Sep 21 07:16:35.531714: FIPS Product: YES Sep 21 07:16:35.531756: FIPS Kernel: NO Sep 21 07:16:35.531759: FIPS Mode: NO Sep 21 07:16:35.531762: NSS DB directory: sql:/etc/ipsec.d Sep 21 07:16:35.531950: Initializing NSS Sep 21 07:16:35.531958: Opening NSS database "sql:/etc/ipsec.d" read-only Sep 21 07:16:35.577930: NSS initialized Sep 21 07:16:35.577942: NSS crypto library initialized Sep 21 07:16:35.577945: FIPS HMAC integrity support [enabled] Sep 21 07:16:35.577947: FIPS mode disabled for pluto daemon Sep 21 07:16:35.642851: FIPS HMAC integrity verification self-test FAILED Sep 21 07:16:35.643000: libcap-ng support [enabled] Sep 21 07:16:35.643013: Linux audit support [enabled] Sep 21 07:16:35.643042: Linux audit activated Sep 21 07:16:35.643051: Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:16168 Sep 21 07:16:35.643055: core dump dir: /tmp Sep 21 07:16:35.643058: secrets file: /etc/ipsec.secrets Sep 21 07:16:35.643061: leak-detective disabled Sep 21 07:16:35.643063: NSS crypto [enabled] Sep 21 07:16:35.643065: XAUTH PAM support [enabled] Sep 21 07:16:35.643152: | libevent is using pluto's memory allocator Sep 21 07:16:35.643162: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Sep 21 07:16:35.643176: | libevent_malloc: new ptr-libevent@0x55bba94424d0 size 40 Sep 21 07:16:35.643180: | libevent_malloc: new ptr-libevent@0x55bba9443780 size 40 Sep 21 07:16:35.643184: | libevent_malloc: new ptr-libevent@0x55bba94437b0 size 40 Sep 21 07:16:35.643186: | creating event base Sep 21 07:16:35.643190: | libevent_malloc: new ptr-libevent@0x55bba9443740 size 56 Sep 21 07:16:35.643193: | libevent_malloc: new ptr-libevent@0x55bba94437e0 size 664 Sep 21 07:16:35.643205: | libevent_malloc: new 
ptr-libevent@0x55bba9443a80 size 24 Sep 21 07:16:35.643210: | libevent_malloc: new ptr-libevent@0x55bba9435250 size 384 Sep 21 07:16:35.643220: | libevent_malloc: new ptr-libevent@0x55bba9443aa0 size 16 Sep 21 07:16:35.643224: | libevent_malloc: new ptr-libevent@0x55bba9443ac0 size 40 Sep 21 07:16:35.643227: | libevent_malloc: new ptr-libevent@0x55bba9443af0 size 48 Sep 21 07:16:35.643234: | libevent_realloc: new ptr-libevent@0x55bba93c7370 size 256 Sep 21 07:16:35.643237: | libevent_malloc: new ptr-libevent@0x55bba9443b30 size 16 Sep 21 07:16:35.643243: | libevent_free: release ptr-libevent@0x55bba9443740 Sep 21 07:16:35.643247: | libevent initialized Sep 21 07:16:35.643252: | libevent_realloc: new ptr-libevent@0x55bba9443b50 size 64 Sep 21 07:16:35.643256: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Sep 21 07:16:35.643277: | init_nat_traversal() initialized with keep_alive=0s Sep 21 07:16:35.643280: NAT-Traversal support [enabled] Sep 21 07:16:35.643283: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Sep 21 07:16:35.643291: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Sep 21 07:16:35.643296: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Sep 21 07:16:35.643341: | global one-shot timer EVENT_REVIVE_CONNS initialized Sep 21 07:16:35.643345: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Sep 21 07:16:35.643349: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Sep 21 07:16:35.643406: Encryption algorithms: Sep 21 07:16:35.643416: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c Sep 21 07:16:35.643420: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b Sep 21 07:16:35.643424: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a Sep 21 07:16:35.643428: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des Sep 21 07:16:35.643431: CAMELLIA_CTR IKEv1: ESP 
