sep 21 07:16:33.911179: | our side SPI that needs to be deleted: PROTO_v2_ESP SA(0x43bbc6ab) Sep 21 07:16:33.911182: "north-eastnets/0x2" #4: received Delete SA payload: replace IPsec State #6 now Sep 21 07:16:33.911185: | state #6 requesting EVENT_SA_REKEY to be deleted Sep 21 07:16:33.911189: | libevent_free: release ptr-libevent@0x7f08b0001100 Sep 21 07:16:33.911192: | free_event_entry: release EVENT_SA_REKEY-pe@0x5621a13a9cf0 Sep 21 07:16:33.911195: | event_schedule: new EVENT_SA_REPLACE-pe@0x5621a13a9cf0 Sep 21 07:16:33.911199: | inserting event EVENT_SA_REPLACE, timeout in 0 seconds for #6 Sep 21 07:16:33.911202: | libevent_malloc: new ptr-libevent@0x7f08b0001100 size 128 Sep 21 07:16:33.911206: | ****emit IKEv2 Delete Payload: Sep 21 07:16:33.911208: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.911210: | flags: none (0x0) Sep 21 07:16:33.911213: | protocol ID: PROTO_v2_ESP (0x3) Sep 21 07:16:33.911215: | SPI size: 4 (0x4) Sep 21 07:16:33.911217: | number of SPIs: 1 (0x1) Sep 21 07:16:33.911220: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:16:33.911223: | next payload chain: saving location 
'IKEv2 Delete Payload'.'next payload type' in 'information exchange reply packet' Sep 21 07:16:33.911226: | emitting 4 raw bytes of local SPIs into IKEv2 Delete Payload Sep 21 07:16:33.911228: | local SPIs 18 ee 80 5c Sep 21 07:16:33.911230: | emitting length of IKEv2 Delete Payload: 12 Sep 21 07:16:33.911233: | adding 4 bytes of padding (including 1 byte padding-length) Sep 21 07:16:33.911236: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.911240: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.911243: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.911245: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.911248: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:33.911250: | emitting length of IKEv2 Encryption Payload: 52 Sep 21 07:16:33.911253: | emitting length of ISAKMP Message: 80 Sep 21 07:16:33.911277: | data being hmac: cc 16 75 8d 92 e6 25 81 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.911280: | data being hmac: 2e 20 25 20 00 00 00 03 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.911283: | data being hmac: bc 2b a5 10 a9 bf a4 57 d9 8d 50 8d db 96 4d df Sep 21 07:16:33.911285: | data being hmac: cf 01 34 2a 16 94 77 16 56 97 99 f6 03 03 70 65 Sep 21 07:16:33.911287: | out calculated auth: Sep 21 07:16:33.911289: | ae 41 62 1c f8 bb 40 ba 4a 32 7e 9a 0f f7 7b e6 Sep 21 07:16:33.911296: | sending 80 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #4) Sep 21 07:16:33.911299: | cc 16 75 8d 92 e6 25 81 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.911301: | 2e 20 25 20 00 00 00 03 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.911303: | bc 2b a5 10 a9 bf a4 57 d9 8d 50 8d db 96 4d df Sep 21 07:16:33.911305: | cf 01 34 2a 16 94 77 16 56 97 99 f6 03 03 
70 65 Sep 21 07:16:33.911307: | ae 41 62 1c f8 bb 40 ba 4a 32 7e 9a 0f f7 7b e6 Sep 21 07:16:33.911344: | Message ID: #4 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1 wip.responder=3 Sep 21 07:16:33.911350: | Message ID: sent #4 response 3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=2->3 responder.recv=2 wip.initiator=-1 wip.responder=3 Sep 21 07:16:33.911356: | #4 spent 0.225 milliseconds in processing: R2: process INFORMATIONAL Request in ikev2_process_state_packet() Sep 21 07:16:33.911362: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:33.911366: | #4 complete_v2_state_transition() PARENT_R2->PARENT_R2 with status STF_OK Sep 21 07:16:33.911369: | Message ID: updating counters for #4 to 3 after switching state Sep 21 07:16:33.911373: | Message ID: recv #4 request 3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=2->3 wip.initiator=-1 wip.responder=3->-1 Sep 21 07:16:33.911377: | Message ID: #4 skipping update_send as nothing to send; initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3 wip.initiator=-1 wip.responder=-1 Sep 21 07:16:33.911380: "north-eastnets/0x2" #4: STATE_PARENT_R2: received v2I2, PARENT SA established Sep 21 07:16:33.911385: | stop processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:33.911389: | #4 spent 0.481 milliseconds in ikev2_process_packet() Sep 21 07:16:33.911393: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Sep 21 07:16:33.911397: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:33.911399: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:33.911403: | 
spent 0.495 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:33.911411: | timer_event_cb: processing event@0x5621a13a9cf0 Sep 21 07:16:33.911414: | handling event EVENT_SA_REPLACE for child state #6 Sep 21 07:16:33.911418: | start processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in timer_event_cb() at timer.c:250) Sep 21 07:16:33.911422: | picked newest_ipsec_sa #6 for #6 Sep 21 07:16:33.911426: | replacing stale CHILD SA Sep 21 07:16:33.911430: | dup_any(fd@-1) -> fd@-1 (in ipsecdoi_replace() at ipsec_doi.c:351) Sep 21 07:16:33.911433: | FOR_EACH_STATE_... in find_phase1_state Sep 21 07:16:33.911437: | FOR_EACH_STATE_... in find_pending_phase2 Sep 21 07:16:33.911441: | creating state object #7 at 0x5621a13c1f40 Sep 21 07:16:33.911444: | State DB: adding IKEv2 state #7 in UNDEFINED Sep 21 07:16:33.911448: | pstats #7 ikev2.child started Sep 21 07:16:33.911451: | duplicating state object #4 "north-eastnets/0x2" as #7 for IPSEC SA Sep 21 07:16:33.911456: | #7 setting local endpoint to 192.1.3.33:500 from #4.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:16:33.911462: | Message ID: init_child #4.#7; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:33.911467: | suspend processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5634) Sep 21 07:16:33.911471: | start processing: state #7 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5634) Sep 21 07:16:33.911474: | child state #7: UNDEFINED(ignore) => V2_REKEY_CHILD_I0(established IKE SA) Sep 21 07:16:33.911482: | using existing local ESP/AH proposals for north-eastnets/0x2 (ESP/AH initiator emitting proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Sep 21 07:16:33.911488: | #7 schedule rekey initiate IPsec SA 
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO to replace #6 using IKE# 4 pfs=MODP3072 Sep 21 07:16:33.911491: | event_schedule: new EVENT_v2_INITIATE_CHILD-pe@0x7f08c4002b20 Sep 21 07:16:33.911495: | inserting event EVENT_v2_INITIATE_CHILD, timeout in 0 seconds for #7 Sep 21 07:16:33.911498: | libevent_malloc: new ptr-libevent@0x7f08c8006b50 size 128 Sep 21 07:16:33.911503: | RESET processing: state #7 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5734) Sep 21 07:16:33.911506: | event_schedule: new EVENT_SA_EXPIRE-pe@0x5621a13acfd0 Sep 21 07:16:33.911510: | inserting event EVENT_SA_EXPIRE, timeout in 0 seconds for #6 Sep 21 07:16:33.911512: | libevent_malloc: new ptr-libevent@0x5621a13badf0 size 128 Sep 21 07:16:33.911516: | libevent_free: release ptr-libevent@0x7f08b0001100 Sep 21 07:16:33.911519: | free_event_entry: release EVENT_SA_REPLACE-pe@0x5621a13a9cf0 Sep 21 07:16:33.911523: | #6 spent 0.112 milliseconds in timer_event_cb() EVENT_SA_REPLACE Sep 21 07:16:33.911526: | processing: STOP state #0 (in timer_event_cb() at timer.c:557) Sep 21 07:16:33.911531: | timer_event_cb: processing event@0x7f08c4002b20 Sep 21 07:16:33.911534: | handling event EVENT_v2_INITIATE_CHILD for child state #7 Sep 21 07:16:33.911539: | start processing: state #7 connection "north-eastnets/0x2" from 192.1.2.23:500 (in timer_event_cb() at timer.c:250) Sep 21 07:16:33.911543: | adding Child Rekey Initiator KE and nonce ni work-order 9 for state #7 Sep 21 07:16:33.911546: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5621a13a9cf0 Sep 21 07:16:33.911549: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #7 Sep 21 07:16:33.911552: | libevent_malloc: new ptr-libevent@0x7f08b0001100 size 128 Sep 21 07:16:33.911561: | libevent_free: release ptr-libevent@0x7f08c8006b50 Sep 21 07:16:33.911563: | free_event_entry: release EVENT_v2_INITIATE_CHILD-pe@0x7f08c4002b20 Sep 21 07:16:33.911568: | #7 
spent 0.0355 milliseconds in timer_event_cb() EVENT_v2_INITIATE_CHILD Sep 21 07:16:33.911573: | stop processing: state #7 connection "north-eastnets/0x2" from 192.1.2.23:500 (in timer_event_cb() at timer.c:557) Sep 21 07:16:33.911576: | timer_event_cb: processing event@0x5621a13acfd0 Sep 21 07:16:33.911579: | handling event EVENT_SA_EXPIRE for child state #6 Sep 21 07:16:33.911583: | start processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in timer_event_cb() at timer.c:250) Sep 21 07:16:33.911586: | picked newest_ipsec_sa #6 for #6 Sep 21 07:16:33.911593: | un-established partial CHILD SA timeout (SA expired) Sep 21 07:16:33.911596: | pstats #6 ikev2.child re-failed exchange-timeout Sep 21 07:16:33.911598: | pstats #6 ikev2.child deleted completed Sep 21 07:16:33.911601: | #6 spent 6.77 milliseconds in total Sep 21 07:16:33.911606: | [RE]START processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:879) Sep 21 07:16:33.911610: "north-eastnets/0x2" #6: deleting state (STATE_V2_IPSEC_R) aged 2.427s and NOT sending notification Sep 21 07:16:33.911612: | child state #6: V2_IPSEC_R(established CHILD SA) => delete Sep 21 07:16:33.911617: | get_sa_info esp.43bbc6ab@192.1.2.23 Sep 21 07:16:33.911631: | get_sa_info esp.18ee805c@192.1.3.33 Sep 21 07:16:33.911640: "north-eastnets/0x2" #6: ESP traffic information: in=0B out=0B Sep 21 07:16:33.911644: | child state #6: V2_IPSEC_R(established CHILD SA) => CHILDSA_DEL(informational) Sep 21 07:16:33.911707: | crypto helper 0 resuming Sep 21 07:16:33.911714: | crypto helper 0 starting work-order 9 for state #7 Sep 21 07:16:33.911721: | crypto helper 0 doing build KE and nonce (Child Rekey Initiator KE and nonce ni); request ID 9 Sep 21 07:16:33.913793: | crypto helper 0 finished build KE and nonce (Child Rekey Initiator KE and nonce ni); request ID 9 time elapsed 0.00206 seconds Sep 21 07:16:33.913812: | (#7) spent 2.07 milliseconds in crypto helper computing 
work-order 9: Child Rekey Initiator KE and nonce ni (pcr) Sep 21 07:16:33.913816: | crypto helper 0 sending results from work-order 9 for state #7 to event queue Sep 21 07:16:33.913819: | scheduling resume sending helper answer for #7 Sep 21 07:16:33.913823: | libevent_malloc: new ptr-libevent@0x7f08c0011ee0 size 128 Sep 21 07:16:33.913832: | crypto helper 0 waiting (nothing to do) Sep 21 07:16:33.913977: | running updown command "ipsec _updown" for verb down Sep 21 07:16:33.913982: | command executing down-client Sep 21 07:16:33.914010: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050191' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED= Sep 21 07:16:33.914014: | popen cmd is 1054 chars long Sep 21 07:16:33.914017: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x: Sep 21 07:16:33.914019: | cmd( 80):2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUT: Sep 21 07:16:33.914022: | cmd( 160):O_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' : Sep 21 07:16:33.914024: | 
cmd( 240):PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLU: Sep 21 07:16:33.914026: | cmd( 320):TO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@: Sep 21 07:16:33.914029: | cmd( 400):east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO: Sep 21 07:16:33.914031: | cmd( 480):_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PL: Sep 21 07:16:33.914033: | cmd( 560):UTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050191' PLUTO_CONN_POLICY: Sep 21 07:16:33.914035: | cmd( 640):='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PL: Sep 21 07:16:33.914039: | cmd( 720):UTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_I: Sep 21 07:16:33.914042: | cmd( 800):S_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BAN: Sep 21 07:16:33.914044: | cmd( 880):NER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFA: Sep 21 07:16:33.914046: | cmd( 960):CE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x43bbc6ab SPI_OUT=0x18ee805c ipse: Sep 21 07:16:33.914048: | cmd(1040):c _updown 2>&1: Sep 21 07:16:33.925765: | shunt_eroute() called for connection 'north-eastnets/0x2' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 192.0.3.0/24:0 --0->- 192.0.22.0/24:0 Sep 21 07:16:33.925778: | netlink_shunt_eroute for proto 0, and source 192.0.3.0/24:0 dest 192.0.22.0/24:0 Sep 21 07:16:33.925781: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:33.925793: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:33.925831: | delete esp.43bbc6ab@192.1.2.23 Sep 21 07:16:33.925856: | netlink response for Del SA esp.43bbc6ab@192.1.2.23 included non-error error Sep 21 07:16:33.925860: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:33.925866: | delete inbound eroute 192.0.22.0/24:0 --0-> 
192.0.3.0/24:0 => unk255.10000@192.1.3.33 (raw_eroute) Sep 21 07:16:33.925908: | raw_eroute result=success Sep 21 07:16:33.925912: | delete esp.18ee805c@192.1.3.33 Sep 21 07:16:33.925933: | netlink response for Del SA esp.18ee805c@192.1.3.33 included non-error error Sep 21 07:16:33.925938: | in connection_discard for connection north-eastnets/0x2 Sep 21 07:16:33.925941: | State DB: deleting IKEv2 state #6 in CHILDSA_DEL Sep 21 07:16:33.925945: | child state #6: CHILDSA_DEL(informational) => UNDEFINED(ignore) Sep 21 07:16:33.925960: | stop processing: state #6 from 192.1.2.23:500 (in delete_state() at state.c:1143) Sep 21 07:16:33.925969: | State DB: found IKEv2 state #7 in V2_REKEY_CHILD_I0 (v2_expire_unused_ike_sa) Sep 21 07:16:33.925971: | can't expire unused IKE SA #4; it has the child #7 Sep 21 07:16:33.925976: | libevent_free: release ptr-libevent@0x5621a13badf0 Sep 21 07:16:33.925979: | free_event_entry: release EVENT_SA_EXPIRE-pe@0x5621a13acfd0 Sep 21 07:16:33.925982: | in statetime_stop() and could not find #6 Sep 21 07:16:33.925984: | processing: STOP state #0 (in timer_event_cb() at timer.c:557) Sep 21 07:16:33.925999: | spent 0.00193 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:33.926009: | *received 80 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) Sep 21 07:16:33.926011: | cc 16 75 8d 92 e6 25 81 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.926014: | 2e 20 25 08 00 00 00 04 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.926016: | b1 89 5e 1f 50 e0 ad 0f 46 31 ee 6f 37 15 34 9a Sep 21 07:16:33.926018: | 73 0d e9 9c dd 33 d1 3d 56 60 42 25 c4 6a 47 9a Sep 21 07:16:33.926020: | 13 97 fd 4e 67 db 4b ab 60 b5 dc 6a 70 79 17 62 Sep 21 07:16:33.926025: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Sep 21 07:16:33.926028: | **parse ISAKMP Message: Sep 21 07:16:33.926030: | initiator cookie: Sep 21 07:16:33.926033: | cc 16 75 8d 92 e6 25 81 Sep 21 07:16:33.926035: | responder cookie: Sep 21 
07:16:33.926037: | 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.926040: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:16:33.926043: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:33.926046: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:16:33.926049: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:33.926051: | Message ID: 4 (0x4) Sep 21 07:16:33.926053: | length: 80 (0x50) Sep 21 07:16:33.926056: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Sep 21 07:16:33.926059: | I am the IKE SA Original Responder receiving an IKEv2 INFORMATIONAL request Sep 21 07:16:33.926063: | State DB: found IKEv2 state #4 in PARENT_R2 (find_v2_ike_sa) Sep 21 07:16:33.926071: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:16:33.926074: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:16:33.926078: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:16:33.926081: | #4 st.st_msgid_lastrecv 3 md.hdr.isa_msgid 00000004 Sep 21 07:16:33.926086: | Message ID: #4 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3 Sep 21 07:16:33.926088: | unpacking clear payload Sep 21 07:16:33.926176: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:16:33.926182: | ***parse IKEv2 Encryption Payload: Sep 21 07:16:33.926185: | next payload type: ISAKMP_NEXT_v2D (0x2a) Sep 21 07:16:33.926187: | flags: none (0x0) Sep 21 07:16:33.926190: | length: 52 (0x34) Sep 21 07:16:33.926193: | processing payload: ISAKMP_NEXT_v2SK (len=48) Sep 21 07:16:33.926197: | Message ID: start-responder #4 request 4; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3 wip.initiator=-1 wip.responder=-1->4 Sep 21 07:16:33.926200: | #4 in state PARENT_R2: received v2I2, PARENT SA 
