Sep 21 07:16:29.649489: FIPS Product: YES Sep 21 07:16:29.649521: FIPS Kernel: NO Sep 21 07:16:29.649523: FIPS Mode: NO Sep 21 07:16:29.649525: NSS DB directory: sql:/etc/ipsec.d Sep 21 07:16:29.649658: Initializing NSS Sep 21 07:16:29.649661: Opening NSS database "sql:/etc/ipsec.d" read-only Sep 21 07:16:29.678603: NSS initialized Sep 21 07:16:29.678613: NSS crypto library initialized Sep 21 07:16:29.678615: FIPS HMAC integrity support [enabled] Sep 21 07:16:29.678616: FIPS mode disabled for pluto daemon Sep 21 07:16:29.718641: FIPS HMAC integrity verification self-test FAILED Sep 21 07:16:29.718717: libcap-ng support [enabled] Sep 21 07:16:29.718723: Linux audit support [enabled] Sep 21 07:16:29.718741: Linux audit activated Sep 21 07:16:29.718749: Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:11504 Sep 21 07:16:29.718752: core dump dir: /tmp Sep 21 07:16:29.718753: secrets file: /etc/ipsec.secrets Sep 21 07:16:29.718754: leak-detective disabled Sep 21 07:16:29.718755: NSS crypto [enabled] Sep 21 07:16:29.718757: XAUTH PAM support [enabled] Sep 21 07:16:29.718836: | libevent is using pluto's memory allocator Sep 21 07:16:29.718842: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Sep 21 07:16:29.718865: | libevent_malloc: new ptr-libevent@0x5633dba7f500 size 40 Sep 21 07:16:29.718870: | libevent_malloc: new ptr-libevent@0x5633dba807b0 size 40 Sep 21 07:16:29.718872: | libevent_malloc: new ptr-libevent@0x5633dba807e0 size 40 Sep 21 07:16:29.718874: | creating event base Sep 21 07:16:29.718875: | libevent_malloc: new ptr-libevent@0x5633dba80770 size 56 Sep 21 07:16:29.718877: | libevent_malloc: new ptr-libevent@0x5633dba80810 size 664 Sep 21 07:16:29.718886: | libevent_malloc: new 
ptr-libevent@0x5633dba80ab0 size 24 Sep 21 07:16:29.718888: | libevent_malloc: new ptr-libevent@0x5633dba72270 size 384 Sep 21 07:16:29.718895: | libevent_malloc: new ptr-libevent@0x5633dba80ad0 size 16 Sep 21 07:16:29.718897: | libevent_malloc: new ptr-libevent@0x5633dba80af0 size 40 Sep 21 07:16:29.718898: | libevent_malloc: new ptr-libevent@0x5633dba80b20 size 48 Sep 21 07:16:29.718903: | libevent_realloc: new ptr-libevent@0x5633dba04370 size 256 Sep 21 07:16:29.718905: | libevent_malloc: new ptr-libevent@0x5633dba80b60 size 16 Sep 21 07:16:29.718908: | libevent_free: release ptr-libevent@0x5633dba80770 Sep 21 07:16:29.718911: | libevent initialized Sep 21 07:16:29.718913: | libevent_realloc: new ptr-libevent@0x5633dba80b80 size 64 Sep 21 07:16:29.718918: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Sep 21 07:16:29.718928: | init_nat_traversal() initialized with keep_alive=0s Sep 21 07:16:29.718929: NAT-Traversal support [enabled] Sep 21 07:16:29.718931: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Sep 21 07:16:29.718935: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Sep 21 07:16:29.718937: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Sep 21 07:16:29.718964: | global one-shot timer EVENT_REVIVE_CONNS initialized Sep 21 07:16:29.718966: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Sep 21 07:16:29.718968: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Sep 21 07:16:29.718999: Encryption algorithms: Sep 21 07:16:29.719006: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c Sep 21 07:16:29.719008: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b Sep 21 07:16:29.719011: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a Sep 21 07:16:29.719013: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des Sep 21 07:16:29.719015: CAMELLIA_CTR IKEv1: ESP 
IKEv2: ESP {256,192,*128} Sep 21 07:16:29.719021: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia Sep 21 07:16:29.719024: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c Sep 21 07:16:29.719026: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b Sep 21 07:16:29.719028: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a Sep 21 07:16:29.719030: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr Sep 21 07:16:29.719032: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes Sep 21 07:16:29.719034: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent Sep 21 07:16:29.719036: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish Sep 21 07:16:29.719038: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh Sep 21 07:16:29.719040: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Sep 21 07:16:29.719042: NULL IKEv1: ESP IKEv2: ESP [] Sep 21 07:16:29.719044: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Sep 21 07:16:29.719048: Hash algorithms: Sep 21 07:16:29.719050: MD5 IKEv1: IKE IKEv2: Sep 21 07:16:29.719052: SHA1 IKEv1: IKE IKEv2: FIPS sha Sep 21 07:16:29.719054: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 Sep 21 07:16:29.719055: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 Sep 21 07:16:29.719057: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 Sep 21 07:16:29.719065: PRF algorithms: Sep 21 07:16:29.719067: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 Sep 21 07:16:29.719069: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 Sep 21 07:16:29.719071: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 Sep 21 07:16:29.719073: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 Sep 21 07:16:29.719074: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Sep 21 07:16:29.719076: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Sep 21 07:16:29.719091: Integrity algorithms: Sep 21 07:16:29.719093: HMAC_MD5_96 IKEv1: IKE ESP 
AH IKEv2: IKE ESP AH md5, hmac_md5 Sep 21 07:16:29.719095: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 Sep 21 07:16:29.719097: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Sep 21 07:16:29.719099: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Sep 21 07:16:29.719102: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Sep 21 07:16:29.719103: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Sep 21 07:16:29.719105: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 Sep 21 07:16:29.719107: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Sep 21 07:16:29.719109: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Sep 21 07:16:29.719116: DH algorithms: Sep 21 07:16:29.719118: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 Sep 21 07:16:29.719120: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 Sep 21 07:16:29.719122: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 Sep 21 07:16:29.719125: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 Sep 21 07:16:29.719126: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 Sep 21 07:16:29.719128: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 Sep 21 07:16:29.719130: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 Sep 21 07:16:29.719132: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 Sep 21 07:16:29.719133: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 Sep 21 07:16:29.719135: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 Sep 21 07:16:29.719137: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 Sep 21 07:16:29.719138: testing CAMELLIA_CBC: Sep 21 07:16:29.719140: Camellia: 16 bytes with 128-bit key Sep 21 07:16:29.719227: Camellia: 16 bytes with 128-bit key Sep 21 07:16:29.719247: Camellia: 16 bytes with 256-bit key Sep 21 07:16:29.719266: Camellia: 
16 bytes with 256-bit key Sep 21 07:16:29.719283: testing AES_GCM_16: Sep 21 07:16:29.719285: empty string Sep 21 07:16:29.719302: one block Sep 21 07:16:29.719318: two blocks Sep 21 07:16:29.719334: two blocks with associated data Sep 21 07:16:29.719350: testing AES_CTR: Sep 21 07:16:29.719352: Encrypting 16 octets using AES-CTR with 128-bit key Sep 21 07:16:29.719368: Encrypting 32 octets using AES-CTR with 128-bit key Sep 21 07:16:29.719385: Encrypting 36 octets using AES-CTR with 128-bit key Sep 21 07:16:29.719401: Encrypting 16 octets using AES-CTR with 192-bit key Sep 21 07:16:29.719417: Encrypting 32 octets using AES-CTR with 192-bit key Sep 21 07:16:29.719433: Encrypting 36 octets using AES-CTR with 192-bit key Sep 21 07:16:29.719450: Encrypting 16 octets using AES-CTR with 256-bit key Sep 21 07:16:29.719466: Encrypting 32 octets using AES-CTR with 256-bit key Sep 21 07:16:29.719482: Encrypting 36 octets using AES-CTR with 256-bit key Sep 21 07:16:29.719499: testing AES_CBC: Sep 21 07:16:29.719500: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Sep 21 07:16:29.719516: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Sep 21 07:16:29.719534: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Sep 21 07:16:29.719551: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Sep 21 07:16:29.719571: testing AES_XCBC: Sep 21 07:16:29.719572: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Sep 21 07:16:29.719676: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Sep 21 07:16:29.719824: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Sep 21 07:16:29.719969: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Sep 21 07:16:29.720101: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Sep 21 07:16:29.720234: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Sep 21 07:16:29.720368: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Sep 21 07:16:29.720657: RFC 4434 Test Case 
AES-XCBC-PRF-128 with 20-byte input (key length 16) Sep 21 07:16:29.720799: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Sep 21 07:16:29.720976: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Sep 21 07:16:29.721175: testing HMAC_MD5: Sep 21 07:16:29.721179: RFC 2104: MD5_HMAC test 1 Sep 21 07:16:29.721286: RFC 2104: MD5_HMAC test 2 Sep 21 07:16:29.721379: RFC 2104: MD5_HMAC test 3 Sep 21 07:16:29.721487: 8 CPU cores online Sep 21 07:16:29.721489: starting up 7 crypto helpers Sep 21 07:16:29.721513: started thread for crypto helper 0 Sep 21 07:16:29.721530: started thread for crypto helper 1 Sep 21 07:16:29.721544: started thread for crypto helper 2 Sep 21 07:16:29.721546: | starting up helper thread 0 Sep 21 07:16:29.721573: started thread for crypto helper 3 Sep 21 07:16:29.721574: | status value returned by setting the priority of this thread (crypto helper 0) 22 Sep 21 07:16:29.721581: | crypto helper 0 waiting (nothing to do) Sep 21 07:16:29.721580: | starting up helper thread 3 Sep 21 07:16:29.721596: started thread for crypto helper 4 Sep 21 07:16:29.721600: | starting up helper thread 4 Sep 21 07:16:29.721618: | starting up helper thread 1 Sep 21 07:16:29.721572: | starting up helper thread 2 Sep 21 07:16:29.721646: | starting up helper thread 5 Sep 21 07:16:29.721651: | status value returned by setting the priority of this thread (crypto helper 2) 22 Sep 21 07:16:29.721654: | status value returned by setting the priority of this thread (crypto helper 5) 22 Sep 21 07:16:29.721656: | crypto helper 5 waiting (nothing to do) Sep 21 07:16:29.721642: | status value returned by setting the priority of this thread (crypto helper 1) 22 Sep 21 07:16:29.721661: | crypto helper 2 waiting (nothing to do) Sep 21 07:16:29.721636: | status value returned by setting the priority of this thread (crypto helper 4) 22 Sep 21 07:16:29.721666: | crypto helper 1 waiting (nothing to do) Sep 21 07:16:29.721596: | status value 
returned by setting the priority of this thread (crypto helper 3) 22 Sep 21 07:16:29.721642: started thread for crypto helper 5 Sep 21 07:16:29.721668: | crypto helper 4 waiting (nothing to do) Sep 21 07:16:29.721684: | crypto helper 3 waiting (nothing to do) Sep 21 07:16:29.721690: started thread for crypto helper 6 Sep 21 07:16:29.721691: | starting up helper thread 6 Sep 21 07:16:29.721696: | checking IKEv1 state table Sep 21 07:16:29.721696: | status value returned by setting the priority of this thread (crypto helper 6) 22 Sep 21 07:16:29.721702: | crypto helper 6 waiting (nothing to do) Sep 21 07:16:29.721702: | MAIN_R0: category: half-open IKE SA flags: 0: Sep 21 07:16:29.721705: | -> MAIN_R1 EVENT_SO_DISCARD Sep 21 07:16:29.721707: | MAIN_I1: category: half-open IKE SA flags: 0: Sep 21 07:16:29.721709: | -> MAIN_I2 EVENT_RETRANSMIT Sep 21 07:16:29.721710: | MAIN_R1: category: open IKE SA flags: 200: Sep 21 07:16:29.721712: | -> MAIN_R2 EVENT_RETRANSMIT Sep 21 07:16:29.721713: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:16:29.721715: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:16:29.721716: | MAIN_I2: category: open IKE SA flags: 0: Sep 21 07:16:29.721718: | -> MAIN_I3 EVENT_RETRANSMIT Sep 21 07:16:29.721719: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:16:29.721720: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:16:29.721722: | MAIN_R2: category: open IKE SA flags: 0: Sep 21 07:16:29.721723: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:16:29.721725: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:16:29.721726: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:16:29.721728: | MAIN_I3: category: open IKE SA flags: 0: Sep 21 07:16:29.721729: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:16:29.721730: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:16:29.721732: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:16:29.721733: | MAIN_R3: category: established IKE SA flags: 200: Sep 21 07:16:29.721735: | -> UNDEFINED EVENT_NULL Sep 21 07:16:29.721736: | MAIN_I4: category: established IKE SA flags: 0: Sep 21 
07:16:29.721738: | -> UNDEFINED EVENT_NULL Sep 21 07:16:29.721739: | AGGR_R0: category: half-open IKE SA flags: 0: Sep 21 07:16:29.721741: | -> AGGR_R1 EVENT_SO_DISCARD Sep 21 07:16:29.721742: | AGGR_I1: category: half-open IKE SA flags: 0: Sep 21 07:16:29.721744: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:16:29.721745: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:16:29.721747: | AGGR_R1: category: open IKE SA flags: 200: Sep 21 07:16:29.721748: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:16:29.721749: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:16:29.721751: | AGGR_I2: category: established IKE SA flags: 200: Sep 21 07:16:29.721752: | -> UNDEFINED EVENT_NULL Sep 21 07:16:29.721754: | AGGR_R2: category: established IKE SA flags: 0: Sep 21 07:16:29.721755: | -> UNDEFINED EVENT_NULL Sep 21 07:16:29.721757: | QUICK_R0: category: established CHILD SA flags: 0: Sep 21 07:16:29.721761: | -> QUICK_R1 EVENT_RETRANSMIT Sep 21 07:16:29.721763: | QUICK_I1: category: established CHILD SA flags: 0: Sep 21 07:16:29.721764: | -> QUICK_I2 EVENT_SA_REPLACE Sep 21 07:16:29.721766: | QUICK_R1: category: established CHILD SA flags: 0: Sep 21 07:16:29.721767: | -> QUICK_R2 EVENT_SA_REPLACE Sep 21 07:16:29.721769: | QUICK_I2: category: established CHILD SA flags: 200: Sep 21 07:16:29.721770: | -> UNDEFINED EVENT_NULL Sep 21 07:16:29.721772: | QUICK_R2: category: established CHILD SA flags: 0: Sep 21 07:16:29.721773: | -> UNDEFINED EVENT_NULL Sep 21 07:16:29.721775: | INFO: category: informational flags: 0: Sep 21 07:16:29.721776: | -> UNDEFINED EVENT_NULL Sep 21 07:16:29.721778: | INFO_PROTECTED: category: informational flags: 0: Sep 21 07:16:29.721779: | -> UNDEFINED EVENT_NULL Sep 21 07:16:29.721781: | XAUTH_R0: category: established IKE SA flags: 0: Sep 21 07:16:29.721782: | -> XAUTH_R1 EVENT_NULL Sep 21 07:16:29.721792: | XAUTH_R1: category: established IKE SA flags: 0: Sep 21 07:16:29.721793: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:16:29.721795: | MODE_CFG_R0: category: informational flags: 0: Sep 
21 07:16:29.721796: | -> MODE_CFG_R1 EVENT_SA_REPLACE Sep 21 07:16:29.721798: | MODE_CFG_R1: category: established IKE SA flags: 0: Sep 21 07:16:29.721799: | -> MODE_CFG_R2 EVENT_SA_REPLACE Sep 21 07:16:29.721801: | MODE_CFG_R2: category: established IKE SA flags: 0: Sep 21 07:16:29.721802: | -> UNDEFINED EVENT_NULL Sep 21 07:16:29.721804: | MODE_CFG_I1: category: established IKE SA flags: 0: Sep 21 07:16:29.721805: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:16:29.721807: | XAUTH_I0: category: established IKE SA flags: 0: Sep 21 07:16:29.721808: | -> XAUTH_I1 EVENT_RETRANSMIT Sep 21 07:16:29.721823: | XAUTH_I1: category: established IKE SA flags: 0: Sep 21 07:16:29.721824: | -> MAIN_I4 EVENT_RETRANSMIT Sep 21 07:16:29.721829: | checking IKEv2 state table Sep 21 07:16:29.721833: | PARENT_I0: category: ignore flags: 0: Sep 21 07:16:29.721835: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Sep 21 07:16:29.721837: | PARENT_I1: category: half-open IKE SA flags: 0: Sep 21 07:16:29.721838: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Sep 21 07:16:29.721840: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Sep 21 07:16:29.721842: | PARENT_I2: category: open IKE SA flags: 0: Sep 21 07:16:29.721843: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Sep 21 07:16:29.721845: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Sep 21 07:16:29.721847: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Sep 21 07:16:29.721848: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Sep 21 07:16:29.721850: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Sep 21 07:16:29.721851: | PARENT_I3: category: established IKE SA flags: 0: Sep 21 07:16:29.721853: | -> PARENT_I3 EVENT_RETAIN (I3: Informational 