IKEv2: ESP {256,192,*128} Sep 21 07:16:35.643441: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia Sep 21 07:16:35.643445: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c Sep 21 07:16:35.643448: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b Sep 21 07:16:35.643452: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a Sep 21 07:16:35.643455: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr Sep 21 07:16:35.643458: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes Sep 21 07:16:35.643462: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent Sep 21 07:16:35.643465: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish Sep 21 07:16:35.643468: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh Sep 21 07:16:35.643472: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Sep 21 07:16:35.643475: NULL IKEv1: ESP IKEv2: ESP [] Sep 21 07:16:35.643478: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Sep 21 07:16:35.643485: Hash algorithms: Sep 21 07:16:35.643488: MD5 IKEv1: IKE IKEv2: Sep 21 07:16:35.643491: SHA1 IKEv1: IKE IKEv2: FIPS sha Sep 21 07:16:35.643494: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 Sep 21 07:16:35.643497: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 Sep 21 07:16:35.643500: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 Sep 21 07:16:35.643514: PRF algorithms: Sep 21 07:16:35.643517: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 Sep 21 07:16:35.643521: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 Sep 21 07:16:35.643524: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 Sep 21 07:16:35.643528: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 Sep 21 07:16:35.643531: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Sep 21 07:16:35.643534: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Sep 21 07:16:35.643550: Integrity algorithms: Sep 21 07:16:35.643552: HMAC_MD5_96 IKEv1: IKE ESP 
AH IKEv2: IKE ESP AH md5, hmac_md5 Sep 21 07:16:35.643555: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 Sep 21 07:16:35.643557: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Sep 21 07:16:35.643560: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Sep 21 07:16:35.643562: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Sep 21 07:16:35.643564: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Sep 21 07:16:35.643566: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 Sep 21 07:16:35.643568: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Sep 21 07:16:35.643570: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Sep 21 07:16:35.643578: DH algorithms: Sep 21 07:16:35.643580: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 Sep 21 07:16:35.643582: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 Sep 21 07:16:35.643583: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 Sep 21 07:16:35.643587: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 Sep 21 07:16:35.643589: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 Sep 21 07:16:35.643591: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 Sep 21 07:16:35.643593: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 Sep 21 07:16:35.643595: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 Sep 21 07:16:35.643597: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 Sep 21 07:16:35.643598: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 Sep 21 07:16:35.643600: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 Sep 21 07:16:35.643602: testing CAMELLIA_CBC: Sep 21 07:16:35.643604: Camellia: 16 bytes with 128-bit key Sep 21 07:16:35.643698: Camellia: 16 bytes with 128-bit key Sep 21 07:16:35.643718: Camellia: 16 bytes with 256-bit key Sep 21 07:16:35.643738: Camellia: 
16 bytes with 256-bit key Sep 21 07:16:35.643755: testing AES_GCM_16: Sep 21 07:16:35.643758: empty string Sep 21 07:16:35.643775: one block Sep 21 07:16:35.643807: two blocks Sep 21 07:16:35.643830: two blocks with associated data Sep 21 07:16:35.643846: testing AES_CTR: Sep 21 07:16:35.643848: Encrypting 16 octets using AES-CTR with 128-bit key Sep 21 07:16:35.643864: Encrypting 32 octets using AES-CTR with 128-bit key Sep 21 07:16:35.643881: Encrypting 36 octets using AES-CTR with 128-bit key Sep 21 07:16:35.643897: Encrypting 16 octets using AES-CTR with 192-bit key Sep 21 07:16:35.643913: Encrypting 32 octets using AES-CTR with 192-bit key Sep 21 07:16:35.643931: Encrypting 36 octets using AES-CTR with 192-bit key Sep 21 07:16:35.643948: Encrypting 16 octets using AES-CTR with 256-bit key Sep 21 07:16:35.643963: Encrypting 32 octets using AES-CTR with 256-bit key Sep 21 07:16:35.643980: Encrypting 36 octets using AES-CTR with 256-bit key Sep 21 07:16:35.643997: testing AES_CBC: Sep 21 07:16:35.643998: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Sep 21 07:16:35.644015: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Sep 21 07:16:35.644032: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Sep 21 07:16:35.644049: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Sep 21 07:16:35.644070: testing AES_XCBC: Sep 21 07:16:35.644071: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Sep 21 07:16:35.644148: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Sep 21 07:16:35.644227: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Sep 21 07:16:35.644301: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Sep 21 07:16:35.644376: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Sep 21 07:16:35.644453: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Sep 21 07:16:35.644532: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Sep 21 07:16:35.644700: RFC 4434 Test Case 
AES-XCBC-PRF-128 with 20-byte input (key length 16) Sep 21 07:16:35.644778: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Sep 21 07:16:35.644891: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Sep 21 07:16:35.645038: testing HMAC_MD5: Sep 21 07:16:35.645040: RFC 2104: MD5_HMAC test 1 Sep 21 07:16:35.645147: RFC 2104: MD5_HMAC test 2 Sep 21 07:16:35.645241: RFC 2104: MD5_HMAC test 3 Sep 21 07:16:35.645354: 8 CPU cores online Sep 21 07:16:35.645356: starting up 7 crypto helpers Sep 21 07:16:35.645386: started thread for crypto helper 0 Sep 21 07:16:35.645403: started thread for crypto helper 1 Sep 21 07:16:35.645418: started thread for crypto helper 2 Sep 21 07:16:35.645432: started thread for crypto helper 3 Sep 21 07:16:35.645447: started thread for crypto helper 4 Sep 21 07:16:35.645454: | starting up helper thread 4 Sep 21 07:16:35.645461: started thread for crypto helper 5 Sep 21 07:16:35.645476: | status value returned by setting the priority of this thread (crypto helper 4) 22 Sep 21 07:16:35.645466: | starting up helper thread 2 Sep 21 07:16:35.645479: | crypto helper 4 waiting (nothing to do) Sep 21 07:16:35.645483: | starting up helper thread 5 Sep 21 07:16:35.645492: | starting up helper thread 3 Sep 21 07:16:35.645496: | starting up helper thread 1 Sep 21 07:16:35.645508: started thread for crypto helper 6 Sep 21 07:16:35.645514: | status value returned by setting the priority of this thread (crypto helper 5) 22 Sep 21 07:16:35.645517: | status value returned by setting the priority of this thread (crypto helper 2) 22 Sep 21 07:16:35.645522: | status value returned by setting the priority of this thread (crypto helper 3) 22 Sep 21 07:16:35.645531: | status value returned by setting the priority of this thread (crypto helper 1) 22 Sep 21 07:16:35.645537: | checking IKEv1 state table Sep 21 07:16:35.645542: | crypto helper 5 waiting (nothing to do) Sep 21 07:16:35.645568: | MAIN_R0: category: half-open IKE SA 
flags: 0: Sep 21 07:16:35.645570: | crypto helper 2 waiting (nothing to do) Sep 21 07:16:35.645573: | -> MAIN_R1 EVENT_SO_DISCARD Sep 21 07:16:35.645582: | MAIN_I1: category: half-open IKE SA flags: 0: Sep 21 07:16:35.645584: | -> MAIN_I2 EVENT_RETRANSMIT Sep 21 07:16:35.645587: | MAIN_R1: category: open IKE SA flags: 200: Sep 21 07:16:35.645589: | -> MAIN_R2 EVENT_RETRANSMIT Sep 21 07:16:35.645592: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:16:35.645594: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:16:35.645597: | MAIN_I2: category: open IKE SA flags: 0: Sep 21 07:16:35.645599: | -> MAIN_I3 EVENT_RETRANSMIT Sep 21 07:16:35.645601: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:16:35.645604: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:16:35.645606: | MAIN_R2: category: open IKE SA flags: 0: Sep 21 07:16:35.645609: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:16:35.645611: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:16:35.645613: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:16:35.645616: | MAIN_I3: category: open IKE SA flags: 0: Sep 21 07:16:35.645618: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:16:35.645620: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:16:35.645623: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:16:35.645625: | MAIN_R3: category: established IKE SA flags: 200: Sep 21 07:16:35.645628: | -> UNDEFINED EVENT_NULL Sep 21 07:16:35.645630: | MAIN_I4: category: established IKE SA flags: 0: Sep 21 07:16:35.645633: | -> UNDEFINED EVENT_NULL Sep 21 07:16:35.645636: | AGGR_R0: category: half-open IKE SA flags: 0: Sep 21 07:16:35.645638: | -> AGGR_R1 EVENT_SO_DISCARD Sep 21 07:16:35.645641: | AGGR_I1: category: half-open IKE SA flags: 0: Sep 21 07:16:35.645644: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:16:35.645647: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:16:35.645650: | AGGR_R1: category: open IKE SA flags: 200: Sep 21 07:16:35.645653: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:16:35.645655: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:16:35.645658: | AGGR_I2: category: established IKE SA flags: 200: Sep 
21 07:16:35.645660: | -> UNDEFINED EVENT_NULL Sep 21 07:16:35.645663: | AGGR_R2: category: established IKE SA flags: 0: Sep 21 07:16:35.645666: | -> UNDEFINED EVENT_NULL Sep 21 07:16:35.645668: | QUICK_R0: category: established CHILD SA flags: 0: Sep 21 07:16:35.645671: | -> QUICK_R1 EVENT_RETRANSMIT Sep 21 07:16:35.645673: | QUICK_I1: category: established CHILD SA flags: 0: Sep 21 07:16:35.645676: | -> QUICK_I2 EVENT_SA_REPLACE Sep 21 07:16:35.645679: | QUICK_R1: category: established CHILD SA flags: 0: Sep 21 07:16:35.645681: | -> QUICK_R2 EVENT_SA_REPLACE Sep 21 07:16:35.645683: | QUICK_I2: category: established CHILD SA flags: 200: Sep 21 07:16:35.645686: | -> UNDEFINED EVENT_NULL Sep 21 07:16:35.645689: | QUICK_R2: category: established CHILD SA flags: 0: Sep 21 07:16:35.645691: | -> UNDEFINED EVENT_NULL Sep 21 07:16:35.645696: | INFO: category: informational flags: 0: Sep 21 07:16:35.645698: | -> UNDEFINED EVENT_NULL Sep 21 07:16:35.645701: | INFO_PROTECTED: category: informational flags: 0: Sep 21 07:16:35.645703: | -> UNDEFINED EVENT_NULL Sep 21 07:16:35.645705: | XAUTH_R0: category: established IKE SA flags: 0: Sep 21 07:16:35.645707: | -> XAUTH_R1 EVENT_NULL Sep 21 07:16:35.645709: | XAUTH_R1: category: established IKE SA flags: 0: Sep 21 07:16:35.645712: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:16:35.645714: | MODE_CFG_R0: category: informational flags: 0: Sep 21 07:16:35.645717: | -> MODE_CFG_R1 EVENT_SA_REPLACE Sep 21 07:16:35.645719: | MODE_CFG_R1: category: established IKE SA flags: 0: Sep 21 07:16:35.645722: | -> MODE_CFG_R2 EVENT_SA_REPLACE Sep 21 07:16:35.645724: | MODE_CFG_R2: category: established IKE SA flags: 0: Sep 21 07:16:35.645727: | -> UNDEFINED EVENT_NULL Sep 21 07:16:35.645730: | MODE_CFG_I1: category: established IKE SA flags: 0: Sep 21 07:16:35.645732: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:16:35.645735: | XAUTH_I0: category: established IKE SA flags: 0: Sep 21 07:16:35.645737: | -> XAUTH_I1 EVENT_RETRANSMIT Sep 21 07:16:35.645740: | 