established Sep 21 07:16:33.926227: | data for hmac: cc 16 75 8d 92 e6 25 81 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.926230: | data for hmac: 2e 20 25 08 00 00 00 04 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.926232: | data for hmac: b1 89 5e 1f 50 e0 ad 0f 46 31 ee 6f 37 15 34 9a Sep 21 07:16:33.926235: | data for hmac: 73 0d e9 9c dd 33 d1 3d 56 60 42 25 c4 6a 47 9a Sep 21 07:16:33.926237: | calculated auth: 13 97 fd 4e 67 db 4b ab 60 b5 dc 6a 70 79 17 62 Sep 21 07:16:33.926240: | provided auth: 13 97 fd 4e 67 db 4b ab 60 b5 dc 6a 70 79 17 62 Sep 21 07:16:33.926242: | authenticator matched Sep 21 07:16:33.926251: | #4 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Sep 21 07:16:33.926254: | Now let's proceed with payload (ISAKMP_NEXT_v2D) Sep 21 07:16:33.926257: | **parse IKEv2 Delete Payload: Sep 21 07:16:33.926260: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.926262: | flags: none (0x0) Sep 21 07:16:33.926265: | length: 12 (0xc) Sep 21 07:16:33.926267: | protocol ID: PROTO_v2_ESP (0x3) Sep 21 07:16:33.926270: | SPI size: 4 (0x4) Sep 21 07:16:33.926272: | number of SPIs: 1 (0x1) Sep 21 07:16:33.926275: | processing payload: ISAKMP_NEXT_v2D (len=4) Sep 21 07:16:33.926277: | selected state microcode R2: process INFORMATIONAL Request Sep 21 07:16:33.926280: | Now let's proceed with state specific processing Sep 21 07:16:33.926282: | calling processor R2: process INFORMATIONAL Request Sep 21 07:16:33.926286: | an informational request should send a response Sep 21 07:16:33.926291: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Sep 21 07:16:33.926294: | **emit ISAKMP Message: Sep 21 07:16:33.926297: | initiator cookie: Sep 21 07:16:33.926299: | cc 16 75 8d 92 e6 25 81 Sep 21 07:16:33.926302: | responder cookie: Sep 21 07:16:33.926304: | 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.926306: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:33.926309: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 
07:16:33.926312: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:16:33.926314: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:16:33.926317: | Message ID: 4 (0x4) Sep 21 07:16:33.926320: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:33.926323: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:33.926325: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.926328: | flags: none (0x0) Sep 21 07:16:33.926331: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:33.926334: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Sep 21 07:16:33.926339: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:33.926347: | parsing 4 raw bytes of IKEv2 Delete Payload into SPI Sep 21 07:16:33.926349: | SPI 40 66 dd 7c Sep 21 07:16:33.926352: | delete PROTO_v2_ESP SA(0x4066dd7c) Sep 21 07:16:33.926355: | v2 CHILD SA #5 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_R Sep 21 07:16:33.926358: | State DB: found IKEv2 state #5 in V2_IPSEC_R (find_v2_child_sa_by_outbound_spi) Sep 21 07:16:33.926361: | our side SPI that needs to be deleted: PROTO_v2_ESP SA(0x4066dd7c) Sep 21 07:16:33.926364: "north-eastnets/0x2" #4: received Delete SA payload: replace IPsec State #5 now Sep 21 07:16:33.926367: | state #5 requesting EVENT_SA_REKEY to be deleted Sep 21 07:16:33.926370: | libevent_free: release ptr-libevent@0x5621a13bad60 Sep 21 07:16:33.926373: | free_event_entry: release EVENT_SA_REKEY-pe@0x5621a13b6e70 Sep 21 07:16:33.926376: | event_schedule: new EVENT_SA_REPLACE-pe@0x5621a13b6e70 Sep 21 07:16:33.926380: | inserting event EVENT_SA_REPLACE, timeout in 0 seconds for #5 Sep 21 07:16:33.926383: | libevent_malloc: new ptr-libevent@0x5621a13bad60 size 128 Sep 21 07:16:33.926386: | ****emit IKEv2 Delete Payload: Sep 21 
07:16:33.926389: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.926391: | flags: none (0x0) Sep 21 07:16:33.926393: | protocol ID: PROTO_v2_ESP (0x3) Sep 21 07:16:33.926396: | SPI size: 4 (0x4) Sep 21 07:16:33.926398: | number of SPIs: 1 (0x1) Sep 21 07:16:33.926401: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:16:33.926404: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'information exchange reply packet' Sep 21 07:16:33.926408: | emitting 4 raw bytes of local SPIs into IKEv2 Delete Payload Sep 21 07:16:33.926410: | local SPIs ff f4 87 1b Sep 21 07:16:33.926412: | emitting length of IKEv2 Delete Payload: 12 Sep 21 07:16:33.926415: | adding 4 bytes of padding (including 1 byte padding-length) Sep 21 07:16:33.926418: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.926421: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.926424: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.926427: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.926430: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:33.926432: | emitting length of IKEv2 Encryption Payload: 52 Sep 21 07:16:33.926435: | emitting length of ISAKMP Message: 80 Sep 21 07:16:33.926455: | data being hmac: cc 16 75 8d 92 e6 25 81 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.926458: | data being hmac: 2e 20 25 20 00 00 00 04 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.926461: | data being hmac: d6 48 e9 81 43 c8 bd 79 05 72 9d 6f 16 b2 7b 80 Sep 21 07:16:33.926463: | data being hmac: a4 0f 7a 62 6e 3e ab a5 3e ef b1 2a 51 b6 5c 4e Sep 21 07:16:33.926466: | out calculated auth: Sep 21 07:16:33.926468: | 4d cb f7 6e f7 6b 
f0 2d 05 c7 7a 92 e0 75 b9 5f Sep 21 07:16:33.926476: | sending 80 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #4) Sep 21 07:16:33.926478: | cc 16 75 8d 92 e6 25 81 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.926481: | 2e 20 25 20 00 00 00 04 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.926483: | d6 48 e9 81 43 c8 bd 79 05 72 9d 6f 16 b2 7b 80 Sep 21 07:16:33.926486: | a4 0f 7a 62 6e 3e ab a5 3e ef b1 2a 51 b6 5c 4e Sep 21 07:16:33.926488: | 4d cb f7 6e f7 6b f0 2d 05 c7 7a 92 e0 75 b9 5f Sep 21 07:16:33.926521: | Message ID: #4 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3 wip.initiator=-1 wip.responder=4 Sep 21 07:16:33.926529: | Message ID: sent #4 response 4; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=3->4 responder.recv=3 wip.initiator=-1 wip.responder=4 Sep 21 07:16:33.926535: | #4 spent 0.23 milliseconds in processing: R2: process INFORMATIONAL Request in ikev2_process_state_packet() Sep 21 07:16:33.926541: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:33.926545: | #4 complete_v2_state_transition() PARENT_R2->PARENT_R2 with status STF_OK Sep 21 07:16:33.926548: | Message ID: updating counters for #4 to 4 after switching state Sep 21 07:16:33.926552: | Message ID: recv #4 request 4; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=4 responder.recv=3->4 wip.initiator=-1 wip.responder=4->-1 Sep 21 07:16:33.926557: | Message ID: #4 skipping update_send as nothing to send; initiator.sent=-1 initiator.recv=-1 responder.sent=4 responder.recv=4 wip.initiator=-1 wip.responder=-1 Sep 21 07:16:33.926560: "north-eastnets/0x2" #4: STATE_PARENT_R2: received v2I2, PARENT SA established Sep 21 07:16:33.926565: | stop processing: 
state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:33.926570: | #4 spent 0.48 milliseconds in ikev2_process_packet() Sep 21 07:16:33.926574: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Sep 21 07:16:33.926577: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:33.926580: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:33.926584: | spent 0.494 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:33.926592: | processing resume sending helper answer for #7 Sep 21 07:16:33.926597: | start processing: state #7 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:797) Sep 21 07:16:33.926600: | crypto helper 0 replies to request ID 9 Sep 21 07:16:33.926603: | calling continuation function 0x56219f926630 Sep 21 07:16:33.926606: | ikev2_child_outI_continue for #7 STATE_V2_REKEY_CHILD_I0 Sep 21 07:16:33.926609: | state #7 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:33.926612: | libevent_free: release ptr-libevent@0x7f08b0001100 Sep 21 07:16:33.926615: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5621a13a9cf0 Sep 21 07:16:33.926618: | event_schedule: new EVENT_SA_REPLACE-pe@0x5621a13a9cf0 Sep 21 07:16:33.926621: | inserting event EVENT_SA_REPLACE, timeout in 200 seconds for #7 Sep 21 07:16:33.926624: | libevent_malloc: new ptr-libevent@0x7f08b0001100 size 128 Sep 21 07:16:33.926629: | Message ID: #4 wakeing IKE SA (unack 0); initiator.sent=-1 initiator.recv=-1 responder.sent=4 responder.recv=4 wip.initiator=-1 wip.responder=-1 Sep 21 07:16:33.926632: | scheduling callback v2_msgid_schedule_next_initiator (#4) Sep 21 07:16:33.926634: | libevent_malloc: new ptr-libevent@0x5621a13badf0 size 128 Sep 21 07:16:33.926640: | [RE]START processing: state #7 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) 
Sep 21 07:16:33.926643: | #7 complete_v2_state_transition() V2_REKEY_CHILD_I0->V2_REKEY_CHILD_I with status STF_SUSPEND Sep 21 07:16:33.926646: | suspending state #7 and saving MD Sep 21 07:16:33.926648: | #7 is busy; has a suspended MD Sep 21 07:16:33.926653: | [RE]START processing: state #7 connection "north-eastnets/0x2" from 192.1.2.23:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:33.926656: | "north-eastnets/0x2" #7 complete v2 state STATE_V2_REKEY_CHILD_I0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:33.926660: | resume sending helper answer for #7 suppresed complete_v2_state_transition() Sep 21 07:16:33.926664: | #7 spent 0.0632 milliseconds in resume sending helper answer Sep 21 07:16:33.926669: | stop processing: state #7 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:833) Sep 21 07:16:33.926673: | libevent_free: release ptr-libevent@0x7f08c0011ee0 Sep 21 07:16:33.926676: | processing signal PLUTO_SIGCHLD Sep 21 07:16:33.926681: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:33.926684: | spent 0.00461 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:33.926691: | timer_event_cb: processing event@0x5621a13b6e70 Sep 21 07:16:33.926694: | handling event EVENT_SA_REPLACE for child state #5 Sep 21 07:16:33.926699: | start processing: state #5 connection "north-eastnets/0x1" from 192.1.2.23:500 (in timer_event_cb() at timer.c:250) Sep 21 07:16:33.926702: | picked newest_ipsec_sa #5 for #5 Sep 21 07:16:33.926705: | replacing stale CHILD SA Sep 21 07:16:33.926709: | dup_any(fd@-1) -> fd@-1 (in ipsecdoi_replace() at ipsec_doi.c:351) Sep 21 07:16:33.926712: | FOR_EACH_STATE_... in find_phase1_state Sep 21 07:16:33.926715: | FOR_EACH_STATE_... 
in find_pending_phase2 Sep 21 07:16:33.926719: | creating state object #8 at 0x5621a13be420 Sep 21 07:16:33.926722: | State DB: adding IKEv2 state #8 in UNDEFINED Sep 21 07:16:33.926725: | pstats #8 ikev2.child started Sep 21 07:16:33.926728: | duplicating state object #4 "north-eastnets/0x2" as #8 for IPSEC SA Sep 21 07:16:33.926733: | #8 setting local endpoint to 192.1.3.33:500 from #4.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:16:33.926739: | Message ID: init_child #4.#8; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=4 responder.recv=4; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:33.926742: | in connection_discard for connection north-eastnets/0x2 Sep 21 07:16:33.926747: | suspend processing: state #5 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5634) Sep 21 07:16:33.926752: | start processing: state #8 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5634) Sep 21 07:16:33.926755: | child state #8: UNDEFINED(ignore) => V2_REKEY_CHILD_I0(established IKE SA) Sep 21 07:16:33.926759: | create child proposal's DH changed from no-PFS to MODP2048, flushing Sep 21 07:16:33.926762: | constructing ESP/AH proposals with default DH MODP2048 for north-eastnets/0x1 (ESP/AH initiator emitting proposals) Sep 21 07:16:33.926767: | converting proposal AES_CBC_128-HMAC_SHA2_512_256-MODP3072 to ikev2 ... Sep 21 07:16:33.926773: | ... 
ikev2_proposal: 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Sep 21 07:16:33.926777: "north-eastnets/0x1": constructed local ESP/AH proposals for north-eastnets/0x1 (ESP/AH initiator emitting proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Sep 21 07:16:33.926789: | #8 schedule rekey initiate IPsec SA RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO to replace #5 using IKE# 4 pfs=MODP3072 Sep 21 07:16:33.926795: | event_schedule: new EVENT_v2_INITIATE_CHILD-pe@0x5621a13acfd0 Sep 21 07:16:33.926798: | inserting event EVENT_v2_INITIATE_CHILD, timeout in 0 seconds for #8 Sep 21 07:16:33.926801: | libevent_malloc: new ptr-libevent@0x7f08c0011ee0 size 128 Sep 21 07:16:33.926806: | RESET processing: state #8 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5734) Sep 21 07:16:33.926809: | event_schedule: new EVENT_SA_EXPIRE-pe@0x7f08c4002b20 Sep 21 07:16:33.926813: | inserting event EVENT_SA_EXPIRE, timeout in 0 seconds for #5 Sep 21 07:16:33.926815: | libevent_malloc: new ptr-libevent@0x7f08c8006b50 size 128 Sep 21 07:16:33.926818: | libevent_free: release ptr-libevent@0x5621a13bad60 Sep 21 07:16:33.926821: | free_event_entry: release EVENT_SA_REPLACE-pe@0x5621a13b6e70 Sep 21 07:16:33.926825: | #5 spent 0.128 milliseconds in timer_event_cb() EVENT_SA_REPLACE Sep 21 07:16:33.926828: | processing: STOP state #0 (in timer_event_cb() at timer.c:557) Sep 21 07:16:33.926831: | processing callback v2_msgid_schedule_next_initiator for #4 Sep 21 07:16:33.926836: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in callback_handler() at server.c:904) Sep 21 07:16:33.926844: | Message ID: #4.#7 resuming SA using IKE SA (unack 0); initiator.sent=-1 initiator.recv=-1 responder.sent=4 responder.recv=4 wip.initiator=-1 wip.responder=-1 Sep 21 07:16:33.926849: | suspend processing: state #4 connection 
"north-eastnets/0x2" from 192.1.2.23:500 (in initiate_next() at ikev2_msgid.c:553) Sep 21 07:16:33.926853: | start processing: state #7 connection "north-eastnets/0x2" from 192.1.2.23:500 (in initiate_next() at ikev2_msgid.c:553) Sep 21 07:16:33.926858: | **emit ISAKMP Message: Sep 21 07:16:33.926860: | initiator cookie: Sep 21 07:16:33.926862: | cc 16 75 8d 92 e6 25 81 Sep 21 07:16:33.926865: | responder cookie: Sep 21 07:16:33.926867: | 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.926870: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:33.926872: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:33.926875: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Sep 21 07:16:33.926878: | flags: none (0x0) Sep 21 07:16:33.926880: | Message ID: 0 (0x0) Sep 21 07:16:33.926883: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:33.926886: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:33.926888: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.926891: | flags: none (0x0) Sep 21 07:16:33.926894: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:33.926897: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:16:33.926900: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:33.926915: | netlink_get_spi: allocated 0x86517917 for esp.0@192.1.3.33 Sep 21 07:16:33.926917: | Emitting ikev2_proposals ... 