Request) Sep 21 07:16:29.721855: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) Sep 21 07:16:29.721856: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Sep 21 07:16:29.721857: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) Sep 21 07:16:29.721859: | PARENT_R0: category: half-open IKE SA flags: 0: Sep 21 07:16:29.721861: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) Sep 21 07:16:29.721862: | PARENT_R1: category: half-open IKE SA flags: 0: Sep 21 07:16:29.721864: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) Sep 21 07:16:29.721865: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Sep 21 07:16:29.721867: | PARENT_R2: category: established IKE SA flags: 0: Sep 21 07:16:29.721870: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Sep 21 07:16:29.721872: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) Sep 21 07:16:29.721873: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Sep 21 07:16:29.721875: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) Sep 21 07:16:29.721876: | V2_CREATE_I0: category: established IKE SA flags: 0: Sep 21 07:16:29.721878: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Sep 21 07:16:29.721880: | V2_CREATE_I: category: established IKE SA flags: 0: Sep 21 07:16:29.721881: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Sep 21 07:16:29.721883: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: Sep 21 07:16:29.721885: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Sep 21 07:16:29.721886: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Sep 21 07:16:29.721888: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Sep 21 07:16:29.721890: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Sep 21 07:16:29.721891: 
| -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Sep 21 07:16:29.721893: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Sep 21 07:16:29.721895: | V2_CREATE_R: category: established IKE SA flags: 0: Sep 21 07:16:29.721896: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Sep 21 07:16:29.721898: | V2_REKEY_IKE_R: category: established IKE SA flags: 0: Sep 21 07:16:29.721899: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Sep 21 07:16:29.721901: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Sep 21 07:16:29.721903: | V2_IPSEC_I: category: established CHILD SA flags: 0: Sep 21 07:16:29.721904: | V2_IPSEC_R: category: established CHILD SA flags: 0: Sep 21 07:16:29.721906: | IKESA_DEL: category: established IKE SA flags: 0: Sep 21 07:16:29.721907: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Sep 21 07:16:29.721909: | CHILDSA_DEL: category: informational flags: 0: Sep 21 07:16:29.721947: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ Sep 21 07:16:29.721996: | Hard-wiring algorithms Sep 21 07:16:29.721999: | adding AES_CCM_16 to kernel algorithm db Sep 21 07:16:29.722001: | adding AES_CCM_12 to kernel algorithm db Sep 21 07:16:29.722003: | adding AES_CCM_8 to kernel algorithm db Sep 21 07:16:29.722004: | adding 3DES_CBC to kernel algorithm db Sep 21 07:16:29.722006: | adding CAMELLIA_CBC to kernel algorithm db Sep 21 07:16:29.722007: | adding AES_GCM_16 to kernel algorithm db Sep 21 07:16:29.722008: | adding AES_GCM_12 to kernel algorithm db Sep 21 07:16:29.722010: | adding AES_GCM_8 to kernel algorithm db Sep 21 07:16:29.722011: | adding AES_CTR to kernel algorithm db Sep 21 07:16:29.722013: | adding AES_CBC to kernel algorithm db Sep 21 07:16:29.722014: | adding SERPENT_CBC to kernel algorithm db Sep 21 07:16:29.722015: | adding TWOFISH_CBC to kernel algorithm db Sep 21 07:16:29.722017: | adding 
NULL_AUTH_AES_GMAC to kernel algorithm db Sep 21 07:16:29.722018: | adding NULL to kernel algorithm db Sep 21 07:16:29.722020: | adding CHACHA20_POLY1305 to kernel algorithm db Sep 21 07:16:29.722021: | adding HMAC_MD5_96 to kernel algorithm db Sep 21 07:16:29.722023: | adding HMAC_SHA1_96 to kernel algorithm db Sep 21 07:16:29.722024: | adding HMAC_SHA2_512_256 to kernel algorithm db Sep 21 07:16:29.722026: | adding HMAC_SHA2_384_192 to kernel algorithm db Sep 21 07:16:29.722027: | adding HMAC_SHA2_256_128 to kernel algorithm db Sep 21 07:16:29.722029: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Sep 21 07:16:29.722030: | adding AES_XCBC_96 to kernel algorithm db Sep 21 07:16:29.722032: | adding AES_CMAC_96 to kernel algorithm db Sep 21 07:16:29.722033: | adding NONE to kernel algorithm db Sep 21 07:16:29.722049: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Sep 21 07:16:29.722052: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Sep 21 07:16:29.722053: | setup kernel fd callback Sep 21 07:16:29.722068: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x5633dba8af30 Sep 21 07:16:29.722071: | libevent_malloc: new ptr-libevent@0x5633dba92400 size 128 Sep 21 07:16:29.722073: | libevent_malloc: new ptr-libevent@0x5633dba80cc0 size 16 Sep 21 07:16:29.722078: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x5633dba857d0 Sep 21 07:16:29.722079: | libevent_malloc: new ptr-libevent@0x5633dba92490 size 128 Sep 21 07:16:29.722081: | libevent_malloc: new ptr-libevent@0x5633dba85720 size 16 Sep 21 07:16:29.722228: | global one-shot timer EVENT_CHECK_CRLS initialized Sep 21 07:16:29.722233: selinux support is enabled. 
Sep 21 07:16:29.722288: systemd watchdog not enabled - not sending watchdog keepalives Sep 21 07:16:29.722408: | unbound context created - setting debug level to 5 Sep 21 07:16:29.722430: | /etc/hosts lookups activated Sep 21 07:16:29.722441: | /etc/resolv.conf usage activated Sep 21 07:16:29.722472: | outgoing-port-avoid set 0-65535 Sep 21 07:16:29.722489: | outgoing-port-permit set 32768-60999 Sep 21 07:16:29.722491: | Loading dnssec root key from:/var/lib/unbound/root.key Sep 21 07:16:29.722493: | No additional dnssec trust anchors defined via dnssec-trusted= option Sep 21 07:16:29.722495: | Setting up events, loop start Sep 21 07:16:29.722497: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x5633dba85520 Sep 21 07:16:29.722499: | libevent_malloc: new ptr-libevent@0x5633dba9ca00 size 128 Sep 21 07:16:29.722501: | libevent_malloc: new ptr-libevent@0x5633dba9ca90 size 16 Sep 21 07:16:29.722504: | libevent_realloc: new ptr-libevent@0x5633dba025b0 size 256 Sep 21 07:16:29.722506: | libevent_malloc: new ptr-libevent@0x5633dba9cab0 size 8 Sep 21 07:16:29.722508: | libevent_realloc: new ptr-libevent@0x5633dba91700 size 144 Sep 21 07:16:29.722510: | libevent_malloc: new ptr-libevent@0x5633dba9cad0 size 152 Sep 21 07:16:29.722512: | libevent_malloc: new ptr-libevent@0x5633dba9cb70 size 16 Sep 21 07:16:29.722514: | signal event handler PLUTO_SIGCHLD installed Sep 21 07:16:29.722516: | libevent_malloc: new ptr-libevent@0x5633dba9cb90 size 8 Sep 21 07:16:29.722517: | libevent_malloc: new ptr-libevent@0x5633dba9cbb0 size 152 Sep 21 07:16:29.722519: | signal event handler PLUTO_SIGTERM installed Sep 21 07:16:29.722521: | libevent_malloc: new ptr-libevent@0x5633dba9cc50 size 8 Sep 21 07:16:29.722522: | libevent_malloc: new ptr-libevent@0x5633dba9cc70 size 152 Sep 21 07:16:29.722524: | signal event handler PLUTO_SIGHUP installed Sep 21 07:16:29.722525: | libevent_malloc: new ptr-libevent@0x5633dba9cd10 size 8 Sep 21 07:16:29.722527: | libevent_realloc: release 
ptr-libevent@0x5633dba91700 Sep 21 07:16:29.722529: | libevent_realloc: new ptr-libevent@0x5633dba9cd30 size 256 Sep 21 07:16:29.722530: | libevent_malloc: new ptr-libevent@0x5633dba91700 size 152 Sep 21 07:16:29.722532: | signal event handler PLUTO_SIGSYS installed Sep 21 07:16:29.722744: | created addconn helper (pid:11541) using fork+execve Sep 21 07:16:29.722755: | forked child 11541 Sep 21 07:16:29.722788: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:29.722818: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:16:29.722823: listening for IKE messages Sep 21 07:16:29.722853: | Inspecting interface lo Sep 21 07:16:29.722858: | found lo with address 127.0.0.1 Sep 21 07:16:29.722859: | Inspecting interface eth0 Sep 21 07:16:29.722862: | found eth0 with address 192.0.2.254 Sep 21 07:16:29.722864: | Inspecting interface eth1 Sep 21 07:16:29.722866: | found eth1 with address 192.1.2.23 Sep 21 07:16:29.722905: Kernel supports NIC esp-hw-offload Sep 21 07:16:29.722917: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Sep 21 07:16:29.722953: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:16:29.722960: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:16:29.722964: adding interface eth1/eth1 192.1.2.23:4500 Sep 21 07:16:29.722994: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Sep 21 07:16:29.723014: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:16:29.723018: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:16:29.723022: adding interface eth0/eth0 192.0.2.254:4500 Sep 21 07:16:29.723045: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Sep 21 07:16:29.723065: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:16:29.723069: | NAT-Traversal: ESPINUDP(2) setup succeeded for 
sockopt style NAT-T family IPv4 Sep 21 07:16:29.723072: adding interface lo/lo 127.0.0.1:4500 Sep 21 07:16:29.723117: | no interfaces to sort Sep 21 07:16:29.723121: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations Sep 21 07:16:29.723129: | add_fd_read_event_handler: new ethX-pe@0x5633dba862a0 Sep 21 07:16:29.723133: | libevent_malloc: new ptr-libevent@0x5633dba9d0a0 size 128 Sep 21 07:16:29.723136: | libevent_malloc: new ptr-libevent@0x5633dba9d130 size 16 Sep 21 07:16:29.723143: | setup callback for interface lo 127.0.0.1:4500 fd 22 Sep 21 07:16:29.723146: | add_fd_read_event_handler: new ethX-pe@0x5633dba9d150 Sep 21 07:16:29.723148: | libevent_malloc: new ptr-libevent@0x5633dba9d190 size 128 Sep 21 07:16:29.723150: | libevent_malloc: new ptr-libevent@0x5633dba9d220 size 16 Sep 21 07:16:29.723154: | setup callback for interface lo 127.0.0.1:500 fd 21 Sep 21 07:16:29.723156: | add_fd_read_event_handler: new ethX-pe@0x5633dba9d240 Sep 21 07:16:29.723159: | libevent_malloc: new ptr-libevent@0x5633dba9d280 size 128 Sep 21 07:16:29.723161: | libevent_malloc: new ptr-libevent@0x5633dba9d310 size 16 Sep 21 07:16:29.723165: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Sep 21 07:16:29.723167: | add_fd_read_event_handler: new ethX-pe@0x5633dba9d330 Sep 21 07:16:29.723170: | libevent_malloc: new ptr-libevent@0x5633dba9d370 size 128 Sep 21 07:16:29.723173: | libevent_malloc: new ptr-libevent@0x5633dba9d400 size 16 Sep 21 07:16:29.723176: | setup callback for interface eth0 192.0.2.254:500 fd 19 Sep 21 07:16:29.723179: | add_fd_read_event_handler: new ethX-pe@0x5633dba9d420 Sep 21 07:16:29.723181: | libevent_malloc: new ptr-libevent@0x5633dba9d460 size 128 Sep 21 07:16:29.723184: | libevent_malloc: new ptr-libevent@0x5633dba9d4f0 size 16 Sep 21 07:16:29.723188: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Sep 21 07:16:29.723191: | add_fd_read_event_handler: new ethX-pe@0x5633dba9d510 Sep 21 07:16:29.723193: | libevent_malloc: new 
ptr-libevent@0x5633dba9d550 size 128 Sep 21 07:16:29.723196: | libevent_malloc: new ptr-libevent@0x5633dba9d5e0 size 16 Sep 21 07:16:29.723200: | setup callback for interface eth1 192.1.2.23:500 fd 17 Sep 21 07:16:29.723204: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:16:29.723206: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:16:29.723225: loading secrets from "/etc/ipsec.secrets" Sep 21 07:16:29.723236: | Processing PSK at line 1: passed Sep 21 07:16:29.723239: | certs and keys locked by 'process_secret' Sep 21 07:16:29.723242: | certs and keys unlocked by 'process_secret' Sep 21 07:16:29.723248: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:16:29.723257: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:29.723264: | spent 0.483 milliseconds in whack Sep 21 07:16:29.745836: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:29.745859: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:16:29.745867: listening for IKE messages Sep 21 07:16:29.745912: | Inspecting interface lo Sep 21 07:16:29.745917: | found lo with address 127.0.0.1 Sep 21 07:16:29.745919: | Inspecting interface eth0 Sep 21 07:16:29.745922: | found eth0 with address 192.0.2.254 Sep 21 07:16:29.745928: | Inspecting interface eth1 Sep 21 07:16:29.745930: | found eth1 with address 192.1.2.23 Sep 21 07:16:29.745974: | no interfaces to sort Sep 21 07:16:29.745980: | libevent_free: release ptr-libevent@0x5633dba9d0a0 Sep 21 07:16:29.745982: | free_event_entry: release EVENT_NULL-pe@0x5633dba862a0 Sep 21 07:16:29.745984: | add_fd_read_event_handler: new ethX-pe@0x5633dba862a0 Sep 21 07:16:29.745987: | libevent_malloc: new ptr-libevent@0x5633dba9d0a0 size 128 Sep 21 07:16:29.745992: | setup callback for interface lo 127.0.0.1:4500 fd 22 Sep 21 07:16:29.745994: | libevent_free: release ptr-libevent@0x5633dba9d190 Sep 21 07:16:29.745996: 
| free_event_entry: release EVENT_NULL-pe@0x5633dba9d150 Sep 21 07:16:29.745997: | add_fd_read_event_handler: new ethX-pe@0x5633dba9d150 Sep 21 07:16:29.745999: | libevent_malloc: new ptr-libevent@0x5633dba9d190 size 128 Sep 21 07:16:29.746002: | setup callback for interface lo 127.0.0.1:500 fd 21 Sep 21 07:16:29.746004: | libevent_free: release ptr-libevent@0x5633dba9d280 Sep 21 07:16:29.746006: | free_event_entry: release EVENT_NULL-pe@0x5633dba9d240 Sep 21 07:16:29.746007: | add_fd_read_event_handler: new ethX-pe@0x5633dba9d240 Sep 21 07:16:29.746009: | libevent_malloc: new ptr-libevent@0x5633dba9d280 size 128 Sep 21 07:16:29.746012: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Sep 21 07:16:29.746014: | libevent_free: release ptr-libevent@0x5633dba9d370 Sep 21 07:16:29.746015: | free_event_entry: release EVENT_NULL-pe@0x5633dba9d330 Sep 21 07:16:29.746017: | add_fd_read_event_handler: new ethX-pe@0x5633dba9d330 Sep 21 07:16:29.746018: | libevent_malloc: new ptr-libevent@0x5633dba9d370 size 128 Sep 21 07:16:29.746021: | setup callback for interface eth0 192.0.2.254:500 fd 19 Sep 21 07:16:29.746023: | libevent_free: release ptr-libevent@0x5633dba9d460 Sep 21 07:16:29.746025: | free_event_entry: release EVENT_NULL-pe@0x5633dba9d420 Sep 21 07:16:29.746026: | add_fd_read_event_handler: new ethX-pe@0x5633dba9d420 Sep 21 07:16:29.746028: | libevent_malloc: new ptr-libevent@0x5633dba9d460 size 128 Sep 21 07:16:29.746031: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Sep 21 07:16:29.746033: | libevent_free: release ptr-libevent@0x5633dba9d550 Sep 21 07:16:29.746034: | free_event_entry: release EVENT_NULL-pe@0x5633dba9d510 Sep 21 07:16:29.746036: | add_fd_read_event_handler: new ethX-pe@0x5633dba9d510 Sep 21 07:16:29.746037: | libevent_malloc: new ptr-libevent@0x5633dba9d550 size 128 Sep 21 07:16:29.746041: | setup callback for interface eth1 192.1.2.23:500 fd 17 Sep 21 07:16:29.746043: | certs and keys locked by 'free_preshared_secrets' Sep 21 
07:16:29.746045: forgetting secrets Sep 21 07:16:29.746051: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:16:29.746061: loading secrets from "/etc/ipsec.secrets" Sep 21 07:16:29.746067: | Processing PSK at line 1: passed Sep 21 07:16:29.746068: | certs and keys locked by 'process_secret' Sep 21 07:16:29.746070: | certs and keys unlocked by 'process_secret' Sep 21 07:16:29.746073: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:16:29.746078: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:29.746083: | spent 0.255 milliseconds in whack Sep 21 07:16:29.746552: | processing signal PLUTO_SIGCHLD Sep 21 07:16:29.746562: | waitpid returned pid 11541 (exited with status 0) Sep 21 07:16:29.746565: | reaped addconn helper child (status 0) Sep 21 07:16:29.746568: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:29.746571: | spent 0.0119 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:29.810729: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:29.810745: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:29.810748: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:16:29.810750: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:29.810751: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:16:29.810754: | FOR_EACH_CONNECTION_... 