XAUTH_I1: category: established IKE SA flags: 0: Sep 21 07:16:35.645742: | -> MAIN_I4 EVENT_RETRANSMIT Sep 21 07:16:35.645748: | checking IKEv2 state table Sep 21 07:16:35.645754: | PARENT_I0: category: ignore flags: 0: Sep 21 07:16:35.645757: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Sep 21 07:16:35.645759: | PARENT_I1: category: half-open IKE SA flags: 0: Sep 21 07:16:35.645761: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Sep 21 07:16:35.645764: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Sep 21 07:16:35.645766: | PARENT_I2: category: open IKE SA flags: 0: Sep 21 07:16:35.645768: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Sep 21 07:16:35.645770: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Sep 21 07:16:35.645773: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Sep 21 07:16:35.645775: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Sep 21 07:16:35.645777: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Sep 21 07:16:35.645779: | PARENT_I3: category: established IKE SA flags: 0: Sep 21 07:16:35.645782: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) Sep 21 07:16:35.645792: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) Sep 21 07:16:35.645794: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Sep 21 07:16:35.645796: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) Sep 21 07:16:35.645799: | PARENT_R0: category: half-open IKE SA flags: 0: Sep 21 07:16:35.645801: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) Sep 21 07:16:35.645804: | PARENT_R1: category: half-open IKE SA flags: 0: Sep 21 07:16:35.645807: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no 
SKEYSEED)) Sep 21 07:16:35.645809: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Sep 21 07:16:35.645812: | PARENT_R2: category: established IKE SA flags: 0: Sep 21 07:16:35.645814: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Sep 21 07:16:35.645817: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) Sep 21 07:16:35.645820: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Sep 21 07:16:35.645827: | starting up helper thread 6 Sep 21 07:16:35.645831: | crypto helper 3 waiting (nothing to do) Sep 21 07:16:35.645836: | status value returned by setting the priority of this thread (crypto helper 6) 22 Sep 21 07:16:35.645820: | starting up helper thread 0 Sep 21 07:16:35.645828: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) Sep 21 07:16:35.645840: | crypto helper 1 waiting (nothing to do) Sep 21 07:16:35.645847: | status value returned by setting the priority of this thread (crypto helper 0) 22 Sep 21 07:16:35.645858: | V2_CREATE_I0: category: established IKE SA flags: 0: Sep 21 07:16:35.645871: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Sep 21 07:16:35.645874: | V2_CREATE_I: category: established IKE SA flags: 0: Sep 21 07:16:35.645876: | crypto helper 6 waiting (nothing to do) Sep 21 07:16:35.645877: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Sep 21 07:16:35.645886: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: Sep 21 07:16:35.645889: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Sep 21 07:16:35.645892: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Sep 21 07:16:35.645894: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Sep 21 07:16:35.645896: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Sep 21 07:16:35.645899: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA 
IPsec Rekey SA) Sep 21 07:16:35.645901: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Sep 21 07:16:35.645904: | V2_CREATE_R: category: established IKE SA flags: 0: Sep 21 07:16:35.645906: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Sep 21 07:16:35.645909: | V2_REKEY_IKE_R: category: established IKE SA flags: 0: Sep 21 07:16:35.645911: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Sep 21 07:16:35.645914: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Sep 21 07:16:35.645917: | V2_IPSEC_I: category: established CHILD SA flags: 0: Sep 21 07:16:35.645919: | V2_IPSEC_R: category: established CHILD SA flags: 0: Sep 21 07:16:35.645922: | IKESA_DEL: category: established IKE SA flags: 0: Sep 21 07:16:35.645924: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Sep 21 07:16:35.645927: | CHILDSA_DEL: category: informational flags: 0: Sep 21 07:16:35.645979: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ Sep 21 07:16:35.646044: | Hard-wiring algorithms Sep 21 07:16:35.646048: | adding AES_CCM_16 to kernel