Sep 21 07:16:33.926920: | ****emit IKEv2 Security Association Payload: Sep 21 07:16:33.926923: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.926925: | flags: none (0x0) Sep 21 07:16:33.926929: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:33.926932: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:33.926935: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:33.926937: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:33.926940: | prop #: 1 (0x1) Sep 21 07:16:33.926942: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:33.926945: | spi size: 4 (0x4) Sep 21 07:16:33.926947: | # transforms: 4 (0x4) Sep 21 07:16:33.926950: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:33.926953: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:16:33.926956: | our spi 86 51 79 17 Sep 21 07:16:33.926958: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:33.926961: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:33.926963: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:33.926966: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:33.926969: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:33.926972: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:33.926974: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:33.926977: | length/value: 128 (0x80) Sep 21 07:16:33.926980: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:16:33.926982: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:33.926985: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 
07:16:33.926987: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:33.926990: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:33.926993: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:33.926997: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:33.927000: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:33.927003: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:33.927005: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:33.927008: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:33.927010: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:33.927013: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:33.927016: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:33.927019: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:33.927021: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:33.927024: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:33.927026: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:33.927029: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:33.927032: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:33.927035: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:33.927037: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:33.927040: | emitting length 
of IKEv2 Proposal Substructure Payload: 48 Sep 21 07:16:33.927043: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:16:33.927045: | emitting length of IKEv2 Security Association Payload: 52 Sep 21 07:16:33.927048: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:33.927051: "north-eastnets/0x2" #7: CHILD SA to rekey #6 vanished abort this exchange Sep 21 07:16:33.927054: | ikev2_child_sa_respond returned STF_INTERNAL_ERROR Sep 21 07:16:33.927059: | [RE]START processing: state #7 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:33.927063: | #7 complete_v2_state_transition() V2_REKEY_CHILD_I0->V2_REKEY_CHILD_I with status STF_INTERNAL_ERROR Sep 21 07:16:33.927138: | state transition function for STATE_V2_REKEY_CHILD_I0 had internal error Sep 21 07:16:33.927145: | stop processing: state #7 connection "north-eastnets/0x2" from 192.1.2.23:500 (in initiate_next() at ikev2_msgid.c:557) Sep 21 07:16:33.927150: | resume processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in initiate_next() at ikev2_msgid.c:557) Sep 21 07:16:33.927155: | #4 spent 0.292 milliseconds in callback v2_msgid_schedule_next_initiator Sep 21 07:16:33.927160: | stop processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in callback_handler() at server.c:908) Sep 21 07:16:33.927163: | libevent_free: release ptr-libevent@0x5621a13badf0 Sep 21 07:16:33.927169: | timer_event_cb: processing event@0x5621a13acfd0 Sep 21 07:16:33.927172: | handling event EVENT_v2_INITIATE_CHILD for child state #8 Sep 21 07:16:33.927177: | start processing: state #8 connection "north-eastnets/0x1" from 192.1.2.23:500 (in timer_event_cb() at timer.c:250) Sep 21 07:16:33.927181: | adding Child Rekey Initiator KE and nonce ni work-order 10 for 
state #8 Sep 21 07:16:33.927184: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5621a13b6e70 Sep 21 07:16:33.927187: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #8 Sep 21 07:16:33.927190: | libevent_malloc: new ptr-libevent@0x5621a13badf0 size 128 Sep 21 07:16:33.927199: | libevent_free: release ptr-libevent@0x7f08c0011ee0 Sep 21 07:16:33.927202: | free_event_entry: release EVENT_v2_INITIATE_CHILD-pe@0x5621a13acfd0 Sep 21 07:16:33.927206: | #8 spent 0.0363 milliseconds in timer_event_cb() EVENT_v2_INITIATE_CHILD Sep 21 07:16:33.927211: | stop processing: state #8 connection "north-eastnets/0x1" from 192.1.2.23:500 (in timer_event_cb() at timer.c:557) Sep 21 07:16:33.927214: | timer_event_cb: processing event@0x7f08c4002b20 Sep 21 07:16:33.927217: | handling event EVENT_SA_EXPIRE for child state #5 Sep 21 07:16:33.927222: | start processing: state #5 connection "north-eastnets/0x1" from 192.1.2.23:500 (in timer_event_cb() at timer.c:250) Sep 21 07:16:33.927225: | picked newest_ipsec_sa #5 for #5 Sep 21 07:16:33.927227: | un-established partial CHILD SA timeout (SA expired) Sep 21 07:16:33.927230: | pstats #5 ikev2.child re-failed exchange-timeout Sep 21 07:16:33.927233: | pstats #5 ikev2.child deleted completed Sep 21 07:16:33.927236: | #5 spent 0.128 milliseconds in total Sep 21 07:16:33.927241: | [RE]START processing: state #5 connection "north-eastnets/0x1" from 192.1.2.23:500 (in delete_state() at state.c:879) Sep 21 07:16:33.927244: "north-eastnets/0x1" #5: deleting state (STATE_V2_IPSEC_R) aged 2.481s and NOT sending notification Sep 21 07:16:33.927247: | child state #5: V2_IPSEC_R(established CHILD SA) => delete Sep 21 07:16:33.927251: | get_sa_info esp.4066dd7c@192.1.2.23 Sep 21 07:16:33.927260: | get_sa_info esp.fff4871b@192.1.3.33 Sep 21 07:16:33.927267: "north-eastnets/0x1" #5: ESP traffic information: in=0B out=0B Sep 21 07:16:33.927271: | child state #5: V2_IPSEC_R(established CHILD SA) => CHILDSA_DEL(informational) Sep 21 
07:16:33.927318: | crypto helper 3 resuming Sep 21 07:16:33.927323: | crypto helper 3 starting work-order 10 for state #8 Sep 21 07:16:33.927326: | crypto helper 3 doing build KE and nonce (Child Rekey Initiator KE and nonce ni); request ID 10 Sep 21 07:16:33.929780: | crypto helper 3 finished build KE and nonce (Child Rekey Initiator KE and nonce ni); request ID 10 time elapsed 0.002452 seconds Sep 21 07:16:33.929795: | (#8) spent 2.45 milliseconds in crypto helper computing work-order 10: Child Rekey Initiator KE and nonce ni (pcr) Sep 21 07:16:33.929798: | crypto helper 3 sending results from work-order 10 for state #8 to event queue Sep 21 07:16:33.929801: | scheduling resume sending helper answer for #8 Sep 21 07:16:33.929805: | libevent_malloc: new ptr-libevent@0x7f08b80097c0 size 128 Sep 21 07:16:33.929810: | crypto helper 3 waiting (nothing to do) Sep 21 07:16:33.930035: | running updown command "ipsec _updown" for verb down Sep 21 07:16:33.930041: | command executing down-client Sep 21 07:16:33.930069: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050191' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' 
PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='n Sep 21 07:16:33.930072: | popen cmd is 1052 chars long Sep 21 07:16:33.930075: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x: Sep 21 07:16:33.930078: | cmd( 80):1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUT: Sep 21 07:16:33.930083: | cmd( 160):O_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' : Sep 21 07:16:33.930086: | cmd( 240):PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLU: Sep 21 07:16:33.930089: | cmd( 320):TO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@: Sep 21 07:16:33.930143: | cmd( 400):east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_P: Sep 21 07:16:33.930147: | cmd( 480):EER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUT: Sep 21 07:16:33.930150: | cmd( 560):O_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050191' PLUTO_CONN_POLICY=': Sep 21 07:16:33.930152: | cmd( 640):RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUT: Sep 21 07:16:33.930155: | cmd( 720):O_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_: Sep 21 07:16:33.930158: | cmd( 800):PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNE: Sep 21 07:16:33.930160: | cmd( 880):R='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE: Sep 21 07:16:33.930163: | cmd( 960):='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x4066dd7c SPI_OUT=0xfff4871b ipsec : Sep 21 07:16:33.930165: | cmd(1040):_updown 2>&1: Sep 21 07:16:33.941591: | shunt_eroute() called for connection 'north-eastnets/0x1' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 192.0.3.0/24:0 --0->- 192.0.2.0/24:0 Sep 21 07:16:33.941606: | netlink_shunt_eroute for proto 0, and source 192.0.3.0/24:0 dest 
192.0.2.0/24:0 Sep 21 07:16:33.941611: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:33.941615: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:33.941667: | delete esp.4066dd7c@192.1.2.23 Sep 21 07:16:33.941705: | netlink response for Del SA esp.4066dd7c@192.1.2.23 included non-error error Sep 21 07:16:33.941710: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:33.941718: | delete inbound eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => unk255.10000@192.1.3.33 (raw_eroute) Sep 21 07:16:33.941765: | raw_eroute result=success Sep 21 07:16:33.941770: | delete esp.fff4871b@192.1.3.33 Sep 21 07:16:33.941805: | netlink response for Del SA esp.fff4871b@192.1.3.33 included non-error error Sep 21 07:16:33.941814: | in connection_discard for connection north-eastnets/0x1 Sep 21 07:16:33.941818: | State DB: deleting IKEv2 state #5 in CHILDSA_DEL Sep 21 07:16:33.941823: | child state #5: CHILDSA_DEL(informational) => UNDEFINED(ignore) Sep 21 07:16:33.941830: | stop processing: state #5 from 192.1.2.23:500 (in delete_state() at state.c:1143) Sep 21 07:16:33.941836: | State DB: found IKEv2 state #8 in V2_REKEY_CHILD_I0 (v2_expire_unused_ike_sa) Sep 21 07:16:33.941839: | can't expire unused IKE SA #4; it has the child #8 Sep 21 07:16:33.941845: | libevent_free: release ptr-libevent@0x7f08c8006b50 Sep 21 07:16:33.941848: | free_event_entry: release EVENT_SA_EXPIRE-pe@0x7f08c4002b20 Sep 21 07:16:33.941851: | in statetime_stop() and could not find #5 Sep 21 07:16:33.941854: | processing: STOP state #0 (in timer_event_cb() at timer.c:557) Sep 21 07:16:33.941873: | spent 0.00248 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:33.941887: | *received 80 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) Sep 21 07:16:33.941890: | df a1 f0 f4 bf 5a d1 b5 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:33.941893: | 2e 20 25 00 00 00 00 00 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.941895: | 3f 83 12 
b9 38 2b dc 5b 02 c6 b9 6b 5a 84 4d a8 Sep 21 07:16:33.941897: | 71 e9 5d e6 a0 4e 5e 64 0a 94 6d d2 71 2a 8e 11 Sep 21 07:16:33.941899: | a0 88 97 74 ef 55 c0 e9 4e 2f 5c 6d 50 2c 21 73 Sep 21 07:16:33.941904: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Sep 21 07:16:33.941908: | **parse ISAKMP Message: Sep 21 07:16:33.941911: | initiator cookie: Sep 21 07:16:33.941913: | df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:33.941919: | responder cookie: Sep 21 07:16:33.941921: | 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:33.941924: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:16:33.941926: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:33.941929: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:16:33.941932: | flags: none (0x0) Sep 21 07:16:33.941934: | Message ID: 0 (0x0) Sep 21 07:16:33.941937: | length: 80 (0x50) Sep 21 07:16:33.941940: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Sep 21 07:16:33.941943: | I am the IKE SA Original Initiator receiving an IKEv2 INFORMATIONAL request Sep 21 07:16:33.941947: | State DB: found IKEv2 state #1 in PARENT_I3 (find_v2_ike_sa) Sep 21 07:16:33.941954: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:16:33.941958: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:16:33.941963: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:16:33.941966: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Sep 21 07:16:33.941971: | Message ID: #1 not a duplicate - message is new; initiator.sent=2 initiator.recv=2 responder.sent=-1 responder.recv=-1 Sep 21 07:16:33.941974: | unpacking clear payload Sep 21 07:16:33.941976: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:16:33.941979: | ***parse IKEv2 Encryption Payload: Sep 21 07:16:33.941982: | 
next payload type: ISAKMP_NEXT_v2D (0x2a) Sep 21 07:16:33.941984: | flags: none (0x0) Sep 21 07:16:33.941986: | length: 52 (0x34) Sep 21 07:16:33.941989: | processing payload: ISAKMP_NEXT_v2SK (len=48) Sep 21 07:16:33.941994: | Message ID: start-responder #1 request 0; ike: initiator.sent=2 initiator.recv=2 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Sep 21 07:16:33.941997: | #1 in state PARENT_I3: PARENT SA established Sep 21 07:16:33.942034: | data for hmac: df a1 f0 f4 bf 5a d1 b5 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:33.942038: | data for hmac: 2e 20 25 00 00 00 00 00 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.942040: | data for hmac: 3f 83 12 b9 38 2b dc 5b 02 c6 b9 6b 5a 84 4d a8 Sep 21 07:16:33.942043: | data for hmac: 71 e9 5d e6 a0 4e 5e 64 0a 94 6d d2 71 2a 8e 11 Sep 21 07:16:33.942045: | calculated auth: a0 88 97 74 ef 55 c0 e9 4e 2f 5c 6d 50 2c 21 73 Sep 21 07:16:33.942048: | provided auth: a0 88 97 74 ef 55 c0 e9 4e 2f 5c 6d 50 2c 21 73 Sep 21 07:16:33.942050: | authenticator matched Sep 21 07:16:33.942061: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Sep 21 07:16:33.942064: | Now let's proceed with payload (ISAKMP_NEXT_v2D) Sep 21 07:16:33.942066: | **parse IKEv2 Delete Payload: Sep 21 07:16:33.942069: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.942072: | flags: none (0x0) Sep 21 07:16:33.942074: | length: 12 (0xc) Sep 21 07:16:33.942076: | protocol ID: PROTO_v2_ESP (0x3) Sep 21 07:16:33.942078: | SPI size: 4 (0x4) Sep 21 07:16:33.942080: | number of SPIs: 1 (0x1) Sep 21 07:16:33.942083: | processing payload: ISAKMP_NEXT_v2D (len=4) Sep 21 07:16:33.942085: | selected state microcode I3: INFORMATIONAL Request Sep 21 07:16:33.942088: | Now let's proceed with state specific processing Sep 21 07:16:33.942090: | calling processor I3: INFORMATIONAL Request Sep 21 07:16:33.942094: | an informational request should send a response Sep 21 07:16:33.942099: | Received an INFORMATIONAL response, updating 
st_last_liveness, no pending_liveness Sep 21 07:16:33.942102: | **emit ISAKMP Message: Sep 21 07:16:33.942105: | initiator cookie: Sep 21 07:16:33.942107: | df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:33.942109: | responder cookie: Sep 21 07:16:33.942111: | 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:33.942113: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:33.942116: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:33.942121: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:16:33.942124: | flags: ISAKMP_FLAG_v2_IKE_INIT+ISAKMP_FLAG_v2_MSG_RESPONSE (0x28) Sep 21 07:16:33.942126: | Message ID: 0 (0x0) Sep 21 07:16:33.942129: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:33.942132: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:33.942135: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.942137: | flags: none (0x0) Sep 21 07:16:33.942140: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:33.942143: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Sep 21 07:16:33.942146: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:33.942155: | parsing 4 raw bytes of IKEv2 Delete Payload into SPI Sep 21 07:16:33.942158: | SPI 54 3d 20 7b Sep 21 07:16:33.942160: | delete PROTO_v2_ESP SA(0x543d207b) Sep 21 07:16:33.942164: | v2 CHILD SA #3 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_I Sep 21 07:16:33.942167: | State DB: found IKEv2 state #3 in V2_IPSEC_I (find_v2_child_sa_by_outbound_spi) Sep 21 07:16:33.942170: | our side SPI that needs to be deleted: PROTO_v2_ESP SA(0x543d207b) Sep 21 07:16:33.942173: "north-eastnets/0x2" #1: received Delete SA payload: delete IPsec State #3 now Sep 21 07:16:33.942176: | pstats #3 ikev2.child deleted completed Sep 21 07:16:33.942180: | #3 