in conn_by_name Sep 21 07:16:29.810765: | Added new connection eastnet-any with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:16:29.810807: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Sep 21 07:16:29.810814: | from whack: got --esp= Sep 21 07:16:29.810836: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 Sep 21 07:16:29.810839: | counting wild cards for (none) is 15 Sep 21 07:16:29.810842: | counting wild cards for @east is 0 Sep 21 07:16:29.810845: | based upon policy, the connection is a template. 
Sep 21 07:16:29.810850: | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none Sep 21 07:16:29.810853: | new hp@0x5633dba69a30 Sep 21 07:16:29.810857: added connection description "eastnet-any" Sep 21 07:16:29.810877: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:16:29.810884: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...%any===192.0.1.0/24 Sep 21 07:16:29.810889: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:29.810909: | spent 0.168 milliseconds in whack Sep 21 07:16:30.993094: | spent 0.00263 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:30.993120: | *received 828 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
Sep 21 07:16:30.993214: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Sep 21 07:16:30.993217: | **parse ISAKMP Message: Sep 21 07:16:30.993220: | initiator cookie: Sep 21 07:16:30.993222: | 27 05 f8 c2 9e 79 31 87 Sep 21 07:16:30.993225: | responder cookie: Sep 21 07:16:30.993227: | 00 00 00 00 00 00 00 00 Sep 21 07:16:30.993229: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:30.993232: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:30.993235: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:16:30.993237: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:30.993239: | Message ID: 0 (0x0) Sep 21 07:16:30.993242: | length: 828 (0x33c) Sep 21 07:16:30.993245: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Sep 21 07:16:30.993248: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Sep 21 07:16:30.993251: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Sep 21 07:16:30.993254: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:16:30.993257: | ***parse IKEv2 Security Association Payload: Sep 21 07:16:30.993260: | next payload type: ISAKMP_NEXT_v2KE (0x22) Sep 21 07:16:30.993262: | flags: none (0x0) Sep 21 07:16:30.993264: |
length: 436 (0x1b4) Sep 21 07:16:30.993267: | processing payload: ISAKMP_NEXT_v2SA (len=432) Sep 21 07:16:30.993269: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:16:30.993271: | ***parse IKEv2 Key Exchange Payload: Sep 21 07:16:30.993274: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:16:30.993276: | flags: none (0x0) Sep 21 07:16:30.993279: | length: 264 (0x108) Sep 21 07:16:30.993281: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:30.993284: | processing payload: ISAKMP_NEXT_v2KE (len=256) Sep 21 07:16:30.993286: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 21 07:16:30.993288: | ***parse IKEv2 Nonce Payload: Sep 21 07:16:30.993291: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:30.993293: | flags: none (0x0) Sep 21 07:16:30.993295: | length: 36 (0x24) Sep 21 07:16:30.993300: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:16:30.993303: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:16:30.993306: | ***parse IKEv2 Notify Payload: Sep 21 07:16:30.993308: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:30.993310: | flags: none (0x0) Sep 21 07:16:30.993312: | length: 8 (0x8) Sep 21 07:16:30.993314: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:30.993316: | SPI size: 0 (0x0) Sep 21 07:16:30.993318: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:16:30.993319: | processing payload: ISAKMP_NEXT_v2N (len=0) Sep 21 07:16:30.993321: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:16:30.993322: | ***parse IKEv2 Notify Payload: Sep 21 07:16:30.993324: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:30.993325: | flags: none (0x0) Sep 21 07:16:30.993327: | length: 28 (0x1c) Sep 21 07:16:30.993328: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:30.993330: | SPI size: 0 (0x0) Sep 21 07:16:30.993331: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:16:30.993333: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 
07:16:30.993334: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:16:30.993335: | ***parse IKEv2 Notify Payload: Sep 21 07:16:30.993337: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:30.993338: | flags: none (0x0) Sep 21 07:16:30.993340: | length: 28 (0x1c) Sep 21 07:16:30.993341: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:30.993343: | SPI size: 0 (0x0) Sep 21 07:16:30.993344: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:16:30.993346: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:16:30.993347: | DDOS disabled and no cookie sent, continuing Sep 21 07:16:30.993351: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:16:30.993353: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:16:30.993355: | find_next_host_connection returns empty Sep 21 07:16:30.993357: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:16:30.993361: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:16:30.993363: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:16:30.993365: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (eastnet-any) Sep 21 07:16:30.993367: | find_next_host_connection returns empty Sep 21 07:16:30.993369: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Sep 21 07:16:30.993372: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:16:30.993374: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:16:30.993375: | find_next_host_connection returns empty Sep 21 07:16:30.993377: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:16:30.993380: | find_host_pair: comparing 192.1.2.23:500 
to 0.0.0.0:500 but ignoring ports Sep 21 07:16:30.993381: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:16:30.993383: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (eastnet-any) Sep 21 07:16:30.993385: | find_next_host_connection returns empty Sep 21 07:16:30.993387: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Sep 21 07:16:30.993390: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=PSK+IKEV2_ALLOW but ignoring ports Sep 21 07:16:30.993391: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:16:30.993393: | find_next_host_connection returns empty Sep 21 07:16:30.993395: | find_host_connection local=192.1.2.23:500 remote= policy=PSK+IKEV2_ALLOW but ignoring ports Sep 21 07:16:30.993399: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:16:30.993401: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:16:30.993403: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (eastnet-any) Sep 21 07:16:30.993404: | find_next_host_connection returns eastnet-any Sep 21 07:16:30.993406: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:16:30.993407: | find_next_host_connection returns empty Sep 21 07:16:30.993408: | rw_instantiate Sep 21 07:16:30.993413: | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none Sep 21 07:16:30.993417: | new hp@0x5633dba2fe20 Sep 21 07:16:30.993420: | rw_instantiate() instantiated "eastnet-any"[1] 192.1.2.45 for 192.1.2.45 Sep 21 07:16:30.993423: | found connection: eastnet-any[1] 192.1.2.45 with policy PSK+IKEV2_ALLOW Sep 21 07:16:30.993425: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:16:30.993446: | creating state object #1 at 0x5633dbaa0d10 Sep 21 07:16:30.993448: | State DB: adding IKEv2 state #1 in UNDEFINED Sep 21 
07:16:30.993454: | pstats #1 ikev2.ike started Sep 21 07:16:30.993456: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Sep 21 07:16:30.993459: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Sep 21 07:16:30.993464: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:30.993473: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:16:30.993476: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:16:30.993482: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:16:30.993485: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Sep 21 07:16:30.993489: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Sep 21 07:16:30.993493: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Sep 21 07:16:30.993496: | #1 in state PARENT_R0: processing SA_INIT request Sep 21 07:16:30.993498: | selected state microcode Respond to IKE_SA_INIT Sep 21 07:16:30.993500: | Now let's proceed with state specific processing Sep 21 07:16:30.993501: | calling processor Respond to IKE_SA_INIT Sep 21 07:16:30.993509: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:16:30.993511: | constructing local IKE proposals for eastnet-any (IKE SA responder matching remote proposals) Sep 21 07:16:30.993516: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:16:30.993521: | ... 
ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:16:30.993524: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:16:30.993527: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:16:30.993530: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:16:30.993533: | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:16:30.993535: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:16:30.993540: | ... 
ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:16:30.993547: "eastnet-any"[1] 192.1.2.45: constructed local IKE proposals for eastnet-any (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:16:30.993550: | Comparing remote proposals against IKE responder 4 local proposals Sep 21 07:16:30.993552: | local proposal 1 type ENCR has 1 transforms Sep 21 07:16:30.993553: | local proposal 1 type PRF has 2 transforms Sep 21 07:16:30.993555: | local proposal 1 type INTEG has 1 transforms Sep 21 07:16:30.993556: | local proposal 1 type DH has 8 transforms Sep 21 07:16:30.993558: | local proposal 1 type ESN has 0 transforms Sep 21 07:16:30.993560: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Sep 21 07:16:30.993562: | local proposal 2 type ENCR has 1 transforms Sep 21 07:16:30.993563: | local proposal 2 type PRF has 2 transforms Sep 21 07:16:30.993565: | local proposal 2 type INTEG has 1 transforms Sep 21 07:16:30.993566: | local proposal 2 type DH has 8 transforms Sep 21 07:16:30.993568: | local proposal 2 type ESN has 0 transforms Sep 21 07:16:30.993569: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Sep 21 07:16:30.993571: | local proposal 3 type ENCR has 1 
transforms Sep 21 07:16:30.993572: | local proposal 3 type PRF has 2 transforms Sep 21 07:16:30.993574: | local proposal 3 type INTEG has 2 transforms Sep 21 07:16:30.993575: | local proposal 3 type DH has 8 transforms Sep 21 07:16:30.993577: | local proposal 3 type ESN has 0 transforms Sep 21 07:16:30.993578: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:16:30.993580: | local proposal 4 type ENCR has 1 transforms Sep 21 07:16:30.993581: | local proposal 4 type PRF has 2 transforms Sep 21 07:16:30.993583: | local proposal 4 type INTEG has 2 transforms Sep 21 07:16:30.993584: | local proposal 4 type DH has 8 transforms Sep 21 07:16:30.993586: | local proposal 4 type ESN has 0 transforms Sep 21 07:16:30.993588: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:16:30.993590: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:30.993591: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:16:30.993593: | length: 100 (0x64) Sep 21 07:16:30.993594: | prop #: 1 (0x1) Sep 21 07:16:30.993596: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:16:30.993597: | spi size: 0 (0x0) Sep 21 07:16:30.993599: | # transforms: 11 (0xb) Sep 21 07:16:30.993601: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Sep 21 07:16:30.993603: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993605: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993606: | length: 12 (0xc) Sep 21 07:16:30.993608: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:30.993609: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:16:30.993611: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:30.993613: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:30.993614: | length/value: 256 (0x100) Sep 21 07:16:30.993617: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 
07:16:30.993620: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993622: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993623: | length: 8 (0x8) Sep 21 07:16:30.993624: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:30.993626: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:16:30.993628: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Sep 21 07:16:30.993630: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Sep 21 07:16:30.993632: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Sep 21 07:16:30.993634: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Sep 21 07:16:30.993635: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993637: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993638: | length: 8 (0x8) Sep 21 07:16:30.993640: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:30.993641: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:16:30.993643: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993644: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993646: | length: 8 (0x8) Sep 21 07:16:30.993647: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993649: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:30.993651: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Sep 21 07:16:30.993653: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Sep 21 07:16:30.993655: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Sep 21 07:16:30.993656: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Sep 21 07:16:30.993658: | *****parse IKEv2 
Transform Substructure Payload: Sep 21 07:16:30.993659: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993661: | length: 8 (0x8) Sep 21 07:16:30.993662: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993664: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:30.993665: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993667: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993668: | length: 8 (0x8) Sep 21 07:16:30.993670: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993671: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:16:30.993673: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993674: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993676: | length: 8 (0x8) Sep 21 07:16:30.993677: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993679: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:16:30.993680: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993682: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993683: | length: 8 (0x8) Sep 21 07:16:30.993685: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993686: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:16:30.993688: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993689: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993691: | length: 8 (0x8) Sep 21 07:16:30.993692: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993694: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:16:30.993695: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993697: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993698: | length: 8 (0x8) Sep 21 07:16:30.993700: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993701: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:16:30.993704: | *****parse IKEv2 Transform Substructure 
Payload: Sep 21 07:16:30.993705: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:30.993707: | length: 8 (0x8) Sep 21 07:16:30.993708: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993710: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:16:30.993712: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Sep 21 07:16:30.993715: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Sep 21 07:16:30.993716: | remote proposal 1 matches local proposal 1 Sep 21 07:16:30.993718: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:30.993720: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:16:30.993721: | length: 100 (0x64) Sep 21 07:16:30.993723: | prop #: 2 (0x2) Sep 21 07:16:30.993724: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:16:30.993725: | spi size: 0 (0x0) Sep 21 07:16:30.993727: | # transforms: 11 (0xb) Sep 21 07:16:30.993729: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:16:30.993731: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993732: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993733: | length: 12 (0xc) Sep 21 07:16:30.993735: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:30.993736: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:16:30.993738: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:30.993740: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:30.993741: | length/value: 128 (0x80) Sep 21 07:16:30.993743: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993744: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993746: | length: 8 (0x8) Sep 21 07:16:30.993747: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:30.993749: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:16:30.993750: | 
*****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993752: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993753: | length: 8 (0x8) Sep 21 07:16:30.993755: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:30.993756: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:16:30.993758: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993759: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993761: | length: 8 (0x8) Sep 21 07:16:30.993762: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993764: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:30.993765: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993767: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993768: | length: 8 (0x8) Sep 21 07:16:30.993769: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993771: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:30.993773: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993774: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993775: | length: 8 (0x8) Sep 21 07:16:30.993777: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993778: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:16:30.993780: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993781: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993803: | length: 8 (0x8) Sep 21 07:16:30.993807: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993808: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:16:30.993810: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993811: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993813: | length: 8 (0x8) Sep 21 07:16:30.993814: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993816: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:16:30.993820: | *****parse IKEv2 Transform 
Substructure Payload: Sep 21 07:16:30.993821: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993823: | length: 8 (0x8) Sep 21 07:16:30.993824: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993826: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:16:30.993827: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993829: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993830: | length: 8 (0x8) Sep 21 07:16:30.993831: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993833: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:16:30.993835: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993836: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:30.993837: | length: 8 (0x8) Sep 21 07:16:30.993839: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993840: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:16:30.993843: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Sep 21 07:16:30.993844: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Sep 21 07:16:30.993846: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:30.993848: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:16:30.993849: | length: 116 (0x74) Sep 21 07:16:30.993850: | prop #: 3 (0x3) Sep 21 07:16:30.993852: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:16:30.993853: | spi size: 0 (0x0) Sep 21 07:16:30.993855: | # transforms: 13 (0xd) Sep 21 07:16:30.993857: | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:16:30.993858: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993860: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993861: | length: 12 (0xc) Sep 21 07:16:30.993863: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:30.993864: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 
07:16:30.993866: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:30.993867: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:30.993869: | length/value: 256 (0x100) Sep 21 07:16:30.993870: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993872: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993873: | length: 8 (0x8) Sep 21 07:16:30.993875: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:30.993876: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:16:30.993878: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993879: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993881: | length: 8 (0x8) Sep 21 07:16:30.993882: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:30.993884: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:16:30.993885: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993887: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993888: | length: 8 (0x8) Sep 21 07:16:30.993890: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:30.993891: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:30.993893: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993894: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993896: | length: 8 (0x8) Sep 21 07:16:30.993897: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:30.993899: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:16:30.993900: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993902: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993903: | length: 8 (0x8) Sep 21 07:16:30.993904: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993906: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:30.993908: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993910: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 
07:16:30.993911: | length: 8 (0x8) Sep 21 07:16:30.993913: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993914: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:30.993916: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993917: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993919: | length: 8 (0x8) Sep 21 07:16:30.993920: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993922: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:16:30.993923: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993925: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993926: | length: 8 (0x8) Sep 21 07:16:30.993927: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993929: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:16:30.993931: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993932: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993933: | length: 8 (0x8) Sep 21 07:16:30.993935: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993936: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:16:30.993938: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993939: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993941: | length: 8 (0x8) Sep 21 07:16:30.993942: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993944: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:16:30.993945: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993947: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993948: | length: 8 (0x8) Sep 21 07:16:30.993950: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993951: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:16:30.993953: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993954: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:30.993956: | length: 
8 (0x8) Sep 21 07:16:30.993957: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.993959: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:16:30.993961: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Sep 21 07:16:30.993963: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Sep 21 07:16:30.993964: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:30.993966: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:30.993967: | length: 116 (0x74) Sep 21 07:16:30.993968: | prop #: 4 (0x4) Sep 21 07:16:30.993970: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:16:30.993971: | spi size: 0 (0x0) Sep 21 07:16:30.993973: | # transforms: 13 (0xd) Sep 21 07:16:30.993975: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:16:30.993976: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993978: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993979: | length: 12 (0xc) Sep 21 07:16:30.993980: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:30.993982: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:30.993983: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:30.993985: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:30.993986: | length/value: 128 (0x80) Sep 21 07:16:30.993988: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993990: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993991: | length: 8 (0x8) Sep 21 07:16:30.993992: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:30.993994: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:16:30.993995: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.993997: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.993999: | length: 8 (0x8) Sep 21 07:16:30.994001: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 
07:16:30.994002: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:16:30.994004: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.994005: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.994007: | length: 8 (0x8) Sep 21 07:16:30.994008: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:30.994010: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:30.994011: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.994013: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.994014: | length: 8 (0x8) Sep 21 07:16:30.994015: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:30.994017: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:16:30.994019: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.994020: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.994021: | length: 8 (0x8) Sep 21 07:16:30.994023: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.994024: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:30.994026: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.994027: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.994029: | length: 8 (0x8) Sep 21 07:16:30.994030: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.994032: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:30.994033: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.994035: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.994036: | length: 8 (0x8) Sep 21 07:16:30.994038: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.994039: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:16:30.994041: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.994042: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.994043: | length: 8 (0x8) Sep 21 07:16:30.994045: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.994046: | 
IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:16:30.994048: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.994049: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.994051: | length: 8 (0x8) Sep 21 07:16:30.994052: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.994054: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:16:30.994055: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.994057: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.994058: | length: 8 (0x8) Sep 21 07:16:30.994060: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.994061: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:16:30.994063: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.994064: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.994066: | length: 8 (0x8) Sep 21 07:16:30.994067: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.994068: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:16:30.994070: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:30.994072: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:30.994073: | length: 8 (0x8) Sep 21 07:16:30.994074: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.994076: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:16:30.994078: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Sep 21 07:16:30.994080: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Sep 21 07:16:30.994083: "eastnet-any"[1] 192.1.2.45 #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Sep 21 07:16:30.994087: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Sep 21 07:16:30.994088: | converting proposal to internal trans attrs Sep 21 07:16:30.994091: | natd_hash: rcookie is zero Sep 21 07:16:30.994107: | natd_hash: hasher=0x5633db5d97a0(20) Sep 21 07:16:30.994112: | natd_hash: icookie= 27 05 f8 c2 9e 79 31 87 Sep 21 07:16:30.994115: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:16:30.994117: | natd_hash: ip= c0 01 02 17 Sep 21 07:16:30.994120: | natd_hash: port= 01 f4 Sep 21 07:16:30.994123: | natd_hash: hash= 90 1b 27 6a 2c d4 dd d2 c3 b2 15 c8 10 cd c7 75 Sep 21 07:16:30.994125: | natd_hash: hash= 4b e6 d1 77 Sep 21 07:16:30.994127: | natd_hash: rcookie is zero Sep 21 07:16:30.994133: | natd_hash: hasher=0x5633db5d97a0(20) Sep 21 07:16:30.994135: | natd_hash: icookie= 27 05 f8 c2 9e 79 31 87 Sep 21 07:16:30.994136: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:16:30.994138: | natd_hash: ip= c0 01 02 2d Sep 21 07:16:30.994139: | natd_hash: port= 01 f4 Sep 21 07:16:30.994140: | natd_hash: hash= 45 16 23 55 a8 b8 79 77 4a 4a 9e 8d 5d 1c b8 a5 Sep 21 07:16:30.994142: | natd_hash: hash= ee 63 e1 8a Sep 21 07:16:30.994143: | NAT_TRAVERSAL encaps using auto-detect Sep 21 07:16:30.994145: | NAT_TRAVERSAL this end is NOT behind NAT Sep 21 07:16:30.994146: | NAT_TRAVERSAL that end is NOT behind NAT Sep 21 07:16:30.994148: | NAT_TRAVERSAL 
nat-keepalive enabled 192.1.2.45 Sep 21 07:16:30.994152: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Sep 21 07:16:30.994154: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5633dbaa2e80 Sep 21 07:16:30.994157: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:16:30.994159: | libevent_malloc: new ptr-libevent@0x5633dbaa2ec0 size 128 Sep 21 07:16:30.994167: | #1 spent 0.644 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Sep 21 07:16:30.994172: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:30.994175: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Sep 21 07:16:30.994177: | suspending state #1 and saving MD Sep 21 07:16:30.994178: | #1 is busy; has a suspended MD Sep 21 07:16:30.994179: | crypto helper 0 resuming Sep 21 07:16:30.994197: | crypto helper 0 starting work-order 1 for state #1 Sep 21 07:16:30.994204: | crypto helper 0 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Sep 21 07:16:30.994181: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:30.994255: | "eastnet-any"[1] 192.1.2.45 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:30.994260: | stop processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:30.994265: | #1 spent 1.13 milliseconds in ikev2_process_packet() Sep 21 07:16:30.994268: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Sep 21 07:16:30.994270: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:30.994271: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:30.994274: | spent 1.14 milliseconds in 
comm_handle_cb() reading and processing packet Sep 21 07:16:30.995592: | crypto helper 0 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.001387 seconds Sep 21 07:16:30.995608: | (#1) spent 1.4 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Sep 21 07:16:30.995613: | crypto helper 0 sending results from work-order 1 for state #1 to event queue Sep 21 07:16:30.995617: | scheduling resume sending helper answer for #1 Sep 21 07:16:30.995622: | libevent_malloc: new ptr-libevent@0x7fb7cc006900 size 128 Sep 21 07:16:30.995633: | crypto helper 0 waiting (nothing to do) Sep 21 07:16:30.995644: | processing resume sending helper answer for #1 Sep 21 07:16:30.995657: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:797) Sep 21 07:16:30.995663: | crypto helper 0 replies to request ID 1 Sep 21 07:16:30.995666: | calling continuation function 0x5633db503630 Sep 21 07:16:30.995669: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Sep 21 07:16:30.995700: | **emit ISAKMP Message: Sep 21 07:16:30.995704: | initiator cookie: Sep 21 07:16:30.995706: | 27 05 f8 c2 9e 79 31 87 Sep 21 07:16:30.995709: | responder cookie: Sep 21 07:16:30.995711: | 05 73 37 e3 bb e0 55 cf Sep 21 07:16:30.995714: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:30.995717: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:30.995719: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:16:30.995722: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:16:30.995725: | Message ID: 0 (0x0) Sep 21 07:16:30.995727: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:30.995730: | Emitting ikev2_proposal ... 
Sep 21 07:16:30.995733: | ***emit IKEv2 Security Association Payload: Sep 21 07:16:30.995736: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:30.995738: | flags: none (0x0) Sep 21 07:16:30.995742: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:30.995745: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:30.995748: | ****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:30.995750: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:30.995753: | prop #: 1 (0x1) Sep 21 07:16:30.995755: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:16:30.995758: | spi size: 0 (0x0) Sep 21 07:16:30.995760: | # transforms: 3 (0x3) Sep 21 07:16:30.995763: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:30.995766: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:30.995769: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.995771: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:30.995774: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:16:30.995777: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:30.995780: | ******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:30.995790: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:30.995793: | length/value: 256 (0x100) Sep 21 07:16:30.995796: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:16:30.995799: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:30.995801: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.995804: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:30.995806: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:16:30.995810: | last 
substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.995813: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:30.995818: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:30.995821: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:30.995824: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:30.995826: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.995829: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:30.995831: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.995834: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:30.995836: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:30.995838: | emitting length of IKEv2 Proposal Substructure Payload: 36 Sep 21 07:16:30.995841: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:16:30.995844: | emitting length of IKEv2 Security Association Payload: 40 Sep 21 07:16:30.995847: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:30.995850: | ***emit IKEv2 Key Exchange Payload: Sep 21 07:16:30.995853: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:30.995855: | flags: none (0x0) Sep 21 07:16:30.995857: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:30.995860: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 
07:16:30.995863: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:16:30.995867: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Sep 21 07:16:30.995908: | emitting length of IKEv2 Key Exchange Payload: 264 Sep 21 07:16:30.995910: | ***emit IKEv2 Nonce Payload: Sep 21 07:16:30.995913: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:30.995916: | flags: none (0x0) Sep 21 07:16:30.995919: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Sep 21 07:16:30.995922: | next payload chain: setting previous
'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:16:30.995924: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:16:30.995929: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:16:30.995932: | IKEv2 nonce ff d7 80 c2 a1 16 f8 61 91 9b f3 96 02 cd e2 a0 Sep 21 07:16:30.995934: | IKEv2 nonce 50 ea 83 f6 83 9f cb 97 42 63 ba 64 c4 94 72 24 Sep 21 07:16:30.995937: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:16:30.995939: | Adding a v2N Payload Sep 21 07:16:30.995941: | ***emit IKEv2 Notify Payload: Sep 21 07:16:30.995944: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:30.995946: | flags: none (0x0) Sep 21 07:16:30.995948: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:30.995950: | SPI size: 0 (0x0) Sep 21 07:16:30.995953: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:16:30.995956: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:30.995958: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:30.995961: | emitting length of IKEv2 Notify Payload: 8 Sep 21 07:16:30.995964: | NAT-Traversal support [enabled] add v2N payloads. 