spent 4.17 milliseconds in total Sep 21 07:16:33.942184: | suspend processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:879) Sep 21 07:16:33.942189: | start processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:879) Sep 21 07:16:33.942193: "north-eastnets/0x2" #3: deleting other state #3 (STATE_V2_IPSEC_I) aged 2.509s and NOT sending notification Sep 21 07:16:33.942196: | child state #3: V2_IPSEC_I(established CHILD SA) => delete Sep 21 07:16:33.942200: | get_sa_info esp.543d207b@192.1.2.23 Sep 21 07:16:33.942210: | get_sa_info esp.c8d0fe50@192.1.3.33 Sep 21 07:16:33.942218: "north-eastnets/0x2" #3: ESP traffic information: in=756B out=756B Sep 21 07:16:33.942221: | child state #3: V2_IPSEC_I(established CHILD SA) => CHILDSA_DEL(informational) Sep 21 07:16:33.942224: | state #3 requesting EVENT_SA_REKEY to be deleted Sep 21 07:16:33.942227: | libevent_free: release ptr-libevent@0x5621a132b7d0 Sep 21 07:16:33.942230: | free_event_entry: release EVENT_SA_REKEY-pe@0x5621a13aeaa0 Sep 21 07:16:33.942309: | delete esp.543d207b@192.1.2.23 Sep 21 07:16:33.942338: | netlink response for Del SA esp.543d207b@192.1.2.23 included non-error error Sep 21 07:16:33.942343: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:33.942350: | delete inbound eroute 192.0.22.0/24:0 --0-> 192.0.3.0/24:0 => unk255.10000@192.1.3.33 (raw_eroute) Sep 21 07:16:33.942361: | raw_eroute result=success Sep 21 07:16:33.942365: | delete esp.c8d0fe50@192.1.3.33 Sep 21 07:16:33.942388: | netlink response for Del SA esp.c8d0fe50@192.1.3.33 included non-error error Sep 21 07:16:33.942392: | in connection_discard for connection north-eastnets/0x2 Sep 21 07:16:33.942395: | State DB: deleting IKEv2 state #3 in CHILDSA_DEL Sep 21 07:16:33.942399: | child state #3: CHILDSA_DEL(informational) => UNDEFINED(ignore) Sep 21 07:16:33.942415: | stop processing: state #3 from 192.1.2.23:500 
(in delete_state() at state.c:1143) Sep 21 07:16:33.942421: | resume processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:1143) Sep 21 07:16:33.942428: | ****emit IKEv2 Delete Payload: Sep 21 07:16:33.942431: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.942434: | flags: none (0x0) Sep 21 07:16:33.942436: | protocol ID: PROTO_v2_ESP (0x3) Sep 21 07:16:33.942439: | SPI size: 4 (0x4) Sep 21 07:16:33.942441: | number of SPIs: 1 (0x1) Sep 21 07:16:33.942447: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:16:33.942451: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'information exchange reply packet' Sep 21 07:16:33.942454: | emitting 4 raw bytes of local SPIs into IKEv2 Delete Payload Sep 21 07:16:33.942457: | local SPIs c8 d0 fe 50 Sep 21 07:16:33.942460: | emitting length of IKEv2 Delete Payload: 12 Sep 21 07:16:33.942463: | adding 4 bytes of padding (including 1 byte padding-length) Sep 21 07:16:33.942466: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.942469: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.942472: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.942475: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.942478: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:33.942481: | emitting length of IKEv2 Encryption Payload: 52 Sep 21 07:16:33.942483: | emitting length of ISAKMP Message: 80 Sep 21 07:16:33.942510: | data being hmac: df a1 f0 f4 bf 5a d1 b5 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:33.942514: | data being hmac: 2e 20 25 28 00 00 00 00 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.942517: | data 
being hmac: 8d 2d b6 f3 10 79 82 cb 95 fb 0e 90 84 6d 03 d0 Sep 21 07:16:33.942519: | data being hmac: f2 56 2c 4e a9 fb 20 f9 de bc 94 d8 f9 09 82 36 Sep 21 07:16:33.942521: | out calculated auth: Sep 21 07:16:33.942524: | dc 26 85 01 06 5f 09 a8 57 9a 48 c9 5c d6 bc 9f Sep 21 07:16:33.942532: | sending 80 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #1) Sep 21 07:16:33.942534: | df a1 f0 f4 bf 5a d1 b5 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:33.942537: | 2e 20 25 28 00 00 00 00 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.942539: | 8d 2d b6 f3 10 79 82 cb 95 fb 0e 90 84 6d 03 d0 Sep 21 07:16:33.942541: | f2 56 2c 4e a9 fb 20 f9 de bc 94 d8 f9 09 82 36 Sep 21 07:16:33.942544: | dc 26 85 01 06 5f 09 a8 57 9a 48 c9 5c d6 bc 9f Sep 21 07:16:33.942585: | Message ID: #1 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=2 initiator.recv=2 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=0 Sep 21 07:16:33.942591: | Message ID: sent #1 response 0; ike: initiator.sent=2 initiator.recv=2 responder.sent=-1->0 responder.recv=-1 wip.initiator=-1 wip.responder=0 Sep 21 07:16:33.942598: | #1 spent 0.462 milliseconds in processing: I3: INFORMATIONAL Request in ikev2_process_state_packet() Sep 21 07:16:33.942603: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:33.942608: | #1 complete_v2_state_transition() PARENT_I3->PARENT_I3 with status STF_OK Sep 21 07:16:33.942611: | Message ID: updating counters for #1 to 0 after switching state Sep 21 07:16:33.942615: | Message ID: recv #1 request 0; ike: initiator.sent=2 initiator.recv=2 responder.sent=0 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Sep 21 07:16:33.942620: | Message ID: #1 skipping update_send as nothing to send; initiator.sent=2 
initiator.recv=2 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Sep 21 07:16:33.942623: "north-eastnets/0x2" #1: STATE_PARENT_I3: PARENT SA established Sep 21 07:16:33.942628: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:33.942633: | #1 spent 0.715 milliseconds in ikev2_process_packet() Sep 21 07:16:33.942637: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Sep 21 07:16:33.942640: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:33.942645: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:33.942649: | spent 0.732 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:33.942657: | processing resume sending helper answer for #8 Sep 21 07:16:33.942662: | start processing: state #8 connection "north-eastnets/0x1" from 192.1.2.23:500 (in resume_handler() at server.c:797) Sep 21 07:16:33.942666: | crypto helper 3 replies to request ID 10 Sep 21 07:16:33.942668: | calling continuation function 0x56219f926630 Sep 21 07:16:33.942672: | ikev2_child_outI_continue for #8 STATE_V2_REKEY_CHILD_I0 Sep 21 07:16:33.942675: | state #8 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:33.942678: | libevent_free: release ptr-libevent@0x5621a13badf0 Sep 21 07:16:33.942681: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5621a13b6e70 Sep 21 07:16:33.942684: | event_schedule: new EVENT_SA_REPLACE-pe@0x5621a13b6e70 Sep 21 07:16:33.942688: | inserting event EVENT_SA_REPLACE, timeout in 200 seconds for #8 Sep 21 07:16:33.942691: | libevent_malloc: new ptr-libevent@0x5621a13badf0 size 128 Sep 21 07:16:33.942695: | Message ID: #4 wakeing IKE SA (unack 0); initiator.sent=-1 initiator.recv=-1 responder.sent=4 responder.recv=4 wip.initiator=-1 wip.responder=-1 Sep 21 07:16:33.942698: | scheduling callback v2_msgid_schedule_next_initiator (#4) Sep 21 07:16:33.942701: | 
libevent_malloc: new ptr-libevent@0x5621a132b7d0 size 128 Sep 21 07:16:33.942707: | [RE]START processing: state #8 connection "north-eastnets/0x1" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:33.942710: | #8 complete_v2_state_transition() V2_REKEY_CHILD_I0->V2_REKEY_CHILD_I with status STF_SUSPEND Sep 21 07:16:33.942713: | suspending state #8 and saving MD Sep 21 07:16:33.942715: | #8 is busy; has a suspended MD Sep 21 07:16:33.942720: | [RE]START processing: state #8 connection "north-eastnets/0x1" from 192.1.2.23:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:33.942723: | "north-eastnets/0x1" #8 complete v2 state STATE_V2_REKEY_CHILD_I0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:33.942727: | resume sending helper answer for #8 suppresed complete_v2_state_transition() Sep 21 07:16:33.942731: | #8 spent 0.0649 milliseconds in resume sending helper answer Sep 21 07:16:33.942736: | stop processing: state #8 connection "north-eastnets/0x1" from 192.1.2.23:500 (in resume_handler() at server.c:833) Sep 21 07:16:33.942739: | libevent_free: release ptr-libevent@0x7f08b80097c0 Sep 21 07:16:33.942742: | processing signal PLUTO_SIGCHLD Sep 21 07:16:33.942747: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:33.942751: | spent 0.00552 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:33.942760: | spent 0.00152 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:33.942769: | *received 80 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) Sep 21 07:16:33.942772: | df a1 f0 f4 bf 5a d1 b5 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:33.942774: | 2e 20 25 00 00 00 00 01 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.942777: | ba 58 08 30 2c d1 40 68 ea f3 82 2d 47 17 38 32 Sep 21 07:16:33.942779: | b6 54 d6 47 18 a7 49 f6 b8 6b b6 0d e0 15 5c 5a Sep 21 07:16:33.942781: | e4 fd f6 4d 99 80 29 53 45 b3 a7 6e e1 b9 ba bc Sep 21 07:16:33.942793: | 
start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Sep 21 07:16:33.942799: | **parse ISAKMP Message: Sep 21 07:16:33.942802: | initiator cookie: Sep 21 07:16:33.942804: | df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:33.942806: | responder cookie: Sep 21 07:16:33.942808: | 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:33.942811: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:16:33.942814: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:33.942816: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:16:33.942819: | flags: none (0x0) Sep 21 07:16:33.942821: | Message ID: 1 (0x1) Sep 21 07:16:33.942826: | length: 80 (0x50) Sep 21 07:16:33.942829: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Sep 21 07:16:33.942832: | I am the IKE SA Original Initiator receiving an IKEv2 INFORMATIONAL request Sep 21 07:16:33.942835: | State DB: found IKEv2 state #1 in PARENT_I3 (find_v2_ike_sa) Sep 21 07:16:33.942841: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:16:33.942844: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:16:33.942849: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:16:33.942852: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Sep 21 07:16:33.942856: | Message ID: #1 not a duplicate - message is new; initiator.sent=2 initiator.recv=2 responder.sent=0 responder.recv=0 Sep 21 07:16:33.942859: | unpacking clear payload Sep 21 07:16:33.942861: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:16:33.942864: | ***parse IKEv2 Encryption Payload: Sep 21 07:16:33.942867: | next payload type: ISAKMP_NEXT_v2D (0x2a) Sep 21 07:16:33.942869: | flags: none (0x0) Sep 21 07:16:33.942872: | length: 52 (0x34) Sep 21 07:16:33.942875: | processing payload: ISAKMP_NEXT_v2SK (len=48) Sep 21 
07:16:33.942879: | Message ID: start-responder #1 request 1; ike: initiator.sent=2 initiator.recv=2 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Sep 21 07:16:33.942882: | #1 in state PARENT_I3: PARENT SA established Sep 21 07:16:33.942903: | data for hmac: df a1 f0 f4 bf 5a d1 b5 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:33.942907: | data for hmac: 2e 20 25 00 00 00 00 01 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.942910: | data for hmac: ba 58 08 30 2c d1 40 68 ea f3 82 2d 47 17 38 32 Sep 21 07:16:33.942912: | data for hmac: b6 54 d6 47 18 a7 49 f6 b8 6b b6 0d e0 15 5c 5a Sep 21 07:16:33.942915: | calculated auth: e4 fd f6 4d 99 80 29 53 45 b3 a7 6e e1 b9 ba bc Sep 21 07:16:33.942917: | provided auth: e4 fd f6 4d 99 80 29 53 45 b3 a7 6e e1 b9 ba bc Sep 21 07:16:33.942920: | authenticator matched Sep 21 07:16:33.942928: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Sep 21 07:16:33.942931: | Now let's proceed with payload (ISAKMP_NEXT_v2D) Sep 21 07:16:33.942934: | **parse IKEv2 Delete Payload: Sep 21 07:16:33.942937: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.942940: | flags: none (0x0) Sep 21 07:16:33.942942: | length: 8 (0x8) Sep 21 07:16:33.942944: | protocol ID: PROTO_v2_IKE (0x1) Sep 21 07:16:33.942947: | SPI size: 0 (0x0) Sep 21 07:16:33.942950: | number of SPIs: 0 (0x0) Sep 21 07:16:33.942952: | processing payload: ISAKMP_NEXT_v2D (len=0) Sep 21 07:16:33.942955: | selected state microcode I3: INFORMATIONAL Request Sep 21 07:16:33.942957: | Now let's proceed with state specific processing Sep 21 07:16:33.942959: | calling processor I3: INFORMATIONAL Request Sep 21 07:16:33.942963: | an informational request should send a response Sep 21 07:16:33.942967: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Sep 21 07:16:33.942971: | **emit ISAKMP Message: Sep 21 07:16:33.942974: | initiator cookie: Sep 21 07:16:33.942976: | df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:33.942978: | responder 
cookie: Sep 21 07:16:33.942980: | 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:33.942983: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:33.942986: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:33.942989: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:16:33.942992: | flags: ISAKMP_FLAG_v2_IKE_INIT+ISAKMP_FLAG_v2_MSG_RESPONSE (0x28) Sep 21 07:16:33.942994: | Message ID: 1 (0x1) Sep 21 07:16:33.942997: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:33.943000: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:33.943003: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.943008: | flags: none (0x0) Sep 21 07:16:33.943011: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:33.943014: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Sep 21 07:16:33.943018: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:33.943023: | adding 16 bytes of padding (including 1 byte padding-length) Sep 21 07:16:33.943026: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.943029: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.943031: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.943034: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.943037: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.943040: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.943043: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.943046: | emitting 1 0x07 repeated bytes 
of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.943049: | emitting 1 0x08 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.943052: | emitting 1 0x09 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.943054: | emitting 1 0x0a repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.943057: | emitting 1 0x0b repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.943060: | emitting 1 0x0c repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.943063: | emitting 1 0x0d repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.943065: | emitting 1 0x0e repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.943068: | emitting 1 0x0f repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.943071: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:33.943074: | emitting length of IKEv2 Encryption Payload: 52 Sep 21 07:16:33.943076: | emitting length of ISAKMP Message: 80 Sep 21 07:16:33.943098: | data being hmac: df a1 f0 f4 bf 5a d1 b5 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:33.943101: | data being hmac: 2e 20 25 28 00 00 00 01 00 00 00 50 00 00 00 34 Sep 21 07:16:33.943104: | data being hmac: ec 9b b9 fe de 3c 46 4e dd 0c e3 73 34 88 8e 5f Sep 21 07:16:33.943107: | data being hmac: 9f af e5 d0 98 94 73 9c 36 ed 41 df 9b 42 12 24 Sep 21 07:16:33.943109: | out calculated auth: Sep 21 07:16:33.943112: | e1 6f 9e 0f b5 8c 7d 14 57 3b 2e e2 57 a8 f0 7b Sep 21 07:16:33.943120: | sending 80 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #1) Sep 21 07:16:33.943124: | df a1 f0 f4 bf 5a d1 b5 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:33.943126: | 2e 20 25 28 00 00 00 01 00 00 00 50 00 00 00 34 Sep 21 07:16:33.943129: | ec 