Sep 21 07:16:30.995977: | natd_hash: hasher=0x5633db5d97a0(20) Sep 21 07:16:30.995980: | natd_hash: icookie= 27 05 f8 c2 9e 79 31 87 Sep 21 07:16:30.995982: | natd_hash: rcookie= 05 73 37 e3 bb e0 55 cf Sep 21 07:16:30.995985: | natd_hash: ip= c0 01 02 17 Sep 21 07:16:30.995987: | natd_hash: port= 01 f4 Sep 21 07:16:30.995989: | natd_hash: hash= 76 56 72 f0 f0 d6 27 85 5e 56 d2 76 6c 74 7c 52 Sep 21 07:16:30.995991: | natd_hash: hash= 70 63 cf f3 Sep 21 07:16:30.995993: | Adding a v2N Payload Sep 21 07:16:30.995996: | ***emit IKEv2 Notify Payload: Sep 21 07:16:30.995998: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:30.996000: | flags: none (0x0) Sep 21 07:16:30.996003: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:30.996005: | SPI size: 0 (0x0) Sep 21 07:16:30.996008: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:16:30.996010: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:30.996013: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:30.996016: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:16:30.996018: | Notify data 76 56 72 f0 f0 d6 27 85 5e 56 d2 76 6c 74 7c 52 Sep 21 07:16:30.996021: | Notify data 70 63 cf f3 Sep 21 07:16:30.996023: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:16:30.996030: | natd_hash: hasher=0x5633db5d97a0(20) Sep 21 07:16:30.996033: | natd_hash: icookie= 27 05 f8 c2 9e 79 31 87 Sep 21 07:16:30.996035: | natd_hash: rcookie= 05 73 37 e3 bb e0 55 cf Sep 21 07:16:30.996037: | natd_hash: ip= c0 01 02 2d Sep 21 07:16:30.996039: | natd_hash: port= 01 f4 Sep 21 07:16:30.996042: | natd_hash: hash= 1b 18 b8 00 81 fc ef 08 ab 5b 73 5f 03 59 79 6d Sep 21 07:16:30.996044: | natd_hash: hash= 30 5f f5 09 Sep 21 07:16:30.996046: | Adding a v2N Payload Sep 21 07:16:30.996049: | ***emit IKEv2 Notify Payload: Sep 21 
07:16:30.996051: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:30.996053: | flags: none (0x0) Sep 21 07:16:30.996056: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:30.996058: | SPI size: 0 (0x0) Sep 21 07:16:30.996061: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:16:30.996064: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:30.996066: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:30.996069: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:16:30.996072: | Notify data 1b 18 b8 00 81 fc ef 08 ab 5b 73 5f 03 59 79 6d Sep 21 07:16:30.996074: | Notify data 30 5f f5 09 Sep 21 07:16:30.996077: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:16:30.996081: | emitting length of ISAKMP Message: 432 Sep 21 07:16:30.996090: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:30.996094: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Sep 21 07:16:30.996097: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Sep 21 07:16:30.996101: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Sep 21 07:16:30.996104: | Message ID: updating counters for #1 to 0 after switching state Sep 21 07:16:30.996109: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Sep 21 07:16:30.996114: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Sep 21 07:16:30.996120: "eastnet-any"[1] 192.1.2.45 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a 
prf=HMAC_SHA2_512 group=MODP2048} Sep 21 07:16:30.996125: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Sep 21 07:16:30.996134: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Sep 21 07:16:30.996232: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:30.996237: | libevent_free: release ptr-libevent@0x5633dbaa2ec0 Sep 21 07:16:30.996240: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5633dbaa2e80 Sep 21 07:16:30.996243: | event_schedule: new EVENT_SO_DISCARD-pe@0x5633dbaa2e80 Sep 21 07:16:30.996247: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Sep 21 07:16:30.996250: | libevent_malloc: new ptr-libevent@0x5633dbaa2ec0 size 128 Sep 21 07:16:30.996254: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Sep 21 07:16:30.996262: | #1 spent 0.576 milliseconds in resume sending helper answer Sep 21 07:16:30.996268: | stop processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:833) Sep 21 07:16:30.996272: | libevent_free: release ptr-libevent@0x7fb7cc006900 Sep 21 07:16:30.999365: | spent 0.00269 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:30.999382: | *received 365 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) Sep 21 07:16:30.999441: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Sep 21 07:16:30.999444: | **parse ISAKMP Message: Sep 21 07:16:30.999447: | initiator cookie: Sep 21 07:16:30.999449: | 27 05 f8 c2 9e 79 31 87 Sep 21 07:16:30.999451: | responder cookie: Sep 21 07:16:30.999454: | 05 73 37 e3 bb e0 55 cf Sep 21 07:16:30.999456: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:16:30.999460: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:30.999462: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:16:30.999465: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:30.999468: | Message ID: 1 (0x1) Sep 21 07:16:30.999470: | length: 365 (0x16d) Sep 21 07:16:30.999473: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Sep 21 07:16:30.999476: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Sep 21 07:16:30.999480:
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Sep 21 07:16:30.999487: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:16:30.999491: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:16:30.999496: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:16:30.999499: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Sep 21 07:16:30.999504: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Sep 21 07:16:30.999506: | unpacking clear payload Sep 21 07:16:30.999509: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:16:30.999515: | ***parse IKEv2 Encryption Payload: Sep 21 07:16:30.999518: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Sep 21 07:16:30.999520: | flags: none (0x0) Sep 21 07:16:30.999523: | length: 337 (0x151) Sep 21 07:16:30.999525: | processing payload: ISAKMP_NEXT_v2SK (len=333) Sep 21 07:16:30.999530: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Sep 21 07:16:30.999533: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:16:30.999536: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:16:30.999538: | Now let's proceed with state specific processing Sep 21 07:16:30.999541: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:16:30.999544: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Sep 21 07:16:30.999547: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Sep 21 07:16:30.999551: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Sep 21 07:16:30.999554: | state #1 requesting EVENT_SO_DISCARD to be deleted Sep 21 
07:16:30.999557: | libevent_free: release ptr-libevent@0x5633dbaa2ec0 Sep 21 07:16:30.999560: | free_event_entry: release EVENT_SO_DISCARD-pe@0x5633dbaa2e80 Sep 21 07:16:30.999563: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5633dbaa2e80 Sep 21 07:16:30.999567: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:16:30.999570: | libevent_malloc: new ptr-libevent@0x5633dbaa2ec0 size 128 Sep 21 07:16:30.999580: | #1 spent 0.0339 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Sep 21 07:16:30.999584: | crypto helper 5 resuming Sep 21 07:16:30.999586: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:30.999594: | crypto helper 5 starting work-order 2 for state #1 Sep 21 07:16:30.999601: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Sep 21 07:16:30.999606: | crypto helper 5 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Sep 21 07:16:30.999611: | suspending state #1 and saving MD Sep 21 07:16:30.999620: | #1 is busy; has a suspended MD Sep 21 07:16:30.999626: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:30.999631: | "eastnet-any"[1] 192.1.2.45 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:30.999636: | stop processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:30.999641: | #1 spent 0.258 milliseconds in ikev2_process_packet() Sep 21 07:16:30.999645: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Sep 21 07:16:30.999648: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:30.999651: | processing: STOP connection NULL (in 
process_md() at demux.c:383) Sep 21 07:16:30.999655: | spent 0.273 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:31.000555: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Sep 21 07:16:31.000989: | crypto helper 5 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001383 seconds Sep 21 07:16:31.000999: | (#1) spent 1.38 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Sep 21 07:16:31.001002: | crypto helper 5 sending results from work-order 2 for state #1 to event queue Sep 21 07:16:31.001005: | scheduling resume sending helper answer for #1 Sep 21 07:16:31.001008: | libevent_malloc: new ptr-libevent@0x7fb7c4006b90 size 128 Sep 21 07:16:31.001016: | crypto helper 5 waiting (nothing to do) Sep 21 07:16:31.001028: | processing resume sending helper answer for #1 Sep 21 07:16:31.001042: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:797) Sep 21 07:16:31.001047: | crypto helper 5 replies to request ID 2 Sep 21 07:16:31.001050: | calling continuation function 0x5633db503630 Sep 21 07:16:31.001053: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Sep 21 07:16:31.001056: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:16:31.001071: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Sep 21 07:16:31.001075: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Sep 21 07:16:31.001078: | **parse IKEv2 Identification - Initiator - Payload: Sep 21 07:16:31.001081: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Sep 21 07:16:31.001084: | flags: none (0x0) Sep 21 07:16:31.001087: | length: 12 (0xc) Sep 21 07:16:31.001089: | ID type: ID_IPV4_ADDR (0x1) Sep 21 07:16:31.001092: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Sep 21 07:16:31.001095: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Sep 21 07:16:31.001097: | **parse IKEv2 Identification - Responder 
- Payload: Sep 21 07:16:31.001100: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Sep 21 07:16:31.001102: | flags: none (0x0) Sep 21 07:16:31.001105: | length: 12 (0xc) Sep 21 07:16:31.001107: | ID type: ID_FQDN (0x2) Sep 21 07:16:31.001110: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Sep 21 07:16:31.001112: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Sep 21 07:16:31.001115: | **parse IKEv2 Authentication Payload: Sep 21 07:16:31.001117: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:31.001120: | flags: none (0x0) Sep 21 07:16:31.001122: | length: 72 (0x48) Sep 21 07:16:31.001125: | auth method: IKEv2_AUTH_SHARED (0x2) Sep 21 07:16:31.001127: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Sep 21 07:16:31.001129: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:16:31.001132: | **parse IKEv2 Security Association Payload: Sep 21 07:16:31.001135: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Sep 21 07:16:31.001137: | flags: none (0x0) Sep 21 07:16:31.001140: | length: 164 (0xa4) Sep 21 07:16:31.001142: | processing payload: ISAKMP_NEXT_v2SA (len=160) Sep 21 07:16:31.001144: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:16:31.001147: | **parse IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:16:31.001149: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:16:31.001152: | flags: none (0x0) Sep 21 07:16:31.001154: | length: 24 (0x18) Sep 21 07:16:31.001157: | number of TS: 1 (0x1) Sep 21 07:16:31.001159: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:16:31.001162: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:16:31.001164: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:31.001167: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.001169: | flags: none (0x0) Sep 21 07:16:31.001171: | length: 24 (0x18) Sep 21 07:16:31.001174: | number of TS: 1 (0x1) Sep 21 07:16:31.001176: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Sep 21 07:16:31.001179: 
| selected state microcode Responder: process IKE_AUTH request Sep 21 07:16:31.001181: | Now let's proceed with state specific processing Sep 21 07:16:31.001184: | calling processor Responder: process IKE_AUTH request Sep 21 07:16:31.001191: "eastnet-any"[1] 192.1.2.45 #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Sep 21 07:16:31.001198: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:16:31.001202: | parsing 4 raw bytes of IKEv2 Identification - Initiator - Payload into peer ID Sep 21 07:16:31.001204: | peer ID c0 01 02 2d Sep 21 07:16:31.001207: | received IDr payload - extracting our alleged ID Sep 21 07:16:31.001211: | refine_host_connection for IKEv2: starting with "eastnet-any"[1] 192.1.2.45 Sep 21 07:16:31.001216: | match_id a=192.1.2.45 Sep 21 07:16:31.001219: | b=192.1.2.45 Sep 21 07:16:31.001223: | results matched Sep 21 07:16:31.001229: | refine_host_connection: checking "eastnet-any"[1] 192.1.2.45 against "eastnet-any"[1] 192.1.2.45, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Sep 21 07:16:31.001232: | Warning: not switching back to template of current instance Sep 21 07:16:31.001235: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Sep 21 07:16:31.001238: | This connection's local id is @east (ID_FQDN) Sep 21 07:16:31.001244: | refine_host_connection: checked eastnet-any[1] 192.1.2.45 against eastnet-any[1] 192.1.2.45, now for see if best Sep 21 07:16:31.001249: | started looking for secret for @east->192.1.2.45 of kind PKK_PSK Sep 21 07:16:31.001253: | actually looking for secret for @east->192.1.2.45 of kind PKK_PSK Sep 21 07:16:31.001257: | line 1: key type PKK_PSK(@east) to type PKK_PSK Sep 21 07:16:31.001261: | 1: compared key (none) to @east / 192.1.2.45 -> 002 Sep 21 07:16:31.001265: | 2: compared key (none) to @east / 192.1.2.45 -> 002 Sep 21 07:16:31.001268: | line 1: match=002 Sep 21 07:16:31.001271: | 
match 002 beats previous best_match 000 match=0x5633dba925e0 (line=1) Sep 21 07:16:31.001274: | concluding with best_match=002 best=0x5633dba925e0 (lineno=1) Sep 21 07:16:31.001276: | returning because exact peer id match Sep 21 07:16:31.001279: | offered CA: '%none' Sep 21 07:16:31.001284: "eastnet-any"[1] 192.1.2.45 #1: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.1.2.45' Sep 21 07:16:31.001306: | verifying AUTH payload Sep 21 07:16:31.001311: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret Sep 21 07:16:31.001315: | started looking for secret for @east->192.1.2.45 of kind PKK_PSK Sep 21 07:16:31.001319: | actually looking for secret for @east->192.1.2.45 of kind PKK_PSK Sep 21 07:16:31.001322: | line 1: key type PKK_PSK(@east) to type PKK_PSK Sep 21 07:16:31.001327: | 1: compared key (none) to @east / 192.1.2.45 -> 002 Sep 21 07:16:31.001331: | 2: compared key (none) to @east / 192.1.2.45 -> 002 Sep 21 07:16:31.001333: | line 1: match=002 Sep 21 07:16:31.001336: | match 002 beats previous best_match 000 match=0x5633dba925e0 (line=1) Sep 21 07:16:31.001339: | concluding with best_match=002 best=0x5633dba925e0 (lineno=1) Sep 21 07:16:31.001407: "eastnet-any"[1] 192.1.2.45 #1: Authenticated using authby=secret Sep 21 07:16:31.001413: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Sep 21 07:16:31.001418: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:16:31.001421: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:31.001425: | libevent_free: release ptr-libevent@0x5633dbaa2ec0 Sep 21 07:16:31.001428: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5633dbaa2e80 Sep 21 07:16:31.001431: | event_schedule: new EVENT_SA_REKEY-pe@0x5633dbaa2e80 Sep 21 07:16:31.001435: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Sep 21 07:16:31.001438: | libevent_malloc: new ptr-libevent@0x5633dbaa2ec0 size 128 Sep 21 
07:16:31.001546: | pstats #1 ikev2.ike established Sep 21 07:16:31.001556: | **emit ISAKMP Message: Sep 21 07:16:31.001559: | initiator cookie: Sep 21 07:16:31.001561: | 27 05 f8 c2 9e 79 31 87 Sep 21 07:16:31.001564: | responder cookie: Sep 21 07:16:31.001566: | 05 73 37 e3 bb e0 55 cf Sep 21 07:16:31.001569: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:31.001571: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.001574: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:16:31.001576: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:16:31.001579: | Message ID: 1 (0x1) Sep 21 07:16:31.001582: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:31.001584: | IKEv2 CERT: send a certificate? Sep 21 07:16:31.001588: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Sep 21 07:16:31.001590: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:31.001593: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.001598: | flags: none (0x0) Sep 21 07:16:31.001601: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:31.001604: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.001607: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:31.001615: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:16:31.001630: | ****emit IKEv2 Identification - Responder - Payload: Sep 21 07:16:31.001633: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.001636: | flags: none (0x0) Sep 21 07:16:31.001638: | ID type: ID_FQDN (0x2) Sep 21 07:16:31.001641: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Sep 21 07:16:31.001644: | next payload chain: saving location 
'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.001648: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Sep 21 07:16:31.001650: | my identity 65 61 73 74 Sep 21 07:16:31.001653: | emitting length of IKEv2 Identification - Responder - Payload: 12 Sep 21 07:16:31.001661: | assembled IDr payload Sep 21 07:16:31.001664: | CHILD SA proposals received Sep 21 07:16:31.001666: | going to assemble AUTH payload Sep 21 07:16:31.001669: | ****emit IKEv2 Authentication Payload: Sep 21 07:16:31.001672: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:31.001674: | flags: none (0x0) Sep 21 07:16:31.001677: | auth method: IKEv2_AUTH_SHARED (0x2) Sep 21 07:16:31.001680: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Sep 21 07:16:31.001683: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Sep 21 07:16:31.001686: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.001689: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Sep 21 07:16:31.001693: | started looking for secret for @east->192.1.2.45 of kind PKK_PSK Sep 21 07:16:31.001697: | actually looking for secret for @east->192.1.2.45 of kind PKK_PSK Sep 21 07:16:31.001700: | line 1: key type PKK_PSK(@east) to type PKK_PSK Sep 21 07:16:31.001705: | 1: compared key (none) to @east / 192.1.2.45 -> 002 Sep 21 07:16:31.001709: | 2: compared key (none) to @east / 192.1.2.45 -> 002 Sep 21 07:16:31.001711: | line 1: match=002 Sep 21 07:16:31.001714: | match 002 beats previous best_match 000 match=0x5633dba925e0 (line=1) Sep 21 07:16:31.001717: | concluding with best_match=002 best=0x5633dba925e0 (lineno=1) Sep 21 07:16:31.001775: | emitting 64 raw 
bytes of PSK auth into IKEv2 Authentication Payload Sep 21 07:16:31.001779: | PSK auth 1d aa f9 7e 2a 62 31 e1 28 dc a8 a1 5c 2f a3 b4 Sep 21 07:16:31.001782: | PSK auth dc 11 cd 4f 74 87 f3 05 c0 1b f3 be 0e 4e d9 e2 Sep 21 07:16:31.001791: | PSK auth 0f 24 db f3 af 6d 52 45 1e 0a f7 4d 45 e9 2b 75 Sep 21 07:16:31.001793: | PSK auth a9 2a 10 a3 1b b7 45 de 30 67 87 c0 01 dc 97 d0 Sep 21 07:16:31.001796: | emitting length of IKEv2 Authentication Payload: 72 Sep 21 07:16:31.001801: | creating state object #2 at 0x5633dbaa4390 Sep 21 07:16:31.001804: | State DB: adding IKEv2 state #2 in UNDEFINED Sep 21 07:16:31.001809: | pstats #2 ikev2.child started Sep 21 07:16:31.001813: | duplicating state object #1 "eastnet-any"[1] 192.1.2.45 as #2 for IPSEC SA Sep 21 07:16:31.001818: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:16:31.001825: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:31.001831: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Sep 21 07:16:31.001836: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Sep 21 07:16:31.001840: | Child SA TS Request has ike->sa == md->st; so using parent connection Sep 21 07:16:31.001843: | TSi: parsing 1 traffic selectors Sep 21 07:16:31.001846: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:31.001848: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.001851: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.001854: | length: 16 (0x10) Sep 21 07:16:31.001856: | start port: 0 (0x0) Sep 21 07:16:31.001859: | end port: 65535 (0xffff) Sep 21 07:16:31.001862: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 
07:16:31.001864: | TS low c0 00 01 00 Sep 21 07:16:31.001867: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:31.001869: | TS high c0 00 01 ff Sep 21 07:16:31.001872: | TSi: parsed 1 traffic selectors Sep 21 07:16:31.001875: | TSr: parsing 1 traffic selectors Sep 21 07:16:31.001877: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:31.001880: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.001882: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.001885: | length: 16 (0x10) Sep 21 07:16:31.001887: | start port: 0 (0x0) Sep 21 07:16:31.001890: | end port: 65535 (0xffff) Sep 21 07:16:31.001893: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:31.001895: | TS low c0 00 02 00 Sep 21 07:16:31.001897: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:31.001900: | TS high c0 00 02 ff Sep 21 07:16:31.001902: | TSr: parsed 1 traffic selectors Sep 21 07:16:31.001905: | looking for best SPD in current connection Sep 21 07:16:31.001912: | evaluating our conn="eastnet-any"[1] 192.1.2.45 I=192.0.1.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:16:31.001917: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.001924: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Sep 21 07:16:31.001927: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:31.001930: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:31.001933: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:16:31.001936: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.001941: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.001947: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:16:31.001950: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:16:31.001952: | TSr[0] port match: YES fitness 65536 Sep 21 07:16:31.001955: | 
narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:16:31.001958: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.001960: | best fit so far: TSi[0] TSr[0] Sep 21 07:16:31.001963: | found better spd route for TSi[0],TSr[0] Sep 21 07:16:31.001965: | looking for better host pair Sep 21 07:16:31.001971: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Sep 21 07:16:31.001976: | checking hostpair 192.0.2.0/24:0 -> 192.0.1.0/24:0 is found Sep 21 07:16:31.001978: | investigating connection "eastnet-any" as a better match Sep 21 07:16:31.001982: | match_id a=192.1.2.45 Sep 21 07:16:31.001985: | b=192.1.2.45 Sep 21 07:16:31.001987: | results matched Sep 21 07:16:31.001993: | evaluating our conn="eastnet-any"[1] 192.1.2.45 I=192.0.1.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:16:31.001998: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.002003: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Sep 21 07:16:31.002009: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:31.002011: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:31.002014: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:16:31.002017: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.002022: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.002027: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:16:31.002030: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:16:31.002032: | TSr[0] port match: YES fitness 65536 Sep 21 07:16:31.002035: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:16:31.002038: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.002041: | best fit so far: TSi[0] TSr[0] Sep 21 07:16:31.002043: | did not find a better connection using host pair Sep 21 
07:16:31.002046: | printing contents struct traffic_selector Sep 21 07:16:31.002049: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:16:31.002051: | ipprotoid: 0 Sep 21 07:16:31.002054: | port range: 0-65535 Sep 21 07:16:31.002058: | ip range: 192.0.2.0-192.0.2.255 Sep 21 07:16:31.002060: | printing contents struct traffic_selector Sep 21 07:16:31.002062: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:16:31.002065: | ipprotoid: 0 Sep 21 07:16:31.002067: | port range: 0-65535 Sep 21 07:16:31.002071: | ip range: 192.0.1.0-192.0.1.255 Sep 21 07:16:31.002075: | constructing ESP/AH proposals with all DH removed for eastnet-any (IKE_AUTH responder matching remote ESP/AH proposals) Sep 21 07:16:31.002082: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Sep 21 07:16:31.002088: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Sep 21 07:16:31.002091: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Sep 21 07:16:31.002095: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED Sep 21 07:16:31.002099: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Sep 21 07:16:31.002103: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:16:31.002107: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Sep 21 07:16:31.002111: | ... 
ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:16:31.002120: "eastnet-any"[1] 192.1.2.45: constructed local ESP/AH proposals for eastnet-any (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:16:31.002124: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals Sep 21 07:16:31.002133: | local proposal 1 type ENCR has 1 transforms Sep 21 07:16:31.002135: | local proposal 1 type PRF has 0 transforms Sep 21 07:16:31.002138: | local proposal 1 type INTEG has 1 transforms Sep 21 07:16:31.002140: | local proposal 1 type DH has 1 transforms Sep 21 07:16:31.002143: | local proposal 1 type ESN has 1 transforms Sep 21 07:16:31.002146: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Sep 21 07:16:31.002148: | local proposal 2 type ENCR has 1 transforms Sep 21 07:16:31.002151: | local proposal 2 type PRF has 0 transforms Sep 21 07:16:31.002153: | local proposal 2 type INTEG has 1 transforms Sep 21 07:16:31.002156: | local proposal 2 type DH has 1 transforms Sep 21 07:16:31.002158: | local proposal 2 type ESN has 1 transforms Sep 21 07:16:31.002161: | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH Sep 21 07:16:31.002165: | local proposal 3 type ENCR has 1 transforms Sep 21 07:16:31.002168: | local proposal 3 type PRF has 0 transforms Sep 21 07:16:31.002170: | local proposal 3 type INTEG has 2 transforms Sep 21 07:16:31.002173: | local proposal 3 type DH has 1 transforms Sep 21 07:16:31.002175: | local proposal 3 type ESN has 1 transforms Sep 21 07:16:31.002178: | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: 
DH Sep 21 07:16:31.002181: | local proposal 4 type ENCR has 1 transforms Sep 21 07:16:31.002183: | local proposal 4 type PRF has 0 transforms Sep 21 07:16:31.002185: | local proposal 4 type INTEG has 2 transforms Sep 21 07:16:31.002187: | local proposal 4 type DH has 1 transforms Sep 21 07:16:31.002190: | local proposal 4 type ESN has 1 transforms Sep 21 07:16:31.002192: | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH Sep 21 07:16:31.002195: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.002198: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:16:31.002200: | length: 32 (0x20) Sep 21 07:16:31.002203: | prop #: 1 (0x1) Sep 21 07:16:31.002205: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:31.002207: | spi size: 4 (0x4) Sep 21 07:16:31.002210: | # transforms: 2 (0x2) Sep 21 07:16:31.002213: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:16:31.002216: | remote SPI 9a 64 22 4d Sep 21 07:16:31.002219: | Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals Sep 21 07:16:31.002222: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.002225: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.002227: | length: 12 (0xc) Sep 21 07:16:31.002230: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.002232: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:16:31.002235: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.002238: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.002240: | length/value: 256 (0x100) Sep 21 07:16:31.002245: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:16:31.002247: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.002250: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.002253: | length: 8 (0x8) Sep 21 07:16:31.002255: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 
07:16:31.002258: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:31.002261: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:16:31.002264: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Sep 21 07:16:31.002268: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Sep 21 07:16:31.002271: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Sep 21 07:16:31.002274: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Sep 21 07:16:31.002278: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Sep 21 07:16:31.002280: | remote proposal 1 matches local proposal 1 Sep 21 07:16:31.002283: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.002285: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:16:31.002288: | length: 32 (0x20) Sep 21 07:16:31.002290: | prop #: 2 (0x2) Sep 21 07:16:31.002292: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:31.002295: | spi size: 4 (0x4) Sep 21 07:16:31.002297: | # transforms: 2 (0x2) Sep 21 07:16:31.002300: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:16:31.002302: | remote SPI 9a 64 22 4d Sep 21 07:16:31.002305: | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:16:31.002308: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.002313: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.002315: | length: 12 (0xc) Sep 21 07:16:31.002318: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.002321: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:16:31.002323: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.002326: | af+type: AF+IKEv2_KEY_LENGTH 
(0x800e) Sep 21 07:16:31.002329: | length/value: 128 (0x80) Sep 21 07:16:31.002332: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.002335: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.002337: | length: 8 (0x8) Sep 21 07:16:31.002340: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:31.002342: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:31.002346: | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN Sep 21 07:16:31.002349: | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN Sep 21 07:16:31.002352: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.002354: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:16:31.002357: | length: 48 (0x30) Sep 21 07:16:31.002359: | prop #: 3 (0x3) Sep 21 07:16:31.002362: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:31.002364: | spi size: 4 (0x4) Sep 21 07:16:31.002367: | # transforms: 4 (0x4) Sep 21 07:16:31.002370: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:16:31.002372: | remote SPI 9a 64 22 4d Sep 21 07:16:31.002375: | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:16:31.002378: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.002381: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.002383: | length: 12 (0xc) Sep 21 07:16:31.002386: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.002388: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.002391: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.002394: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.002396: | length/value: 256 (0x100) Sep 21 07:16:31.002399: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.002402: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.002404: | length: 8 (0x8) Sep 21 07:16:31.002407: | IKEv2 transform type: 
TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.002410: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:31.002413: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.002415: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.002418: | length: 8 (0x8) Sep 21 07:16:31.002420: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.002423: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:16:31.002426: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.002428: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.002431: | length: 8 (0x8) Sep 21 07:16:31.002433: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:31.002436: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:31.002439: | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Sep 21 07:16:31.002442: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN Sep 21 07:16:31.002445: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.002447: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.002450: | length: 48 (0x30) Sep 21 07:16:31.002452: | prop #: 4 (0x4) Sep 21 07:16:31.002454: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:31.002457: | spi size: 4 (0x4) Sep 21 07:16:31.002459: | # transforms: 4 (0x4) Sep 21 07:16:31.002462: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:16:31.002464: | remote SPI 9a 64 22 4d Sep 21 07:16:31.002467: | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:16:31.002472: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.002474: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.002476: | length: 12 (0xc) Sep 21 07:16:31.002479: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.002481: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.002484: | *****parse IKEv2 Attribute 
Substructure Payload: Sep 21 07:16:31.002486: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.002488: | length/value: 128 (0x80) Sep 21 07:16:31.002491: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.002494: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.002496: | length: 8 (0x8) Sep 21 07:16:31.002498: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.002501: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:31.002504: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.002506: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.002508: | length: 8 (0x8) Sep 21 07:16:31.002511: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.002513: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:16:31.002516: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.002518: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.002521: | length: 8 (0x8) Sep 21 07:16:31.002523: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:31.002526: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:31.002530: | remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Sep 21 07:16:31.002532: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN Sep 21 07:16:31.002539: "eastnet-any"[1] 192.1.2.45 #1: proposal 1:ESP:SPI=9a64224d;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Sep 21 07:16:31.002544: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=9a64224d;ENCR=AES_GCM_C_256;ESN=DISABLED Sep 21 07:16:31.002547: | converting proposal to internal trans attrs Sep 21 07:16:31.002566: | 
netlink_get_spi: allocated 0x530ea426 for esp.0@192.1.2.23 Sep 21 07:16:31.002569: | Emitting ikev2_proposal ... Sep 21 07:16:31.002572: | ****emit IKEv2 Security Association Payload: Sep 21 07:16:31.002575: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.002578: | flags: none (0x0) Sep 21 07:16:31.002581: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:31.002584: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.002588: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.002590: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.002593: | prop #: 1 (0x1) Sep 21 07:16:31.002595: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:31.002598: | spi size: 4 (0x4) Sep 21 07:16:31.002600: | # transforms: 2 (0x2) Sep 21 07:16:31.002603: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:31.002607: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:16:31.002609: | our spi 53 0e a4 26 Sep 21 07:16:31.002612: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.002615: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.002617: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.002620: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:16:31.002623: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.002628: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.002631: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.002633: | length/value: 256 (0x100) Sep 21 07:16:31.002636: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:16:31.002639: | ******emit 
IKEv2 Transform Substructure Payload: Sep 21 07:16:31.002642: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.002644: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:31.002647: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:31.002650: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.002653: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.002656: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.002659: | emitting length of IKEv2 Proposal Substructure Payload: 32 Sep 21 07:16:31.002661: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:16:31.002664: | emitting length of IKEv2 Security Association Payload: 36 Sep 21 07:16:31.002667: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:31.002670: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:16:31.002673: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.002675: | flags: none (0x0) Sep 21 07:16:31.002678: | number of TS: 1 (0x1) Sep 21 07:16:31.002681: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:16:31.002684: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.002687: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:31.002690: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.002692: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.002695: | start port: 0 (0x0) Sep 21 07:16:31.002697: | end port: 65535 (0xffff) Sep 21 
07:16:31.002700: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:16:31.002703: | IP start c0 00 01 00 Sep 21 07:16:31.002706: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:31.002708: | IP end c0 00 01 ff Sep 21 07:16:31.002710: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:31.002713: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:16:31.002716: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:31.002718: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.002721: | flags: none (0x0) Sep 21 07:16:31.002723: | number of TS: 1 (0x1) Sep 21 07:16:31.002727: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:16:31.002729: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.002732: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:31.002735: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.002737: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.002740: | start port: 0 (0x0) Sep 21 07:16:31.002742: | end port: 65535 (0xffff) Sep 21 07:16:31.002745: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:16:31.002747: | IP start c0 00 02 00 Sep 21 07:16:31.002750: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:31.002752: | IP end c0 00 02 ff Sep 21 07:16:31.002755: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:31.002759: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:16:31.002762: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:16:31.002766: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Sep 21 07:16:31.002936: | FOR_EACH_CONNECTION_... 