9b b9 fe de 3c 46 4e dd 0c e3 73 34 88 8e 5f Sep 21 07:16:33.943131: | 9f af e5 d0 98 94 73 9c 36 ed 41 df 9b 42 12 24 Sep 21 07:16:33.943133: | e1 6f 9e 0f b5 8c 7d 14 57 3b 2e e2 57 a8 f0 7b Sep 21 07:16:33.943158: | Message ID: #1 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=2 initiator.recv=2 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1 Sep 21 07:16:33.943164: | Message ID: sent #1 response 1; ike: initiator.sent=2 initiator.recv=2 responder.sent=0->1 responder.recv=0 wip.initiator=-1 wip.responder=1 Sep 21 07:16:33.943168: | child state #2: V2_IPSEC_I(established CHILD SA) => CHILDSA_DEL(informational) Sep 21 07:16:33.943173: | pstats #2 ikev2.child deleted completed Sep 21 07:16:33.943176: | #2 spent 1.56 milliseconds in total Sep 21 07:16:33.943181: | suspend processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:879) Sep 21 07:16:33.943186: | start processing: state #2 connection "north-eastnets/0x1" from 192.1.2.23:500 (in delete_state() at state.c:879) Sep 21 07:16:33.943189: "north-eastnets/0x1" #2: deleting other state #2 connection (STATE_CHILDSA_DEL) "north-eastnets/0x1" aged 2.870s and NOT sending notification Sep 21 07:16:33.943192: | child state #2: CHILDSA_DEL(informational) => delete Sep 21 07:16:33.943195: | state #2 requesting EVENT_SA_REKEY to be deleted Sep 21 07:16:33.943198: | libevent_free: release ptr-libevent@0x5621a13acb40 Sep 21 07:16:33.943201: | free_event_entry: release EVENT_SA_REKEY-pe@0x5621a13ada60 Sep 21 07:16:33.943260: | delete esp.ecbd618@192.1.2.23 Sep 21 07:16:33.943289: | netlink response for Del SA esp.ecbd618@192.1.2.23 included non-error error Sep 21 07:16:33.943292: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:33.943299: | delete inbound eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => unk255.10000@192.1.3.33 
(raw_eroute) Sep 21 07:16:33.943307: | raw_eroute result=success Sep 21 07:16:33.943311: | delete esp.2d973bf0@192.1.3.33 Sep 21 07:16:33.943332: | netlink response for Del SA esp.2d973bf0@192.1.3.33 included non-error error Sep 21 07:16:33.943336: | in connection_discard for connection north-eastnets/0x1 Sep 21 07:16:33.943339: | State DB: deleting IKEv2 state #2 in CHILDSA_DEL Sep 21 07:16:33.943342: | child state #2: CHILDSA_DEL(informational) => UNDEFINED(ignore) Sep 21 07:16:33.943347: | stop processing: state #2 from 192.1.2.23:500 (in delete_state() at state.c:1143) Sep 21 07:16:33.943352: | resume processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:1143) Sep 21 07:16:33.943356: | State DB: IKEv2 state not found (delete_my_family) Sep 21 07:16:33.943359: | parent state #1: PARENT_I3(established IKE SA) => IKESA_DEL(established IKE SA) Sep 21 07:16:33.943362: | pstats #1 ikev2.ike deleted completed Sep 21 07:16:33.943366: | #1 spent 14.5 milliseconds in total Sep 21 07:16:33.943370: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:879) Sep 21 07:16:33.943374: "north-eastnets/0x2" #1: deleting state (STATE_IKESA_DEL) aged 2.877s and NOT sending notification Sep 21 07:16:33.943376: | parent state #1: IKESA_DEL(established IKE SA) => delete Sep 21 07:16:33.943422: | state #1 requesting EVENT_SA_REKEY to be deleted Sep 21 07:16:33.943427: | libevent_free: release ptr-libevent@0x5621a13a56e0 Sep 21 07:16:33.943430: | free_event_entry: release EVENT_SA_REKEY-pe@0x5621a13a56a0 Sep 21 07:16:33.943433: | State DB: IKEv2 state not found (flush_incomplete_children) Sep 21 07:16:33.943435: | picked newest_isakmp_sa #4 for #1 Sep 21 07:16:33.943438: | IKE delete_state() for #1 and connection 'north-eastnets/0x2' that is supposed to remain up; not a problem - have newer #4 Sep 21 07:16:33.943442: | in connection_discard for connection north-eastnets/0x2 Sep 
21 07:16:33.943445: | State DB: deleting IKEv2 state #1 in IKESA_DEL Sep 21 07:16:33.943448: | parent state #1: IKESA_DEL(established IKE SA) => UNDEFINED(ignore) Sep 21 07:16:33.943453: | unreference key: 0x5621a13076c0 @east cnt 3-- Sep 21 07:16:33.943466: | stop processing: state #1 from 192.1.2.23:500 (in delete_state() at state.c:1143) Sep 21 07:16:33.943481: | in statetime_stop() and could not find #1 Sep 21 07:16:33.943485: | skip start processing: state #0 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:33.943488: | #0 complete_v2_state_transition() md.from_state=PARENT_I3 md.svm.state[from]=PARENT_I3 UNDEFINED->PARENT_I3 with status STF_OK Sep 21 07:16:33.943491: | STF_OK but no state object remains Sep 21 07:16:33.943494: | processing: STOP state #0 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:33.943501: | in statetime_stop() and could not find #1 Sep 21 07:16:33.943505: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Sep 21 07:16:33.943508: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:33.943511: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:33.943515: | spent 0.73 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:33.943519: | processing callback v2_msgid_schedule_next_initiator for #4 Sep 21 07:16:33.943523: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in callback_handler() at server.c:904) Sep 21 07:16:33.943528: | Message ID: #4.#8 resuming SA using IKE SA (unack 0); initiator.sent=-1 initiator.recv=-1 responder.sent=4 responder.recv=4 wip.initiator=-1 wip.responder=-1 Sep 21 07:16:33.943533: | suspend processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in initiate_next() at ikev2_msgid.c:553) Sep 21 07:16:33.943538: | start processing: state #8 connection "north-eastnets/0x1" from 192.1.2.23:500 (in initiate_next() at ikev2_msgid.c:553) Sep 21 
07:16:33.943543: | **emit ISAKMP Message: Sep 21 07:16:33.943546: | initiator cookie: Sep 21 07:16:33.943549: | cc 16 75 8d 92 e6 25 81 Sep 21 07:16:33.943551: | responder cookie: Sep 21 07:16:33.943553: | 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.943556: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:33.943559: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:33.943562: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Sep 21 07:16:33.943564: | flags: none (0x0) Sep 21 07:16:33.943567: | Message ID: 0 (0x0) Sep 21 07:16:33.943570: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:33.943573: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:33.943575: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.943578: | flags: none (0x0) Sep 21 07:16:33.943581: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:33.943583: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:16:33.943587: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:33.943602: | netlink_get_spi: allocated 0xbd8184de for esp.0@192.1.3.33 Sep 21 07:16:33.943606: | Emitting ikev2_proposals ... 
Sep 21 07:16:33.943608: | ****emit IKEv2 Security Association Payload: Sep 21 07:16:33.943610: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.943613: | flags: none (0x0) Sep 21 07:16:33.943616: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:33.943618: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:33.943622: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:33.943624: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:33.943626: | prop #: 1 (0x1) Sep 21 07:16:33.943629: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:33.943631: | spi size: 4 (0x4) Sep 21 07:16:33.943633: | # transforms: 4 (0x4) Sep 21 07:16:33.943636: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:33.943639: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:16:33.943641: | our spi bd 81 84 de Sep 21 07:16:33.943643: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:33.943645: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:33.943647: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:33.943650: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:33.943653: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:33.943657: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:33.943660: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:33.943662: | length/value: 128 (0x80) Sep 21 07:16:33.943664: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:16:33.943667: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:33.943669: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 
07:16:33.943671: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:33.943673: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:33.943676: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:33.943678: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:33.943680: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:33.943682: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:33.943684: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:33.943686: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:33.943689: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:33.943691: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:33.943693: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:33.943696: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:33.943698: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:33.943700: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:33.943702: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:33.943704: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:33.943706: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:33.943708: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:33.943711: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:33.943713: | emitting length 
of IKEv2 Proposal Substructure Payload: 48 Sep 21 07:16:33.943715: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:16:33.943717: | emitting length of IKEv2 Security Association Payload: 52 Sep 21 07:16:33.943719: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:33.943722: "north-eastnets/0x1" #8: CHILD SA to rekey #5 vanished abort this exchange Sep 21 07:16:33.943725: | ikev2_child_sa_respond returned STF_INTERNAL_ERROR Sep 21 07:16:33.943729: | [RE]START processing: state #8 connection "north-eastnets/0x1" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:33.943732: | #8 complete_v2_state_transition() V2_REKEY_CHILD_I0->V2_REKEY_CHILD_I with status STF_INTERNAL_ERROR Sep 21 07:16:33.943791: | state transition function for STATE_V2_REKEY_CHILD_I0 had internal error Sep 21 07:16:33.943799: | stop processing: state #8 connection "north-eastnets/0x1" from 192.1.2.23:500 (in initiate_next() at ikev2_msgid.c:557) Sep 21 07:16:33.943803: | resume processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in initiate_next() at ikev2_msgid.c:557) Sep 21 07:16:33.943808: | #4 spent 0.273 milliseconds in callback v2_msgid_schedule_next_initiator Sep 21 07:16:33.943812: | stop processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in callback_handler() at server.c:908) Sep 21 07:16:33.943816: | libevent_free: release ptr-libevent@0x5621a132b7d0 Sep 21 07:16:33.943827: | spent 0.00156 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:33.943836: | *received 80 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) Sep 21 07:16:33.943839: | cc 16 75 8d 92 e6 25 81 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.943842: | 2e 20 25 08 00 00 00 05 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.943844: | be fa b9 f3 0c de 
bd 6d bc 8f 88 7c 71 18 c4 81 Sep 21 07:16:33.943846: | 72 6f d8 ed 90 17 77 32 40 49 e5 d3 24 70 7d 3c Sep 21 07:16:33.943849: | d1 cb bc bf a5 4b 90 4e 0e 36 03 f3 7a 55 2d 52 Sep 21 07:16:33.943852: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Sep 21 07:16:33.943855: | **parse ISAKMP Message: Sep 21 07:16:33.943858: | initiator cookie: Sep 21 07:16:33.943860: | cc 16 75 8d 92 e6 25 81 Sep 21 07:16:33.943862: | responder cookie: Sep 21 07:16:33.943864: | 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.943867: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:16:33.943869: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:33.943872: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:16:33.943875: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:33.943877: | Message ID: 5 (0x5) Sep 21 07:16:33.943879: | length: 80 (0x50) Sep 21 07:16:33.943882: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Sep 21 07:16:33.943885: | I am the IKE SA Original Responder receiving an IKEv2 INFORMATIONAL request Sep 21 07:16:33.943889: | State DB: found IKEv2 state #4 in PARENT_R2 (find_v2_ike_sa) Sep 21 07:16:33.943894: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:16:33.943897: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:16:33.943901: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:16:33.943904: | #4 st.st_msgid_lastrecv 4 md.hdr.isa_msgid 00000005 Sep 21 07:16:33.943907: | Message ID: #4 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=4 responder.recv=4 Sep 21 07:16:33.943910: | unpacking clear payload Sep 21 07:16:33.943912: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:16:33.943915: | ***parse IKEv2 Encryption Payload: Sep 21 
07:16:33.943917: | next payload type: ISAKMP_NEXT_v2D (0x2a) Sep 21 07:16:33.943919: | flags: none (0x0) Sep 21 07:16:33.943922: | length: 52 (0x34) Sep 21 07:16:33.943924: | processing payload: ISAKMP_NEXT_v2SK (len=48) Sep 21 07:16:33.943929: | Message ID: start-responder #4 request 5; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=4 responder.recv=4 wip.initiator=-1 wip.responder=-1->5 Sep 21 07:16:33.943932: | #4 in state PARENT_R2: received v2I2, PARENT SA established Sep 21 07:16:33.943955: | data for hmac: cc 16 75 8d 92 e6 25 81 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.943958: | data for hmac: 2e 20 25 08 00 00 00 05 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.943960: | data for hmac: be fa b9 f3 0c de bd 6d bc 8f 88 7c 71 18 c4 81 Sep 21 07:16:33.943963: | data for hmac: 72 6f d8 ed 90 17 77 32 40 49 e5 d3 24 70 7d 3c Sep 21 07:16:33.943965: | calculated auth: d1 cb bc bf a5 4b 90 4e 0e 36 03 f3 7a 55 2d 52 Sep 21 07:16:33.943968: | provided auth: d1 cb bc bf a5 4b 90 4e 0e 36 03 f3 7a 55 2d 52 Sep 21 07:16:33.943970: | authenticator matched Sep 21 07:16:33.943979: | #4 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Sep 21 07:16:33.943982: | Now let's proceed with payload (ISAKMP_NEXT_v2D) Sep 21 07:16:33.943984: | **parse IKEv2 Delete Payload: Sep 21 07:16:33.943987: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.943989: | flags: none (0x0) Sep 21 07:16:33.943992: | length: 8 (0x8) Sep 21 07:16:33.943994: | protocol ID: PROTO_v2_IKE (0x1) Sep 21 07:16:33.943996: | SPI size: 0 (0x0) Sep 21 07:16:33.943999: | number of SPIs: 0 (0x0) Sep 21 07:16:33.944003: | processing payload: ISAKMP_NEXT_v2D (len=0) Sep 21 07:16:33.944006: | selected state microcode R2: process INFORMATIONAL Request Sep 21 07:16:33.944009: | Now let's proceed with state specific processing Sep 21 07:16:33.944011: | calling processor R2: process INFORMATIONAL Request Sep 21 07:16:33.944014: | an informational request should send a response Sep 21 07:16:33.944018: | 
Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Sep 21 07:16:33.944022: | **emit ISAKMP Message: Sep 21 07:16:33.944024: | initiator cookie: Sep 21 07:16:33.944026: | cc 16 75 8d 92 e6 25 81 Sep 21 07:16:33.944029: | responder cookie: Sep 21 07:16:33.944031: | 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.944033: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:33.944036: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:33.944038: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:16:33.944041: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:16:33.944043: | Message ID: 5 (0x5) Sep 21 07:16:33.944046: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:33.944049: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:33.944051: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.944054: | flags: none (0x0) Sep 21 07:16:33.944057: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:33.944060: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Sep 21 07:16:33.944063: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:33.944067: | adding 16 bytes of padding (including 1 byte padding-length) Sep 21 07:16:33.944070: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.944073: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.944076: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.944078: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.944081: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.944084: | emitting 1 
0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.944086: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.944089: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.944092: | emitting 1 0x08 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.944095: | emitting 1 0x09 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.944097: | emitting 1 0x0a repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.944100: | emitting 1 0x0b repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.944103: | emitting 1 0x0c repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.944105: | emitting 1 0x0d repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.944108: | emitting 1 0x0e repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.944111: | emitting 1 0x0f repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.944114: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:33.944116: | emitting length of IKEv2 Encryption Payload: 52 Sep 21 07:16:33.944119: | emitting length of ISAKMP Message: 80 Sep 21 07:16:33.944139: | data being hmac: cc 16 75 8d 92 e6 25 81 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.944142: | data being hmac: 2e 20 25 20 00 00 00 05 00 00 00 50 00 00 00 34 Sep 21 07:16:33.944145: | data being hmac: 93 94 a3 9c 78 3c 65 55 11 a1 d8 eb 8d 29 b8 1a Sep 21 07:16:33.944149: | data being hmac: 59 df bb 12 e6 68 01 af cf e9 63 c6 19 bc 86 49 Sep 21 07:16:33.944151: | out calculated auth: Sep 21 07:16:33.944153: | c4 9a 51 77 01 4c 05 d7 57 db 4d f3 77 43 b5 4a Sep 21 07:16:33.944160: | sending 80 bytes for reply packet for process_encrypted_informational_ikev2 
through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #4) Sep 21 07:16:33.944163: | cc 16 75 8d 92 e6 25 81 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.944165: | 2e 20 25 20 00 00 00 05 00 00 00 50 00 00 00 34 Sep 21 07:16:33.944167: | 93 94 a3 9c 78 3c 65 55 11 a1 d8 eb 8d 29 b8 1a Sep 21 07:16:33.944170: | 59 df bb 12 e6 68 01 af cf e9 63 c6 19 bc 86 49 Sep 21 07:16:33.944172: | c4 9a 51 77 01 4c 05 d7 57 db 4d f3 77 43 b5 4a Sep 21 07:16:33.944197: | Message ID: #4 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=-1 initiator.recv=-1 responder.sent=4 responder.recv=4 wip.initiator=-1 wip.responder=5 Sep 21 07:16:33.944202: | Message ID: sent #4 response 5; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=4->5 responder.recv=4 wip.initiator=-1 wip.responder=5 Sep 21 07:16:33.944206: | child state #8: V2_REKEY_CHILD_I0(established IKE SA) => CHILDSA_DEL(informational) Sep 21 07:16:33.944209: | pstats #8 ikev2.child deleted other Sep 21 07:16:33.944212: | #8 spent 2.55 milliseconds in total Sep 21 07:16:33.944217: | suspend processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:879) Sep 21 07:16:33.944221: | start processing: state #8 connection "north-eastnets/0x1" from 192.1.2.23:500 (in delete_state() at state.c:879) Sep 21 07:16:33.944225: "north-eastnets/0x1" #8: deleting other state #8 connection (STATE_CHILDSA_DEL) "north-eastnets/0x1" aged 0.017s and NOT sending notification Sep 21 07:16:33.944228: | child state #8: CHILDSA_DEL(informational) => delete Sep 21 07:16:33.944231: | state #8 requesting EVENT_SA_REPLACE to be deleted Sep 21 07:16:33.944234: | libevent_free: release ptr-libevent@0x5621a13badf0 Sep 21 07:16:33.944237: | free_event_entry: release EVENT_SA_REPLACE-pe@0x5621a13b6e70 Sep 21 07:16:33.944240: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:33.944247: | 
delete inbound eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => unk255.10000@192.1.3.33 (raw_eroute) Sep 21 07:16:33.944259: | raw_eroute result=success Sep 21 07:16:33.944262: | in connection_discard for connection north-eastnets/0x1 Sep 21 07:16:33.944265: | State DB: deleting IKEv2 state #8 in CHILDSA_DEL Sep 21 07:16:33.944268: | child state #8: CHILDSA_DEL(informational) => UNDEFINED(ignore) Sep 21 07:16:33.944280: | stop processing: state #8 from 192.1.2.23:500 (in delete_state() at state.c:1143) Sep 21 07:16:33.944285: | resume processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:1143) Sep 21 07:16:33.944289: | child state #7: V2_REKEY_CHILD_I0(established IKE SA) => CHILDSA_DEL(informational) Sep 21 07:16:33.944291: | pstats #7 ikev2.child deleted other Sep 21 07:16:33.944294: | #7 spent 2.17 milliseconds in total Sep 21 07:16:33.944299: | suspend processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:879) Sep 21 07:16:33.944303: | start processing: state #7 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:879) Sep 21 07:16:33.944307: "north-eastnets/0x2" #7: deleting other state #7 (STATE_CHILDSA_DEL) aged 0.032s and NOT sending notification Sep 21 07:16:33.944310: | child state #7: CHILDSA_DEL(informational) => delete Sep 21 07:16:33.944312: | state #7 requesting EVENT_SA_REPLACE to be deleted Sep 21 07:16:33.944315: | libevent_free: release ptr-libevent@0x7f08b0001100 Sep 21 07:16:33.944318: | free_event_entry: release EVENT_SA_REPLACE-pe@0x5621a13a9cf0 Sep 21 07:16:33.944321: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:33.944329: | delete inbound eroute 192.0.22.0/24:0 --0-> 192.0.3.0/24:0 => unk255.10000@192.1.3.33 (raw_eroute) Sep 21 07:16:33.944339: | raw_eroute result=success Sep 21 07:16:33.944342: | in connection_discard for connection north-eastnets/0x2 Sep 21 07:16:33.944345: | 
State DB: deleting IKEv2 state #7 in CHILDSA_DEL Sep 21 07:16:33.944348: | child state #7: CHILDSA_DEL(informational) => UNDEFINED(ignore) Sep 21 07:16:33.944358: | stop processing: state #7 from 192.1.2.23:500 (in delete_state() at state.c:1143) Sep 21 07:16:33.944362: | resume processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:1143) Sep 21 07:16:33.944366: | State DB: IKEv2 state not found (delete_my_family) Sep 21 07:16:33.944369: | parent state #4: PARENT_R2(established IKE SA) => IKESA_DEL(established IKE SA) Sep 21 07:16:33.944371: | pstats #4 ikev2.ike deleted completed Sep 21 07:16:33.944375: | #4 spent 10.4 milliseconds in total Sep 21 07:16:33.944379: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:879) Sep 21 07:16:33.944382: "north-eastnets/0x2" #4: deleting state (STATE_IKESA_DEL) aged 2.511s and NOT sending notification Sep 21 07:16:33.944385: | parent state #4: IKESA_DEL(established IKE SA) => delete Sep 21 07:16:33.944440: | state #4 requesting EVENT_SA_REKEY to be deleted Sep 21 07:16:33.944445: | libevent_free: release ptr-libevent@0x5621a13afd70 Sep 21 07:16:33.944449: | free_event_entry: release EVENT_SA_REKEY-pe@0x5621a13adf50 Sep 21 07:16:33.944451: | State DB: IKEv2 state not found (flush_incomplete_children) Sep 21 07:16:33.944454: | picked newest_isakmp_sa #0 for #4 Sep 21 07:16:33.944457: "north-eastnets/0x2" #4: deleting IKE SA for connection 'north-eastnets/0x2' but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS Sep 21 07:16:33.944460: | add revival: connection 'north-eastnets/0x2' added to the list and scheduled for 0 seconds Sep 21 07:16:33.944463: | global one-shot timer EVENT_REVIVE_CONNS scheduled in 0 seconds Sep 21 07:16:33.944466: | in connection_discard for connection north-eastnets/0x2 Sep 21 07:16:33.944469: | State DB: deleting IKEv2 state #4 in IKESA_DEL Sep 21 07:16:33.944472: | parent 
state #4: IKESA_DEL(established IKE SA) => UNDEFINED(ignore) Sep 21 07:16:33.944476: | unreference key: 0x5621a13076c0 @east cnt 2-- Sep 21 07:16:33.944487: | stop processing: state #4 from 192.1.2.23:500 (in delete_state() at state.c:1143) Sep 21 07:16:33.944502: | in statetime_stop() and could not find #4 Sep 21 07:16:33.944506: | skip start processing: state #0 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:33.944509: | #0 complete_v2_state_transition() md.from_state=PARENT_R2 md.svm.state[from]=PARENT_R2 UNDEFINED->PARENT_R2 with status STF_OK Sep 21 07:16:33.944512: | STF_OK but no state object remains Sep 21 07:16:33.944515: | processing: STOP state #0 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:33.944517: | in statetime_stop() and could not find #4 Sep 21 07:16:33.944521: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Sep 21 07:16:33.944524: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:33.944527: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:33.944532: | spent 0.685 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:33.944537: | processing global timer EVENT_REVIVE_CONNS Sep 21 07:16:33.944540: Initiating connection north-eastnets/0x2 which received a Delete/Notify but must remain up per local policy Sep 21 07:16:33.944543: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:33.944547: | start processing: connection "north-eastnets/0x2" (in initiate_a_connection() at initiate.c:186) Sep 21 07:16:33.944550: | connection 'north-eastnets/0x2' +POLICY_UP Sep 21 07:16:33.944553: | dup_any(fd@-1) -> fd@-1 (in initiate_a_connection() at initiate.c:342) Sep 21 07:16:33.944556: | FOR_EACH_STATE_... 
in find_phase1_state Sep 21 07:16:33.944567: | creating state object #9 at 0x5621a13be420 Sep 21 07:16:33.944570: | State DB: adding IKEv2 state #9 in UNDEFINED Sep 21 07:16:33.944576: | pstats #9 ikev2.ike started Sep 21 07:16:33.944580: | Message ID: init #9: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Sep 21 07:16:33.944583: | parent state #9: UNDEFINED(ignore) => PARENT_I0(ignore) Sep 21 07:16:33.944588: | Message ID: init_ike #9; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:33.944593: | suspend processing: connection "north-eastnets/0x2" (in ikev2_parent_outI1() at ikev2_parent.c:535) Sep 21 07:16:33.944598: | start processing: state #9 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_parent_outI1() at ikev2_parent.c:535) Sep 21 07:16:33.944601: | dup_any(fd@-1) -> fd@-1 (in ikev2_parent_outI1() at ikev2_parent.c:551) Sep 21 07:16:33.944605: | Queuing pending IPsec SA negotiating with 192.1.2.23 "north-eastnets/0x2" IKE SA #9 "north-eastnets/0x2" Sep 21 07:16:33.944609: "north-eastnets/0x2" #9: initiating v2 parent SA Sep 21 07:16:33.944615: | using existing local IKE proposals for connection north-eastnets/0x2 (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Sep 21 07:16:33.944619: | adding ikev2_outI1 KE work-order 11 for state #9 Sep 21 07:16:33.944622: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5621a13ada60 Sep 21 07:16:33.944625: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #9 Sep 21 07:16:33.944628: | libevent_malloc: new ptr-libevent@0x5621a13a56e0 size 128 Sep 21 07:16:33.944638: | #9 spent 0.0907 milliseconds in ikev2_parent_outI1() Sep 21 07:16:33.944643: | RESET processing: state #9 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_parent_outI1() at ikev2_parent.c:610) Sep 21 07:16:33.944646: | RESET processing: 
connection "north-eastnets/0x2" (in ikev2_parent_outI1() at ikev2_parent.c:610) Sep 21 07:16:33.944649: | processing: STOP connection NULL (in initiate_a_connection() at initiate.c:349) Sep 21 07:16:33.944653: | spent 0.112 milliseconds in global timer EVENT_REVIVE_CONNS Sep 21 07:16:33.944661: | crypto helper 2 resuming Sep 21 07:16:33.944665: | crypto helper 2 starting work-order 11 for state #9 Sep 21 07:16:33.944669: | crypto helper 2 doing build KE and nonce (ikev2_outI1 KE); request ID 11 Sep 21 07:16:33.945547: | crypto helper 2 finished build KE and nonce (ikev2_outI1 KE); request ID 11 time elapsed 0.000876 seconds Sep 21 07:16:33.945560: | (#9) spent 0.887 milliseconds in crypto helper computing work-order 11: ikev2_outI1 KE (pcr) Sep 21 07:16:33.945565: | crypto helper 2 sending results from work-order 11 for state #9 to event queue Sep 21 07:16:33.945568: | scheduling resume sending helper answer for #9 Sep 21 07:16:33.945571: | libevent_malloc: new ptr-libevent@0x7f08c4001710 size 128 Sep 21 07:16:33.945580: | crypto helper 2 waiting (nothing to do) Sep 21 07:16:33.945591: | processing resume sending helper answer for #9 Sep 21 07:16:33.945598: | start processing: state #9 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:797) Sep 21 07:16:33.945602: | crypto helper 2 replies to request ID 11 Sep 21 07:16:33.945605: | calling continuation function 0x56219f926630 Sep 21 07:16:33.945607: | ikev2_parent_outI1_continue for #9 Sep 21 07:16:33.945612: | **emit ISAKMP Message: Sep 21 07:16:33.945615: | initiator cookie: Sep 21 07:16:33.945618: | 35 69 b2 2c 00 16 b2 61 Sep 21 07:16:33.945620: | responder cookie: Sep 21 07:16:33.945622: | 00 00 00 00 00 00 00 00 Sep 21 07:16:33.945625: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:33.945628: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:33.945630: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:16:33.945633: | flags: 
ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:33.945635: | Message ID: 0 (0x0) Sep 21 07:16:33.945638: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:33.945647: | using existing local IKE proposals for connection north-eastnets/0x2 (IKE SA initiator emitting local proposals): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Sep 21 07:16:33.945651: | Emitting ikev2_proposals ... Sep 21 07:16:33.945653: | ***emit IKEv2 Security Association Payload: Sep 21 07:16:33.945656: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.945659: | flags: none (0x0) Sep 21 07:16:33.945662: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:33.945665: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:33.945668: | ****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:33.945671: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:33.945673: | prop #: 1 (0x1) Sep 21 07:16:33.945676: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:16:33.945678: | spi size: 0 (0x0) Sep 21 07:16:33.945680: | # transforms: 4 (0x4) Sep 21 07:16:33.945683: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:33.945686: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:33.945689: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:33.945691: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:33.945694: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:33.945696: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:33.945700: | ******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:33.945702: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 
21 07:16:33.945705: | length/value: 256 (0x100) Sep 21 07:16:33.945708: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:16:33.945710: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:33.945713: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:33.945716: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:33.945718: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:16:33.945721: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:33.945724: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:33.945727: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:33.945730: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:33.945732: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:33.945734: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:33.945737: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:16:33.945740: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:33.945743: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:33.945745: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:33.945747: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:33.945750: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:33.945752: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:33.945755: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:33.945758: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST 