in ISAKMP_SA_established Sep 21 07:16:31.002946: | #1 spent 1.75 milliseconds Sep 21 07:16:31.002950: | install_ipsec_sa() for #2: inbound and outbound Sep 21 07:16:31.002953: | could_route called for eastnet-any (kind=CK_INSTANCE) Sep 21 07:16:31.002955: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:16:31.002958: | conn eastnet-any mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.002961: | conn eastnet-any mark 0/00000000, 0/00000000 Sep 21 07:16:31.002964: | conn eastnet-any mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.002967: | conn eastnet-any mark 0/00000000, 0/00000000 Sep 21 07:16:31.002974: | route owner of "eastnet-any"[1] 192.1.2.45 unrouted: NULL; eroute owner: NULL Sep 21 07:16:31.002978: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Sep 21 07:16:31.002981: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Sep 21 07:16:31.002984: | AES_GCM_16 requires 4 salt bytes Sep 21 07:16:31.002987: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Sep 21 07:16:31.002991: | setting IPsec SA replay-window to 32 Sep 21 07:16:31.002994: | NIC esp-hw-offload not for connection 'eastnet-any' not available on interface eth1 Sep 21 07:16:31.002997: | netlink: enabling tunnel mode Sep 21 07:16:31.003000: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:16:31.003003: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:16:31.003083: | netlink response for Add SA esp.9a64224d@192.1.2.45 included non-error error Sep 21 07:16:31.003088: | set up outgoing SA, ref=0/0 Sep 21 07:16:31.003091: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Sep 21 07:16:31.003094: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Sep 21 07:16:31.003097: | AES_GCM_16 requires 4 salt bytes Sep 21 07:16:31.003100: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Sep 21 07:16:31.003104: | setting IPsec SA replay-window to 32 Sep 21 
07:16:31.003106: | NIC esp-hw-offload not for connection 'eastnet-any' not available on interface eth1 Sep 21 07:16:31.003109: | netlink: enabling tunnel mode Sep 21 07:16:31.003112: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:16:31.003114: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:16:31.003166: | netlink response for Add SA esp.530ea426@192.1.2.23 included non-error error Sep 21 07:16:31.003171: | priority calculation of connection "eastnet-any" is 0xfe7e7 Sep 21 07:16:31.003178: | add inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Sep 21 07:16:31.003182: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:31.003229: | raw_eroute result=success Sep 21 07:16:31.003233: | set up incoming SA, ref=0/0 Sep 21 07:16:31.003235: | sr for #2: unrouted Sep 21 07:16:31.003238: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:16:31.003241: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:16:31.003244: | conn eastnet-any mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.003247: | conn eastnet-any mark 0/00000000, 0/00000000 Sep 21 07:16:31.003250: | conn eastnet-any mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.003252: | conn eastnet-any mark 0/00000000, 0/00000000 Sep 21 07:16:31.003257: | route owner of "eastnet-any"[1] 192.1.2.45 unrouted: NULL; eroute owner: NULL Sep 21 07:16:31.003261: | route_and_eroute with c: eastnet-any (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Sep 21 07:16:31.003265: | priority calculation of connection "eastnet-any" is 0xfe7e7 Sep 21 07:16:31.003272: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45 (raw_eroute) Sep 21 07:16:31.003277: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:31.003303: | raw_eroute result=success Sep 21 07:16:31.003306: | running updown command "ipsec _updown" for verb up Sep 21 07:16:31.003309: | command executing up-client Sep 21 
07:16:31.003336: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x9a64224d SP Sep 21 07:16:31.003341: | popen cmd is 1031 chars long Sep 21 07:16:31.003344: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_: Sep 21 07:16:31.003347: | cmd( 80):INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID=': Sep 21 07:16:31.003350: | cmd( 160):@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_C: Sep 21 07:16:31.003353: | cmd( 240):LIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQI: Sep 21 07:16:31.003355: | cmd( 320):D='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45': Sep 21 07:16:31.003358: | cmd( 400): PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_C: Sep 21 07:16:31.003361: | cmd( 480):LIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEE: Sep 21 07:16:31.003363: | cmd( 560):R_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' 
PLUTO_CONN_POLICY='PSK+ENCRYPT+TU: Sep 21 07:16:31.003366: | cmd( 640):NNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INST: Sep 21 07:16:31.003369: | cmd( 720):ANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_: Sep 21 07:16:31.003371: | cmd( 800):PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER: Sep 21 07:16:31.003374: | cmd( 880):='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' : Sep 21 07:16:31.003376: | cmd( 960):VTI_SHARED='no' SPI_IN=0x9a64224d SPI_OUT=0x530ea426 ipsec _updown 2>&1: Sep 21 07:16:31.014480: | route_and_eroute: firewall_notified: true Sep 21 07:16:31.014494: | running updown command "ipsec _updown" for verb prepare Sep 21 07:16:31.014497: | command executing prepare-client Sep 21 07:16:31.014528: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x9 Sep 21 07:16:31.014535: | popen cmd is 1036 chars long Sep 21 07:16:31.014538: | cmd( 0):PLUTO_VERB='prepare-client' 
PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' P: Sep 21 07:16:31.014541: | cmd( 80):LUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY: Sep 21 07:16:31.014543: | cmd( 160):_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO: Sep 21 07:16:31.014546: | cmd( 240):_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA: Sep 21 07:16:31.014548: | cmd( 320):_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.: Sep 21 07:16:31.014551: | cmd( 400):2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_P: Sep 21 07:16:31.014553: | cmd( 480):EER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUT: Sep 21 07:16:31.014556: | cmd( 560):O_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRY: Sep 21 07:16:31.014558: | cmd( 640):PT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK: Sep 21 07:16:31.014561: | cmd( 720):_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' P: Sep 21 07:16:31.014563: | cmd( 800):LUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_S: Sep 21 07:16:31.014566: | cmd( 880):ERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING=: Sep 21 07:16:31.014568: | cmd( 960):'no' VTI_SHARED='no' SPI_IN=0x9a64224d SPI_OUT=0x530ea426 ipsec _updown 2>&1: Sep 21 07:16:31.025426: | running updown command "ipsec _updown" for verb route Sep 21 07:16:31.025441: | command executing route-client Sep 21 07:16:31.025474: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' 
PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x9a642 Sep 21 07:16:31.025478: | popen cmd is 1034 chars long Sep 21 07:16:31.025481: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLU: Sep 21 07:16:31.025484: | cmd( 80):TO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_I: Sep 21 07:16:31.025487: | cmd( 160):D='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_M: Sep 21 07:16:31.025490: | cmd( 240):Y_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_R: Sep 21 07:16:31.025492: | cmd( 320):EQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.: Sep 21 07:16:31.025495: | cmd( 400):45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEE: Sep 21 07:16:31.025497: | cmd( 480):R_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_: Sep 21 07:16:31.025500: | cmd( 560):PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT: Sep 21 07:16:31.025503: | cmd( 640):+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_I: Sep 21 07:16:31.025505: | cmd( 720):NSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLU: Sep 21 07:16:31.025508: | cmd( 800):TO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' 
PLUTO_CFG_SER: Sep 21 07:16:31.025514: | cmd( 880):VER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='n: Sep 21 07:16:31.025517: | cmd( 960):o' VTI_SHARED='no' SPI_IN=0x9a64224d SPI_OUT=0x530ea426 ipsec _updown 2>&1: Sep 21 07:16:31.036758: | route_and_eroute: instance "eastnet-any"[1] 192.1.2.45, setting eroute_owner {spd=0x5633dbaa05d0,sr=0x5633dbaa05d0} to #2 (was #0) (newest_ipsec_sa=#0) Sep 21 07:16:31.036856: | #1 spent 0.891 milliseconds in install_ipsec_sa() Sep 21 07:16:31.036867: | ISAKMP_v2_IKE_AUTH: instance eastnet-any[1], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Sep 21 07:16:31.036872: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:16:31.036876: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.036880: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:31.036883: | emitting length of IKEv2 Encryption Payload: 197 Sep 21 07:16:31.036886: | emitting length of ISAKMP Message: 225 Sep 21 07:16:31.036908: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Sep 21 07:16:31.036915: | #1 spent 2.7 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Sep 21 07:16:31.036924: | suspend processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.036932: | start processing: state #2 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.036937: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Sep 21 07:16:31.036941: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Sep 21 07:16:31.036945: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Sep 21 
07:16:31.036948: | Message ID: updating counters for #2 to 1 after switching state Sep 21 07:16:31.036954: | Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Sep 21 07:16:31.036960: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Sep 21 07:16:31.036963: | pstats #2 ikev2.child established Sep 21 07:16:31.036972: "eastnet-any"[1] 192.1.2.45 #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Sep 21 07:16:31.036978: | NAT-T: encaps is 'auto' Sep 21 07:16:31.036981: "eastnet-any"[1] 192.1.2.45 #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x9a64224d <0x530ea426 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} Sep 21 07:16:31.036985: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Sep 21 07:16:31.036989: | sending 225 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
Sep 21 07:16:31.037046: | releasing whack for #2 (sock=fd@-1) Sep 21 07:16:31.037051: | releasing whack and unpending for parent #1 Sep 21 07:16:31.037055: | unpending state #1 connection "eastnet-any"[1] 192.1.2.45 Sep 21 07:16:31.037060: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:16:31.037063: | event_schedule: new EVENT_SA_REKEY-pe@0x7fb7cc002b20 Sep 21 07:16:31.037066: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Sep 21 07:16:31.037069: | libevent_malloc: new ptr-libevent@0x5633dbaa7d80 size 128 Sep 21 07:16:31.037075: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Sep 21 07:16:31.037080: | #1 spent 2.99 milliseconds in resume sending helper answer Sep 21 07:16:31.037087: | stop processing: state #2 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:833) Sep 21 07:16:31.037091: | libevent_free: release ptr-libevent@0x7fb7c4006b90 Sep 21 07:16:31.037101: | processing signal PLUTO_SIGCHLD Sep 21 07:16:31.037106: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:31.037111: | spent 0.00518 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:31.037113: | processing signal PLUTO_SIGCHLD Sep 21 07:16:31.037117: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:31.037121: | spent 0.00358 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:31.037123: | processing signal PLUTO_SIGCHLD Sep 21 07:16:31.037127: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:31.037130: | spent 0.00355 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:32.392986: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21
07:16:32.393008: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Sep 21 07:16:32.393011: | FOR_EACH_STATE_... in sort_states Sep 21 07:16:32.393018: | get_sa_info esp.530ea426@192.1.2.23 Sep 21 07:16:32.393030: | get_sa_info esp.9a64224d@192.1.2.45 Sep 21 07:16:32.393044: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:32.393050: | spent 0.0717 milliseconds in whack Sep 21 07:16:32.503492: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:32.503691: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:16:32.503696: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:16:32.503770: | FOR_EACH_STATE_... in show_states_status (sort_states) Sep 21 07:16:32.503773: | FOR_EACH_STATE_... in sort_states Sep 21 07:16:32.503789: | get_sa_info esp.530ea426@192.1.2.23 Sep 21 07:16:32.503808: | get_sa_info esp.9a64224d@192.1.2.45 Sep 21 07:16:32.503828: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:32.503834: | spent 0.357 milliseconds in whack Sep 21 07:16:33.243185: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:33.243204: shutting down Sep 21 07:16:33.243212: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Sep 21 07:16:33.243214: | pluto_sd: executing action action: stopping(6), status 0 Sep 21 07:16:33.243219: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:16:33.243221: forgetting secrets Sep 21 07:16:33.243228: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:16:33.243234: | start processing: connection "eastnet-any"[1] 192.1.2.45 (in delete_connection() at connections.c:189) Sep 21 07:16:33.243240: "eastnet-any"[1] 192.1.2.45: deleting connection "eastnet-any"[1] 192.1.2.45 instance with peer 192.1.2.45 {isakmp=#1/ipsec=#2} Sep 21 07:16:33.243243: | Deleting states for 
connection - including all other IPsec SA's of this IKE SA Sep 21 07:16:33.243246: | pass 0 Sep 21 07:16:33.243248: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:16:33.243254: | state #2 Sep 21 07:16:33.243258: | suspend processing: connection "eastnet-any"[1] 192.1.2.45 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:16:33.243264: | start processing: state #2 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:16:33.243267: | pstats #2 ikev2.child deleted completed Sep 21 07:16:33.243273: | [RE]START processing: state #2 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in delete_state() at state.c:879) Sep 21 07:16:33.243278: "eastnet-any"[1] 192.1.2.45 #2: deleting state (STATE_V2_IPSEC_R) aged 2.241s and sending notification Sep 21 07:16:33.243281: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Sep 21 07:16:33.243285: | get_sa_info esp.9a64224d@192.1.2.45 Sep 21 07:16:33.243297: | get_sa_info esp.530ea426@192.1.2.23 Sep 21 07:16:33.243303: "eastnet-any"[1] 192.1.2.45 #2: ESP traffic information: in=168B out=168B Sep 21 07:16:33.243306: | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R Sep 21 07:16:33.243308: | Opening output PBS informational exchange delete request Sep 21 07:16:33.243310: | **emit ISAKMP Message: Sep 21 07:16:33.243312: | initiator cookie: Sep 21 07:16:33.243313: | 27 05 f8 c2 9e 79 31 87 Sep 21 07:16:33.243315: | responder cookie: Sep 21 07:16:33.243316: | 05 73 37 e3 bb e0 55 cf Sep 21 07:16:33.243318: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:33.243320: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:33.243322: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:16:33.243323: | flags: none (0x0) Sep 21 07:16:33.243325: | Message ID: 0 (0x0) Sep 21 07:16:33.243327: | next payload chain: saving message location 'ISAKMP Message'.'next 
payload type' Sep 21 07:16:33.243329: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:33.243331: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.243332: | flags: none (0x0) Sep 21 07:16:33.243334: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:33.243336: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:16:33.243338: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:33.243346: | ****emit IKEv2 Delete Payload: Sep 21 07:16:33.243348: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.243350: | flags: none (0x0) Sep 21 07:16:33.243351: | protocol ID: PROTO_v2_ESP (0x3) Sep 21 07:16:33.243353: | SPI size: 4 (0x4) Sep 21 07:16:33.243354: | number of SPIs: 1 (0x1) Sep 21 07:16:33.243356: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:16:33.243358: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:16:33.243360: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Sep 21 07:16:33.243361: | local spis 53 0e a4 26 Sep 21 07:16:33.243363: | emitting length of IKEv2 Delete Payload: 12 Sep 21 07:16:33.243365: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:16:33.243367: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.243369: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:33.243370: | emitting length of IKEv2 Encryption Payload: 41 Sep 21 07:16:33.243372: | emitting length of ISAKMP Message: 69 Sep 21 07:16:33.243394: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #2) Sep 
21 07:16:33.243396: | 27 05 f8 c2 9e 79 31 87 05 73 37 e3 bb e0 55 cf Sep 21 07:16:33.243398: | 2e 20 25 00 00 00 00 00 00 00 00 45 2a 00 00 29 Sep 21 07:16:33.243401: | c8 bc d8 60 27 42 75 e9 74 51 92 d0 c8 b0 26 a4 Sep 21 07:16:33.243402: | 44 a6 fc f9 7e 72 e8 98 a6 a3 30 39 81 13 af 37 Sep 21 07:16:33.243404: | fd 30 fd 68 d1 Sep 21 07:16:33.243437: | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Sep 21 07:16:33.243439: | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send Sep 21 07:16:33.243443: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1->0 wip.responder=-1 Sep 21 07:16:33.243445: | state #2 requesting EVENT_SA_REKEY to be deleted Sep 21 07:16:33.243448: | libevent_free: release ptr-libevent@0x5633dbaa7d80 Sep 21 07:16:33.243450: | free_event_entry: release EVENT_SA_REKEY-pe@0x7fb7cc002b20 Sep 21 07:16:33.243633: | running updown command "ipsec _updown" for verb down Sep 21 07:16:33.243639: | command executing down-client Sep 21 07:16:33.243657: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050191' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' 
PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_I Sep 21 07:16:33.243660: | popen cmd is 1044 chars long Sep 21 07:16:33.243662: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUT: Sep 21 07:16:33.243664: | cmd( 80):O_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID: Sep 21 07:16:33.243665: | cmd( 160):='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY: Sep 21 07:16:33.243667: | cmd( 240):_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_RE: Sep 21 07:16:33.243669: | cmd( 320):QID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.4: Sep 21 07:16:33.243670: | cmd( 400):5' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER: Sep 21 07:16:33.243672: | cmd( 480):_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_P: Sep 21 07:16:33.243673: | cmd( 560):EER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050191' PLUTO_CONN_POLICY='PSK: Sep 21 07:16:33.243675: | cmd( 640):+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KI: Sep 21 07:16:33.243677: | cmd( 720):ND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CIS: Sep 21 07:16:33.243678: | cmd( 800):CO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLU: Sep 21 07:16:33.243680: | cmd( 880):TO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_: Sep 21 07:16:33.243682: | cmd( 960):ROUTING='no' VTI_SHARED='no' SPI_IN=0x9a64224d SPI_OUT=0x530ea426 ipsec _updown : Sep 21 07:16:33.243683: | cmd(1040):2>&1: Sep 21 07:16:33.254698: | shunt_eroute() called for connection 'eastnet-any' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 192.0.2.0/24:0 --0->- 
192.0.1.0/24:0 Sep 21 07:16:33.254711: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.1.0/24:0 Sep 21 07:16:33.254715: | priority calculation of connection "eastnet-any" is 0xfe7e7 Sep 21 07:16:33.254719: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:33.254773: | delete esp.9a64224d@192.1.2.45 Sep 21 07:16:33.254811: | netlink response for Del SA esp.9a64224d@192.1.2.45 included non-error error Sep 21 07:16:33.254817: | priority calculation of connection "eastnet-any" is 0xfe7e7 Sep 21 07:16:33.254824: | delete inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Sep 21 07:16:33.254866: | raw_eroute result=success Sep 21 07:16:33.254870: | delete esp.530ea426@192.1.2.23 Sep 21 07:16:33.254895: | netlink response for Del SA esp.530ea426@192.1.2.23 included non-error error Sep 21 07:16:33.254903: | stop processing: connection "eastnet-any"[1] 192.1.2.45 (BACKGROUND) (in update_state_connection() at connections.c:4037) Sep 21 07:16:33.254907: | start processing: connection NULL (in update_state_connection() at connections.c:4038) Sep 21 07:16:33.254910: | in connection_discard for connection eastnet-any Sep 21 07:16:33.254913: | State DB: deleting IKEv2 state #2 in V2_IPSEC_R Sep 21 07:16:33.254917: | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Sep 21 07:16:33.254923: | stop processing: state #2 from 192.1.2.45:500 (in delete_state() at state.c:1143) Sep 21 07:16:33.254929: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:16:33.254931: | state #1 Sep 21 07:16:33.254933: | pass 1 Sep 21 07:16:33.254936: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Sep 21 07:16:33.254938: | state #1 Sep 21 07:16:33.254944: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:16:33.254947: | pstats #1 ikev2.ike deleted completed Sep 21 07:16:33.254952: | #1 spent 7.74 milliseconds in total Sep 21 07:16:33.254958: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in delete_state() at state.c:879) Sep 21 07:16:33.254964: "eastnet-any"[1] 192.1.2.45 #1: deleting state (STATE_PARENT_R2) aged 2.261s and sending notification Sep 21 07:16:33.254967: | parent state #1: PARENT_R2(established IKE SA) => delete Sep 21 07:16:33.255023: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Sep 21 07:16:33.255027: | Opening output PBS informational exchange delete request Sep 21 07:16:33.255030: | **emit ISAKMP Message: Sep 21 07:16:33.255033: | initiator cookie: Sep 21 07:16:33.255035: | 27 05 f8 c2 9e 79 31 87 Sep 21 07:16:33.255038: | responder cookie: Sep 21 07:16:33.255040: | 05 73 37 e3 bb e0 55 cf Sep 21 07:16:33.255043: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:33.255046: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:33.255048: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:16:33.255051: | flags: none (0x0) Sep 21 07:16:33.255053: | Message ID: 1 (0x1) Sep 21 07:16:33.255056: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:33.255059: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:33.255062: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.255064: | flags: none (0x0) Sep 21 07:16:33.255067: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:33.255070: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload 
type' in 'informational exchange delete request' Sep 21 07:16:33.255073: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:33.255083: | ****emit IKEv2 Delete Payload: Sep 21 07:16:33.255086: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.255088: | flags: none (0x0) Sep 21 07:16:33.255091: | protocol ID: PROTO_v2_IKE (0x1) Sep 21 07:16:33.255093: | SPI size: 0 (0x0) Sep 21 07:16:33.255096: | number of SPIs: 0 (0x0) Sep 21 07:16:33.255098: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:16:33.255104: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:16:33.255106: | emitting length of IKEv2 Delete Payload: 8 Sep 21 07:16:33.255109: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:16:33.255112: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.255115: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:33.255118: | emitting length of IKEv2 Encryption Payload: 37 Sep 21 07:16:33.255120: | emitting length of ISAKMP Message: 65 Sep 21 07:16:33.255142: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Sep 21 07:16:33.255145: | 27 05 f8 c2 9e 79 31 87 05 73 37 e3 bb e0 55 cf Sep 21 07:16:33.255147: | 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25 Sep 21 07:16:33.255149: | 8c ac 5d e7 3f 5c 62 f5 b5 1d a3 21 f4 66 dd fc Sep 21 07:16:33.255152: | 79 23 f0 f0 fd 55 e5 2c 3e d5 ed 0f 71 9f a8 89 Sep 21 07:16:33.255154: | f6 Sep 21 07:16:33.255193: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Sep 21 07:16:33.255197: | Message ID: IKE #1 sender #1 in send_delete hacking around record ' send Sep 21 
07:16:33.255202: | Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=1 wip.responder=-1 Sep 21 07:16:33.255207: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=0->1 wip.responder=-1 Sep 21 07:16:33.255209: | state #1 requesting EVENT_SA_REKEY to be deleted Sep 21 07:16:33.255214: | libevent_free: release ptr-libevent@0x5633dbaa2ec0 Sep 21 07:16:33.255217: | free_event_entry: release EVENT_SA_REKEY-pe@0x5633dbaa2e80 Sep 21 07:16:33.255220: | State DB: IKEv2 state not found (flush_incomplete_children) Sep 21 07:16:33.255223: | in connection_discard for connection eastnet-any Sep 21 07:16:33.255226: | State DB: deleting IKEv2 state #1 in PARENT_R2 Sep 21 07:16:33.255229: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Sep 21 07:16:33.255246: | stop processing: state #1 from 192.1.2.45:500 (in delete_state() at state.c:1143) Sep 21 07:16:33.255259: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:16:33.255265: | shunt_eroute() called for connection 'eastnet-any' to 'delete' for rt_kind 'unrouted' using protoports 192.0.2.0/24:0 --0->- 192.0.1.0/24:0 Sep 21 07:16:33.255270: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.1.0/24:0 Sep 21 07:16:33.255273: | priority calculation of connection "eastnet-any" is 0xfe7e7 Sep 21 07:16:33.255300: | priority calculation of connection "eastnet-any" is 0xfe7e7 Sep 21 07:16:33.255309: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:16:33.255312: | conn eastnet-any mark 0/00000000, 0/00000000 vs Sep 21 07:16:33.255315: | conn eastnet-any mark 0/00000000, 0/00000000 Sep 21 07:16:33.255318: | conn eastnet-any mark 0/00000000, 0/00000000 vs Sep 21 07:16:33.255320: | conn eastnet-any mark 0/00000000, 0/00000000 Sep 21 07:16:33.255323: | route owner of "eastnet-any" unrouted: NULL Sep 21 07:16:33.255326: | running updown command "ipsec _updown" for verb unroute Sep 21 07:16:33.255329: | command executing unroute-client Sep 21 07:16:33.255356: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN= Sep 21 07:16:33.255362: | popen cmd is 1025 chars long Sep 21 07:16:33.255365: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' P: Sep 21 07:16:33.255367: | cmd( 80):LUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY: Sep 21 07:16:33.255370: | cmd( 160):_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO: Sep 21 07:16:33.255372: | cmd( 
240):_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA: Sep 21 07:16:33.255375: | cmd( 320):_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1: Sep 21 07:16:33.255377: | cmd( 400):.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_: Sep 21 07:16:33.255380: | cmd( 480):PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLU: Sep 21 07:16:33.255382: | cmd( 560):TO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCR: Sep 21 07:16:33.255385: | cmd( 640):YPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='C: Sep 21 07:16:33.255388: | cmd( 720):K_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0: Sep 21 07:16:33.255390: | cmd( 800):' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CF: Sep 21 07:16:33.255393: | cmd( 880):G_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTI: Sep 21 07:16:33.255395: | cmd( 960):NG='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Sep 21 07:16:33.268214: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.268229: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.268239: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.268253: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.268267: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.268279: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.268294: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.268307: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.268319: unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:16:33.268332: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.268358: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.268409: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.268444: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.268479: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.268493: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.268506: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.268522: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.268535: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.268548: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.268561: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.268940: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.268979: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.269010: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.280662: | free hp@0x5633dba2fe20 Sep 21 07:16:33.280676: | flush revival: connection 'eastnet-any' wasn't on the list Sep 21 07:16:33.280679: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Sep 21 07:16:33.280684: | start processing: connection "eastnet-any" (in delete_connection() at connections.c:189) Sep 21 07:16:33.280686: | Deleting states for connection - including all other IPsec SA's of this IKE SA Sep 21 07:16:33.280688: | pass 0 Sep 21 07:16:33.280689: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:16:33.280691: | pass 1 Sep 21 07:16:33.280692: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Sep 21 07:16:33.280694: | free hp@0x5633dba69a30 Sep 21 07:16:33.280695: | flush revival: connection 'eastnet-any' wasn't on the list Sep 21 07:16:33.280698: | stop processing: connection "eastnet-any" (in discard_connection() at connections.c:249) Sep 21 07:16:33.280702: | crl fetch request list locked by 'free_crl_fetch' Sep 21 07:16:33.280703: | crl fetch request list unlocked by 'free_crl_fetch' Sep 21 07:16:33.280713: shutting down interface lo/lo 127.0.0.1:4500 Sep 21 07:16:33.280715: shutting down interface lo/lo 127.0.0.1:500 Sep 21 07:16:33.280717: shutting down interface eth0/eth0 192.0.2.254:4500 Sep 21 07:16:33.280719: shutting down interface eth0/eth0 192.0.2.254:500 Sep 21 07:16:33.280721: shutting down interface eth1/eth1 192.1.2.23:4500 Sep 21 07:16:33.280722: shutting down interface eth1/eth1 192.1.2.23:500 Sep 21 07:16:33.280725: | FOR_EACH_STATE_... in delete_states_dead_interfaces Sep 21 07:16:33.280732: | libevent_free: release ptr-libevent@0x5633dba9d0a0 Sep 21 07:16:33.280734: | free_event_entry: release EVENT_NULL-pe@0x5633dba862a0 Sep 21 07:16:33.280741: | libevent_free: release ptr-libevent@0x5633dba9d190 Sep 21 07:16:33.280742: | free_event_entry: release EVENT_NULL-pe@0x5633dba9d150 Sep 21 07:16:33.280747: | libevent_free: release ptr-libevent@0x5633dba9d280 Sep 21 07:16:33.280748: | free_event_entry: release EVENT_NULL-pe@0x5633dba9d240 Sep 21 07:16:33.280753: | libevent_free: release ptr-libevent@0x5633dba9d370 Sep 21 07:16:33.280754: | free_event_entry: release EVENT_NULL-pe@0x5633dba9d330 Sep 21 07:16:33.280759: | libevent_free: release ptr-libevent@0x5633dba9d460 Sep 21 07:16:33.280760: | free_event_entry: release EVENT_NULL-pe@0x5633dba9d420 Sep 21 07:16:33.280764: | libevent_free: release ptr-libevent@0x5633dba9d550 Sep 21 07:16:33.280766: | free_event_entry: release EVENT_NULL-pe@0x5633dba9d510 Sep 21 07:16:33.280769: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Sep 21 07:16:33.281358: | libevent_free: release ptr-libevent@0x5633dba9ca00 Sep 21 07:16:33.281366: | free_event_entry: release EVENT_NULL-pe@0x5633dba85520 Sep 21 07:16:33.281370: | libevent_free: release ptr-libevent@0x5633dba92490 Sep 21 07:16:33.281371: | free_event_entry: release EVENT_NULL-pe@0x5633dba857d0 Sep 21 07:16:33.281374: | libevent_free: release ptr-libevent@0x5633dba92400 Sep 21 07:16:33.281375: | free_event_entry: release EVENT_NULL-pe@0x5633dba8af30 Sep 21 07:16:33.281378: | global timer EVENT_REINIT_SECRET uninitialized Sep 21 07:16:33.281379: | global timer EVENT_SHUNT_SCAN uninitialized Sep 21 07:16:33.281381: | global timer EVENT_PENDING_DDNS uninitialized Sep 21 07:16:33.281382: | global timer EVENT_PENDING_PHASE2 uninitialized Sep 21 07:16:33.281384: | global timer EVENT_CHECK_CRLS uninitialized Sep 21 07:16:33.281385: | global timer EVENT_REVIVE_CONNS uninitialized Sep 21 07:16:33.281387: | global timer EVENT_FREE_ROOT_CERTS uninitialized Sep 21 07:16:33.281388: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Sep 21 07:16:33.281390: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Sep 21 07:16:33.281393: | libevent_free: release ptr-libevent@0x5633dba9cad0 Sep 21 07:16:33.281395: | signal event handler PLUTO_SIGCHLD uninstalled Sep 21 07:16:33.281397: | libevent_free: release ptr-libevent@0x5633dba9cbb0 Sep 21 07:16:33.281398: | signal event handler PLUTO_SIGTERM uninstalled Sep 21 07:16:33.281403: | libevent_free: release ptr-libevent@0x5633dba9cc70 Sep 21 07:16:33.281405: | signal event handler PLUTO_SIGHUP uninstalled Sep 21 07:16:33.281407: | libevent_free: release ptr-libevent@0x5633dba91700 Sep 21 07:16:33.281408: | signal event handler PLUTO_SIGSYS uninstalled Sep 21 07:16:33.281409: | releasing event base Sep 21 07:16:33.281420: | libevent_free: release ptr-libevent@0x5633dba9cd30 Sep 21 07:16:33.281422: | libevent_free: release ptr-libevent@0x5633dba72270 Sep 21 07:16:33.281425: | libevent_free: 
release ptr-libevent@0x5633dba80ab0 Sep 21 07:16:33.281458: | releasing global libevent data