(0x3) Sep 21 07:16:33.945761: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:33.945765: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:33.945767: | emitting length of IKEv2 Proposal Substructure Payload: 44 Sep 21 07:16:33.945770: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:16:33.945773: | emitting length of IKEv2 Security Association Payload: 48 Sep 21 07:16:33.945775: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:33.945778: | ***emit IKEv2 Key Exchange Payload: Sep 21 07:16:33.945781: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.945819: | flags: none (0x0) Sep 21 07:16:33.945825: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:33.945829: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 07:16:33.945832: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:16:33.945836: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
Sep 21 07:16:33.945875: | emitting length of IKEv2 Key Exchange Payload: 264 Sep 21 07:16:33.945878: | ***emit IKEv2 Nonce Payload: Sep 21 07:16:33.945880: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:33.945883: | flags: none (0x0) Sep 21 07:16:33.945886: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Sep 21 07:16:33.945889: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:16:33.945892: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:16:33.945895: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:16:33.945897: | IKEv2 nonce ca 4b ca bc c2 fe 07 d9 bb 95 30 10 3a 44 cf 0e Sep 21 07:16:33.945900: | IKEv2 nonce 59 65 59 e8 2d 1f 4c e2 06 25 24 1d b7 79 c9 8d Sep 21 07:16:33.945902: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:16:33.945905: | Adding a v2N Payload Sep 21 07:16:33.945907: | ***emit IKEv2 Notify Payload: Sep 21 07:16:33.945910: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.945912: | flags: none (0x0) Sep 21 07:16:33.945915: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:33.945917:
| SPI size: 0 (0x0) Sep 21 07:16:33.945920: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:16:33.945925: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:33.945927: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:33.945930: | emitting length of IKEv2 Notify Payload: 8 Sep 21 07:16:33.945934: | NAT-Traversal support [enabled] add v2N payloads. Sep 21 07:16:33.945936: | natd_hash: rcookie is zero Sep 21 07:16:33.945948: | natd_hash: hasher=0x56219f9fc7a0(20) Sep 21 07:16:33.945951: | natd_hash: icookie= 35 69 b2 2c 00 16 b2 61 Sep 21 07:16:33.945953: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:16:33.945955: | natd_hash: ip= c0 01 03 21 Sep 21 07:16:33.945958: | natd_hash: port= 01 f4 Sep 21 07:16:33.945961: | natd_hash: hash= 1b e9 69 61 f1 75 6e d9 d4 cd 88 71 93 cf bd 24 Sep 21 07:16:33.945963: | natd_hash: hash= 6f cf 90 0b Sep 21 07:16:33.945965: | Adding a v2N Payload Sep 21 07:16:33.945968: | ***emit IKEv2 Notify Payload: Sep 21 07:16:33.945970: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.945973: | flags: none (0x0) Sep 21 07:16:33.945976: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:33.945978: | SPI size: 0 (0x0) Sep 21 07:16:33.945981: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:16:33.945984: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:33.945987: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:33.945990: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:16:33.945993: | Notify data 1b e9 69 61 f1 75 6e d9 d4 cd 88 71 93 cf bd 24 Sep 21 07:16:33.945995: | Notify data 6f cf 90 0b Sep 21 07:16:33.945998: | emitting length of 
IKEv2 Notify Payload: 28 Sep 21 07:16:33.946001: | natd_hash: rcookie is zero Sep 21 07:16:33.946007: | natd_hash: hasher=0x56219f9fc7a0(20) Sep 21 07:16:33.946010: | natd_hash: icookie= 35 69 b2 2c 00 16 b2 61 Sep 21 07:16:33.946013: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:16:33.946015: | natd_hash: ip= c0 01 02 17 Sep 21 07:16:33.946017: | natd_hash: port= 01 f4 Sep 21 07:16:33.946020: | natd_hash: hash= e6 a5 9e 81 ac f2 3a 45 f4 c8 c8 2e 3c 75 d5 af Sep 21 07:16:33.946022: | natd_hash: hash= 7e 59 0f c8 Sep 21 07:16:33.946024: | Adding a v2N Payload Sep 21 07:16:33.946027: | ***emit IKEv2 Notify Payload: Sep 21 07:16:33.946029: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.946032: | flags: none (0x0) Sep 21 07:16:33.946034: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:33.946037: | SPI size: 0 (0x0) Sep 21 07:16:33.946039: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:16:33.946043: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:33.946046: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:33.946049: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:16:33.946051: | Notify data e6 a5 9e 81 ac f2 3a 45 f4 c8 c8 2e 3c 75 d5 af Sep 21 07:16:33.946053: | Notify data 7e 59 0f c8 Sep 21 07:16:33.946056: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:16:33.946059: | emitting length of ISAKMP Message: 440 Sep 21 07:16:33.946065: | stop processing: state #9 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_parent_outI1_common() at ikev2_parent.c:817) Sep 21 07:16:33.946071: | start processing: state #9 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:33.946075: | #9 complete_v2_state_transition() PARENT_I0->PARENT_I1 with status STF_OK 
Sep 21 07:16:33.946077: | IKEv2: transition from state STATE_PARENT_I0 to state STATE_PARENT_I1 Sep 21 07:16:33.946080: | parent state #9: PARENT_I0(ignore) => PARENT_I1(half-open IKE SA) Sep 21 07:16:33.946085: | Message ID: updating counters for #9 to 4294967295 after switching state Sep 21 07:16:33.946088: | Message ID: IKE #9 skipping update_recv as MD is fake Sep 21 07:16:33.946093: | Message ID: sent #9 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1->0 wip.responder=-1 Sep 21 07:16:33.946097: "north-eastnets/0x2" #9: STATE_PARENT_I1: sent v2I1, expected v2R1 Sep 21 07:16:33.946102: | sending V2 reply packet to 192.1.2.23:500 (from 192.1.3.33:500) Sep 21 07:16:33.946108: | sending 440 bytes for STATE_PARENT_I0 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #9)
Sep 21 07:16:33.946202: | state #9 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:33.946207: | libevent_free: release ptr-libevent@0x5621a13a56e0 Sep 21 07:16:33.946210: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5621a13ada60 Sep 21 07:16:33.946212: | success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=500ms Sep 21 07:16:33.946216: | event_schedule: new EVENT_RETRANSMIT-pe@0x5621a13ada60 Sep 21 07:16:33.946220: | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #9 Sep 21 07:16:33.946223: | libevent_malloc: new ptr-libevent@0x5621a13a56e0 size 128 Sep 21 07:16:33.946228: | #9 STATE_PARENT_I1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 48840.31448 Sep 21 07:16:33.946231: | resume sending helper answer for #9 suppresed complete_v2_state_transition() and stole MD Sep 21 07:16:33.946237: | #9 spent 0.594 milliseconds in resume sending helper answer Sep 21 07:16:33.946242: | stop processing: state #9 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at
server.c:833) Sep 21 07:16:33.946245: | libevent_free: release ptr-libevent@0x7f08c4001710 Sep 21 07:16:33.952868: | kernel_process_msg_cb process netlink message Sep 21 07:16:33.952891: | netlink_get: XFRM_MSG_ACQUIRE message Sep 21 07:16:33.952895: | xfrm netlink msg len 376 Sep 21 07:16:33.952898: | xfrm acquire rtattribute type 5 Sep 21 07:16:33.952900: | xfrm acquire rtattribute type 16 Sep 21 07:16:33.952914: | add bare shunt 0x5621a13c0e20 192.0.3.254/32:0 --1--> 192.0.22.251/32:0 => %hold 0 %acquire-netlink Sep 21 07:16:33.952921: initiate on demand from 192.0.3.254:0 to 192.0.22.251:0 proto=1 because: acquire Sep 21 07:16:33.952928: | find_connection: looking for policy for connection: 192.0.3.254:1/0 -> 192.0.22.251:1/0 Sep 21 07:16:33.952931: | FOR_EACH_CONNECTION_... in find_connection_for_clients Sep 21 07:16:33.952937: | find_connection: conn "north-eastnets/0x2" has compatible peers: 192.0.3.0/24:0 -> 192.0.22.0/24:0 [pri: 25214988] Sep 21 07:16:33.952940: | find_connection: first OK "north-eastnets/0x2" [pri:25214988]{0x5621a13a5930} (child none) Sep 21 07:16:33.952944: | find_connection: concluding with "north-eastnets/0x2" [pri:25214988]{0x5621a13a5930} kind=CK_PERMANENT Sep 21 07:16:33.952947: | assign hold, routing was prospective erouted, needs to be erouted HOLD Sep 21 07:16:33.952950: | assign_holdpass() need broad(er) shunt Sep 21 07:16:33.952953: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:33.952959: | eroute_connection replace %trap with broad %pass or %hold eroute 192.0.3.0/24:0 --0-> 192.0.22.0/24:0 => %hold>%hold (raw_eroute) Sep 21 07:16:33.952962: | netlink_raw_eroute: SPI_HOLD implemented as no-op Sep 21 07:16:33.952965: | raw_eroute result=success Sep 21 07:16:33.952967: | assign_holdpass() eroute_connection() done Sep 21 07:16:33.952970: | fiddle_bare_shunt called Sep 21 07:16:33.952972: | fiddle_bare_shunt with transport_proto 1 Sep 21 07:16:33.952975: | removing specific host-to-host bare 
shunt Sep 21 07:16:33.952980: | delete narrow %hold eroute 192.0.3.254/32:0 --1-> 192.0.22.251/32:0 => %hold (raw_eroute) Sep 21 07:16:33.952983: | netlink_raw_eroute: SPI_PASS Sep 21 07:16:33.952998: | raw_eroute result=success Sep 21 07:16:33.953002: | raw_eroute with op='delete' for transport_proto='1' kernel shunt succeeded, bare shunt lookup succeeded Sep 21 07:16:33.953008: | delete bare shunt 0x5621a13c0e20 192.0.3.254/32:0 --1--> 192.0.22.251/32:0 => %hold 0 %acquire-netlink Sep 21 07:16:33.953011: assign_holdpass() delete_bare_shunt() failed Sep 21 07:16:33.953013: initiate_ondemand_body() failed to install negotiation_shunt, Sep 21 07:16:33.953016: | FOR_EACH_STATE_... in find_phase1_state Sep 21 07:16:33.953022: | Ignored already queued up pending IPsec SA negotiation with 192.1.2.23 "north-eastnets/0x2" Sep 21 07:16:33.953027: | initiate on demand using RSASIG from 192.0.3.254 to 192.0.22.251 Sep 21 07:16:33.953035: | spent 0.144 milliseconds in kernel message Sep 21 07:16:33.953900: | kernel_process_msg_cb process netlink message Sep 21 07:16:33.953914: | netlink_get: XFRM_MSG_ACQUIRE message Sep 21 07:16:33.953917: | xfrm netlink msg len 376 Sep 21 07:16:33.953920: | xfrm acquire rtattribute type 5 Sep 21 07:16:33.953922: | xfrm acquire rtattribute type 16 Sep 21 07:16:33.953931: | add bare shunt 0x5621a13c0e20 192.0.3.254/32:8 --1--> 192.0.2.251/32:0 => %hold 0 %acquire-netlink Sep 21 07:16:33.953937: initiate on demand from 192.0.3.254:8 to 192.0.2.251:0 proto=1 because: acquire Sep 21 07:16:33.953943: | find_connection: looking for policy for connection: 192.0.3.254:1/8 -> 192.0.2.251:1/0 Sep 21 07:16:33.953946: | FOR_EACH_CONNECTION_... 
in find_connection_for_clients Sep 21 07:16:33.953952: | find_connection: conn "north-eastnets/0x1" has compatible peers: 192.0.3.0/24:0 -> 192.0.2.0/24:0 [pri: 25214986] Sep 21 07:16:33.953956: | find_connection: first OK "north-eastnets/0x1" [pri:25214986]{0x5621a13a48e0} (child none) Sep 21 07:16:33.953959: | find_connection: concluding with "north-eastnets/0x1" [pri:25214986]{0x5621a13a48e0} kind=CK_PERMANENT Sep 21 07:16:33.953962: | assign hold, routing was prospective erouted, needs to be erouted HOLD Sep 21 07:16:33.953967: | assign_holdpass() need broad(er) shunt Sep 21 07:16:33.953970: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:33.953977: | eroute_connection replace %trap with broad %pass or %hold eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => %hold>%hold (raw_eroute) Sep 21 07:16:33.953979: | netlink_raw_eroute: SPI_HOLD implemented as no-op Sep 21 07:16:33.953982: | raw_eroute result=success Sep 21 07:16:33.953984: | assign_holdpass() eroute_connection() done Sep 21 07:16:33.953987: | fiddle_bare_shunt called Sep 21 07:16:33.953989: | fiddle_bare_shunt with transport_proto 1 Sep 21 07:16:33.953991: | removing specific host-to-host bare shunt Sep 21 07:16:33.953997: | delete narrow %hold eroute 192.0.3.254/32:8 --1-> 192.0.2.251/32:0 => %hold (raw_eroute) Sep 21 07:16:33.953999: | netlink_raw_eroute: SPI_PASS Sep 21 07:16:33.954007: | raw_eroute result=success Sep 21 07:16:33.954011: | raw_eroute with op='delete' for transport_proto='1' kernel shunt succeeded, bare shunt lookup succeeded Sep 21 07:16:33.954017: | delete bare shunt 0x5621a13c0e20 192.0.3.254/32:8 --1--> 192.0.2.251/32:0 => %hold 0 %acquire-netlink Sep 21 07:16:33.954019: assign_holdpass() delete_bare_shunt() failed Sep 21 07:16:33.954021: initiate_ondemand_body() failed to install negotiation_shunt, Sep 21 07:16:33.954024: | FOR_EACH_STATE_... 
in find_phase1_state Sep 21 07:16:33.954029: | Queuing pending IPsec SA negotiating with 192.1.2.23 "north-eastnets/0x1" IKE SA #9 "north-eastnets/0x2" Sep 21 07:16:33.954122: | initiate on demand using RSASIG from 192.0.3.254 to 192.0.2.251 Sep 21 07:16:33.954133: | spent 0.135 milliseconds in kernel message Sep 21 07:16:34.016842: | kernel_process_msg_cb process netlink message Sep 21 07:16:34.016857: | netlink_get: XFRM_MSG_ACQUIRE message Sep 21 07:16:34.016860: | xfrm netlink msg len 376 Sep 21 07:16:34.016863: | xfrm acquire rtattribute type 5 Sep 21 07:16:34.016865: | xfrm acquire rtattribute type 16 Sep 21 07:16:34.016874: | add bare shunt 0x5621a13c0e20 192.0.3.254/32:8 --1--> 192.0.22.254/32:0 => %hold 0 %acquire-netlink Sep 21 07:16:34.016878: initiate on demand from 192.0.3.254:8 to 192.0.22.254:0 proto=1 because: acquire Sep 21 07:16:34.016882: | find_connection: looking for policy for connection: 192.0.3.254:1/8 -> 192.0.22.254:1/0 Sep 21 07:16:34.016884: | FOR_EACH_CONNECTION_... 
in find_connection_for_clients Sep 21 07:16:34.016888: | find_connection: conn "north-eastnets/0x2" has compatible peers: 192.0.3.0/24:0 -> 192.0.22.0/24:0 [pri: 25214986] Sep 21 07:16:34.016890: | find_connection: first OK "north-eastnets/0x2" [pri:25214986]{0x5621a13a5930} (child none) Sep 21 07:16:34.016892: | find_connection: concluding with "north-eastnets/0x2" [pri:25214986]{0x5621a13a5930} kind=CK_PERMANENT Sep 21 07:16:34.016894: | assign hold, routing was prospective erouted, needs to be erouted HOLD Sep 21 07:16:34.016896: | assign_holdpass() need broad(er) shunt Sep 21 07:16:34.016897: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:34.016901: | eroute_connection replace %trap with broad %pass or %hold eroute 192.0.3.0/24:0 --0-> 192.0.22.0/24:0 => %hold>%hold (raw_eroute) Sep 21 07:16:34.016903: | netlink_raw_eroute: SPI_HOLD implemented as no-op Sep 21 07:16:34.016905: | raw_eroute result=success Sep 21 07:16:34.016906: | assign_holdpass() eroute_connection() done Sep 21 07:16:34.016908: | fiddle_bare_shunt called Sep 21 07:16:34.016910: | fiddle_bare_shunt with transport_proto 1 Sep 21 07:16:34.016911: | removing specific host-to-host bare shunt Sep 21 07:16:34.016914: | delete narrow %hold eroute 192.0.3.254/32:8 --1-> 192.0.22.254/32:0 => %hold (raw_eroute) Sep 21 07:16:34.016916: | netlink_raw_eroute: SPI_PASS Sep 21 07:16:34.016924: | raw_eroute result=success Sep 21 07:16:34.016926: | raw_eroute with op='delete' for transport_proto='1' kernel shunt succeeded, bare shunt lookup succeeded Sep 21 07:16:34.016930: | delete bare shunt 0x5621a13c0e20 192.0.3.254/32:8 --1--> 192.0.22.254/32:0 => %hold 0 %acquire-netlink Sep 21 07:16:34.016933: assign_holdpass() delete_bare_shunt() failed Sep 21 07:16:34.016935: initiate_ondemand_body() failed to install negotiation_shunt, Sep 21 07:16:34.016937: | FOR_EACH_STATE_... 
in find_phase1_state Sep 21 07:16:34.016941: | Ignored already queued up pending IPsec SA negotiation with 192.1.2.23 "north-eastnets/0x2" Sep 21 07:16:34.016943: | initiate on demand using RSASIG from 192.0.3.254 to 192.0.22.254 Sep 21 07:16:34.016948: | spent 0.0935 milliseconds in kernel message Sep 21 07:16:34.390272: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:34.390296: shutting down Sep 21 07:16:34.390305: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Sep 21 07:16:34.390309: | pluto_sd: executing action action: stopping(6), status 0 Sep 21 07:16:34.390315: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:16:34.390317: forgetting secrets Sep 21 07:16:34.390323: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:16:34.390327: | unreference key: 0x5621a13076c0 @east cnt 1-- Sep 21 07:16:34.390331: | unreference key: 0x5621a12fe8f0 @north cnt 1-- Sep 21 07:16:34.390336: | start processing: connection "north-eastnets/0x2" (in delete_connection() at connections.c:189) Sep 21 07:16:34.390340: | removing pending policy for no connection {0x5621a132ea30} Sep 21 07:16:34.390343: | Deleting states for connection - including all other IPsec SA's of this IKE SA Sep 21 07:16:34.390346: | pass 0 Sep 21 07:16:34.390348: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Sep 21 07:16:34.390351: | state #9 Sep 21 07:16:34.390355: | suspend processing: connection "north-eastnets/0x2" (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:16:34.390361: | start processing: state #9 connection "north-eastnets/0x2" from 192.1.2.23:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:16:34.390364: | pstats #9 ikev2.ike deleted other Sep 21 07:16:34.390369: | #9 spent 1.57 milliseconds in total Sep 21 07:16:34.390375: | [RE]START processing: state #9 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:879) Sep 21 07:16:34.390379: "north-eastnets/0x2" #9: deleting state (STATE_PARENT_I1) aged 0.445s and NOT sending notification Sep 21 07:16:34.390382: | parent state #9: PARENT_I1(half-open IKE SA) => delete Sep 21 07:16:34.390385: | state #9 requesting EVENT_RETRANSMIT to be deleted Sep 21 07:16:34.390388: | #9 STATE_PARENT_I1: retransmits: cleared Sep 21 07:16:34.390393: | libevent_free: release ptr-libevent@0x5621a13a56e0 Sep 21 07:16:34.390397: | free_event_entry: release EVENT_RETRANSMIT-pe@0x5621a13ada60 Sep 21 07:16:34.390400: | in connection_discard for connection north-eastnets/0x1 Sep 21 07:16:34.390403: | removing pending policy for "north-eastnets/0x1" {0x5621a1302e10} Sep 21 07:16:34.390406: | State DB: IKEv2 state not found (flush_incomplete_children) Sep 21 07:16:34.390410: | picked newest_isakmp_sa #0 for #9 Sep 21 07:16:34.390413: "north-eastnets/0x2" #9: deleting IKE SA for connection 'north-eastnets/0x2' but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS Sep 21 07:16:34.390416: | add revival: connection 'north-eastnets/0x2' added to the list and scheduled for 5 seconds Sep 21 07:16:34.390420: | global one-shot timer EVENT_REVIVE_CONNS scheduled in 5 seconds Sep 21 07:16:34.390426: | stop processing: connection "north-eastnets/0x2" (BACKGROUND) (in update_state_connection() at 
connections.c:4037) Sep 21 07:16:34.390430: | start processing: connection NULL (in update_state_connection() at connections.c:4038) Sep 21 07:16:34.390432: | in connection_discard for connection north-eastnets/0x2 Sep 21 07:16:34.390435: | State DB: deleting IKEv2 state #9 in PARENT_I1 Sep 21 07:16:34.390439: | parent state #9: PARENT_I1(half-open IKE SA) => UNDEFINED(ignore) Sep 21 07:16:34.390461: | stop processing: state #9 from 192.1.2.23:500 (in delete_state() at state.c:1143) Sep 21 07:16:34.390467: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:16:34.390475: | pass 1 Sep 21 07:16:34.390477: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:16:34.390484: | shunt_eroute() called for connection 'north-eastnets/0x2' to 'delete' for rt_kind 'unrouted' using protoports 192.0.3.0/24:0 --0->- 192.0.22.0/24:0 Sep 21 07:16:34.390490: | netlink_shunt_eroute for proto 0, and source 192.0.3.0/24:0 dest 192.0.22.0/24:0 Sep 21 07:16:34.390494: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:34.390688: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:34.390706: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:16:34.390710: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:34.390713: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:34.390716: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:34.390719: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:34.390723: | route owner of "north-eastnets/0x2" unrouted: NULL Sep 21 07:16:34.390726: | running updown command "ipsec _updown" for verb unroute Sep 21 07:16:34.390729: | command executing unroute-client Sep 21 07:16:34.390757: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='n Sep 21 07:16:34.390761: | popen cmd is 1035 chars long Sep 21 07:16:34.390765: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets: Sep 21 07:16:34.390767: | cmd( 80):/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' P: Sep 21 07:16:34.390770: | cmd( 160):LUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' 
PLUTO_MY_CLIENT_NET='192.0.3.: Sep 21 07:16:34.390772: | cmd( 240):0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' : Sep 21 07:16:34.390775: | cmd( 320):PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.23' PLUTO_PEER_I: Sep 21 07:16:34.390777: | cmd( 400):D='@east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' P: Sep 21 07:16:34.390780: | cmd( 480):LUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0: Sep 21 07:16:34.390782: | cmd( 560):' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSA: Sep 21 07:16:34.390795: | cmd( 640):SIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_C: Sep 21 07:16:34.390797: | cmd( 720):ONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEE: Sep 21 07:16:34.390800: | cmd( 800):R_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER=': Sep 21 07:16:34.390802: | cmd( 880):' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='': Sep 21 07:16:34.390805: | cmd( 960): VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Sep 21 07:16:34.405622: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.405636: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.405641: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.405654: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.405665: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.405677: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.405690: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.405704: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.405716: unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:16:34.405727: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.405739: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.405751: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.405765: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.405778: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.405842: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.405848: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.405850: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.405852: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.405856: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.405858: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.405869: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.406259: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.406266: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.406279: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.412981: | flush revival: connection 'north-eastnets/0x2' revival flushed Sep 21 07:16:34.412996: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Sep 21 07:16:34.413002: | start processing: connection "north-eastnets/0x1" (in delete_connection() at connections.c:189) Sep 21 07:16:34.413004: | Deleting states for connection - including all other IPsec SA's of this IKE SA Sep 21 07:16:34.413006: | pass 0 Sep 21 07:16:34.413008: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:16:34.413009: | pass 1 Sep 21 07:16:34.413011: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Sep 21 07:16:34.413016: | shunt_eroute() called for connection 'north-eastnets/0x1' to 'delete' for rt_kind 'unrouted' using protoports 192.0.3.0/24:0 --0->- 192.0.2.0/24:0 Sep 21 07:16:34.413020: | netlink_shunt_eroute for proto 0, and source 192.0.3.0/24:0 dest 192.0.2.0/24:0 Sep 21 07:16:34.413022: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:34.413059: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:34.413073: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:16:34.413079: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:34.413082: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:34.413086: | route owner of "north-eastnets/0x1" unrouted: NULL Sep 21 07:16:34.413089: | running updown command "ipsec _updown" for verb unroute Sep 21 07:16:34.413092: | command executing unroute-client Sep 21 07:16:34.413123: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' Sep 
21 07:16:34.413130: | popen cmd is 1033 chars long Sep 21 07:16:34.413132: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets: Sep 21 07:16:34.413134: | cmd( 80):/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' P: Sep 21 07:16:34.413135: | cmd( 160):LUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.: Sep 21 07:16:34.413137: | cmd( 240):0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' : Sep 21 07:16:34.413138: | cmd( 320):PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.23' PLUTO_PEER_I: Sep 21 07:16:34.413140: | cmd( 400):D='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLU: Sep 21 07:16:34.413142: | cmd( 480):TO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' : Sep 21 07:16:34.413143: | cmd( 560):PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASI: Sep 21 07:16:34.413145: | cmd( 640):G+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CON: Sep 21 07:16:34.413146: | cmd( 720):N_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_: Sep 21 07:16:34.413148: | cmd( 800):CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' : Sep 21 07:16:34.413150: | cmd( 880):PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' V: Sep 21 07:16:34.413151: | cmd( 960):TI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Sep 21 07:16:34.424118: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.424136: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.424139: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:16:34.424143: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.424146: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.424155: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.424166: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.424176: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.424184: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.424194: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.424202: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.424212: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.424222: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.424231: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.424241: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.424250: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.424260: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.424269: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.424278: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.424287: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.424297: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:16:34.424599: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.424608: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.424618: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:34.428653: | free hp@0x5621a13705a0 Sep 21 07:16:34.428666: | flush revival: connection 'north-eastnets/0x1' wasn't on the list Sep 21 07:16:34.428671: | stop processing: connection "north-eastnets/0x1" (in discard_connection() at connections.c:249) Sep 21 07:16:34.428678: | crl fetch request list locked by 'free_crl_fetch' Sep 21 07:16:34.428680: | crl fetch request list unlocked by 'free_crl_fetch' Sep 21 07:16:34.428690: shutting down interface lo/lo 127.0.0.1:4500 Sep 21 07:16:34.428694: shutting down interface lo/lo 127.0.0.1:500 Sep 21 07:16:34.428697: shutting down interface eth0/eth0 192.0.3.254:4500 Sep 21 07:16:34.428700: shutting down interface eth0/eth0 192.0.3.254:500 Sep 21 07:16:34.428703: shutting down interface eth1/eth1 192.1.3.33:4500 Sep 21 07:16:34.428707: shutting down interface eth1/eth1 192.1.3.33:500 Sep 21 07:16:34.428711: | FOR_EACH_STATE_... 
in delete_states_dead_interfaces Sep 21 07:16:34.428719: | libevent_free: release ptr-libevent@0x5621a13a3ba0 Sep 21 07:16:34.428723: | free_event_entry: release EVENT_NULL-pe@0x5621a13a3b60 Sep 21 07:16:34.428733: | libevent_free: release ptr-libevent@0x5621a13a3c90 Sep 21 07:16:34.428736: | free_event_entry: release EVENT_NULL-pe@0x5621a13a3c50 Sep 21 07:16:34.428741: | libevent_free: release ptr-libevent@0x5621a13a3d80 Sep 21 07:16:34.428744: | free_event_entry: release EVENT_NULL-pe@0x5621a13a3d40 Sep 21 07:16:34.428750: | libevent_free: release ptr-libevent@0x5621a13a3e70 Sep 21 07:16:34.428752: | free_event_entry: release EVENT_NULL-pe@0x5621a13a3e30 Sep 21 07:16:34.428758: | libevent_free: release ptr-libevent@0x5621a13a3f60 Sep 21 07:16:34.428760: | free_event_entry: release EVENT_NULL-pe@0x5621a13a3f20 Sep 21 07:16:34.428766: | libevent_free: release ptr-libevent@0x5621a13a4050 Sep 21 07:16:34.428769: | free_event_entry: release EVENT_NULL-pe@0x5621a13a4010 Sep 21 07:16:34.428774: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Sep 21 07:16:34.429445: | libevent_free: release ptr-libevent@0x5621a13a34c0 Sep 21 07:16:34.429452: | free_event_entry: release EVENT_NULL-pe@0x5621a1387300 Sep 21 07:16:34.429456: | libevent_free: release ptr-libevent@0x5621a1398f50 Sep 21 07:16:34.429459: | free_event_entry: release EVENT_NULL-pe@0x5621a138cce0 Sep 21 07:16:34.429462: | libevent_free: release ptr-libevent@0x5621a1398ec0 Sep 21 07:16:34.429465: | free_event_entry: release EVENT_NULL-pe@0x5621a138cd20 Sep 21 07:16:34.429468: | global timer EVENT_REINIT_SECRET uninitialized Sep 21 07:16:34.429470: | global timer EVENT_SHUNT_SCAN uninitialized Sep 21 07:16:34.429473: | global timer EVENT_PENDING_DDNS uninitialized Sep 21 07:16:34.429475: | global timer EVENT_PENDING_PHASE2 uninitialized Sep 21 07:16:34.429478: | global timer EVENT_CHECK_CRLS uninitialized Sep 21 07:16:34.429480: | global timer EVENT_REVIVE_CONNS uninitialized Sep 21 07:16:34.429482: | global timer EVENT_FREE_ROOT_CERTS uninitialized Sep 21 07:16:34.429485: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Sep 21 07:16:34.429487: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Sep 21 07:16:34.429492: | libevent_free: release ptr-libevent@0x5621a13a3590 Sep 21 07:16:34.429495: | signal event handler PLUTO_SIGCHLD uninstalled Sep 21 07:16:34.429498: | libevent_free: release ptr-libevent@0x5621a13a3670 Sep 21 07:16:34.429500: | signal event handler PLUTO_SIGTERM uninstalled Sep 21 07:16:34.429503: | libevent_free: release ptr-libevent@0x5621a13a3730 Sep 21 07:16:34.429506: | signal event handler PLUTO_SIGHUP uninstalled Sep 21 07:16:34.429509: | libevent_free: release ptr-libevent@0x5621a1398240 Sep 21 07:16:34.429514: | signal event handler PLUTO_SIGSYS uninstalled Sep 21 07:16:34.429517: | releasing event base Sep 21 07:16:34.429529: | libevent_free: release ptr-libevent@0x5621a13a37f0 Sep 21 07:16:34.429531: | libevent_free: release ptr-libevent@0x5621a1378e10 Sep 21 07:16:34.429535: | libevent_free: 
release ptr-libevent@0x5621a1387640 Sep 21 07:16:34.429537: | libevent_free: release ptr-libevent@0x5621a13a4310 Sep 21 07:16:34.429540: | libevent_free: release ptr-libevent@0x5621a1387660 Sep 21 07:16:34.429543: | libevent_free: release ptr-libevent@0x5621a13a3550 Sep 21 07:16:34.429545: | libevent_free: release ptr-libevent@0x5621a13a3630 Sep 21 07:16:34.429548: | libevent_free: release ptr-libevent@0x5621a13876f0 Sep 21 07:16:34.429550: | libevent_free: release ptr-libevent@0x5621a138c000 Sep 21 07:16:34.429552: | libevent_free: release ptr-libevent@0x5621a138c020 Sep 21 07:16:34.429555: | libevent_free: release ptr-libevent@0x5621a13a40e0 Sep 21 07:16:34.429557: | libevent_free: release ptr-libevent@0x5621a13a3ff0 Sep 21 07:16:34.429560: | libevent_free: release ptr-libevent@0x5621a13a3f00 Sep 21 07:16:34.429562: | libevent_free: release ptr-libevent@0x5621a13a3e10 Sep 21 07:16:34.429564: | libevent_free: release ptr-libevent@0x5621a13a3d20 Sep 21 07:16:34.429567: | libevent_free: release ptr-libevent@0x5621a13a3c30 Sep 21 07:16:34.429569: | libevent_free: release ptr-libevent@0x5621a1309370 Sep 21 07:16:34.429572: | libevent_free: release ptr-libevent@0x5621a13a3710 Sep 21 07:16:34.429574: | libevent_free: release ptr-libevent@0x5621a13a3650 Sep 21 07:16:34.429576: | libevent_free: release ptr-libevent@0x5621a13a3570 Sep 21 07:16:34.429579: | libevent_free: release ptr-libevent@0x5621a13a37d0 Sep 21 07:16:34.429581: | libevent_free: release ptr-libevent@0x5621a13075b0 Sep 21 07:16:34.429584: | libevent_free: release ptr-libevent@0x5621a1387680 Sep 21 07:16:34.429587: | libevent_free: release ptr-libevent@0x5621a13876b0 Sep 21 07:16:34.429589: | libevent_free: release ptr-libevent@0x5621a13873a0 Sep 21 07:16:34.429591: | releasing global libevent data Sep 21 07:16:34.429594: | libevent_free: release ptr-libevent@0x5621a1386090 Sep 21 07:16:34.429597: | libevent_free: release ptr-libevent@0x5621a1387340 Sep 21 07:16:34.429600: | libevent_free: release 
ptr-libevent@0x5621a1387370