algorithm db Sep 21 07:16:35.646052: | adding AES_CCM_12 to kernel algorithm db Sep 21 07:16:35.646055: | adding AES_CCM_8 to kernel algorithm db Sep 21 07:16:35.646058: | adding 3DES_CBC to kernel algorithm db Sep 21 07:16:35.646060: | adding CAMELLIA_CBC to kernel algorithm db Sep 21 07:16:35.646063: | adding AES_GCM_16 to kernel algorithm db Sep 21 07:16:35.646065: | adding AES_GCM_12 to kernel algorithm db Sep 21 07:16:35.646068: | adding AES_GCM_8 to kernel algorithm db Sep 21 07:16:35.646070: | adding AES_CTR to kernel algorithm db Sep 21 07:16:35.646072: | adding AES_CBC to kernel algorithm db Sep 21 07:16:35.646074: | adding SERPENT_CBC to kernel algorithm db Sep 21 07:16:35.646077: | adding TWOFISH_CBC to kernel algorithm db Sep 21 07:16:35.646080: | adding NULL_AUTH_AES_GMAC to kernel algorithm db Sep 21 07:16:35.646082: | adding NULL 
to kernel algorithm db Sep 21 07:16:35.646085: | adding CHACHA20_POLY1305 to kernel algorithm db Sep 21 07:16:35.646088: | adding HMAC_MD5_96 to kernel algorithm db Sep 21 07:16:35.646091: | adding HMAC_SHA1_96 to kernel algorithm db Sep 21 07:16:35.646093: | adding HMAC_SHA2_512_256 to kernel algorithm db Sep 21 07:16:35.646095: | adding HMAC_SHA2_384_192 to kernel algorithm db Sep 21 07:16:35.646097: | adding HMAC_SHA2_256_128 to kernel algorithm db Sep 21 07:16:35.646100: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Sep 21 07:16:35.646102: | adding AES_XCBC_96 to kernel algorithm db Sep 21 07:16:35.646110: | adding AES_CMAC_96 to kernel algorithm db Sep 21 07:16:35.646113: | adding NONE to kernel algorithm db Sep 21 07:16:35.646136: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Sep 21 07:16:35.646149: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Sep 21 07:16:35.646154: | setup kernel fd callback Sep 21 07:16:35.646158: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55bba944df00 Sep 21 07:16:35.646161: | libevent_malloc: new ptr-libevent@0x55bba9455350 size 128 Sep 21 07:16:35.646165: | libevent_malloc: new ptr-libevent@0x55bba9443c90 size 16 Sep 21 07:16:35.646171: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55bba94487a0 Sep 21 07:16:35.646174: | libevent_malloc: new ptr-libevent@0x55bba94553e0 size 128 Sep 21 07:16:35.646177: | libevent_malloc: new ptr-libevent@0x55bba94486f0 size 16 Sep 21 07:16:35.646420: | global one-shot timer EVENT_CHECK_CRLS initialized Sep 21 07:16:35.646430: selinux support is enabled. 
Sep 21 07:16:35.646630: systemd watchdog not enabled - not sending watchdog keepalives Sep 21 07:16:35.646711: | crypto helper 0 waiting (nothing to do) Sep 21 07:16:35.646782: | unbound context created - setting debug level to 5 Sep 21 07:16:35.646820: | /etc/hosts lookups activated Sep 21 07:16:35.646833: | /etc/resolv.conf usage activated Sep 21 07:16:35.646867: | outgoing-port-avoid set 0-65535 Sep 21 07:16:35.646884: | outgoing-port-permit set 32768-60999 Sep 21 07:16:35.646886: | Loading dnssec root key from:/var/lib/unbound/root.key Sep 21 07:16:35.646888: | No additional dnssec trust anchors defined via dnssec-trusted= option Sep 21 07:16:35.646890: | Setting up events, loop start Sep 21 07:16:35.646892: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55bba94484f0 Sep 21 07:16:35.646895: | libevent_malloc: new ptr-libevent@0x55bba945f950 size 128 Sep 21 07:16:35.646897: | libevent_malloc: new ptr-libevent@0x55bba945f9e0 size 16 Sep 21 07:16:35.646903: | libevent_realloc: new ptr-libevent@0x55bba93c55b0 size 256 Sep 21 07:16:35.646905: | libevent_malloc: new ptr-libevent@0x55bba945fa00 size 8 Sep 21 07:16:35.646907: | libevent_realloc: new ptr-libevent@0x55bba94546d0 size 144 Sep 21 07:16:35.646909: | libevent_malloc: new ptr-libevent@0x55bba945fa20 size 152 Sep 21 07:16:35.646911: | libevent_malloc: new ptr-libevent@0x55bba945fac0 size 16 Sep 21 07:16:35.646914: | signal event handler PLUTO_SIGCHLD installed Sep 21 07:16:35.646916: | libevent_malloc: new ptr-libevent@0x55bba945fae0 size 8 Sep 21 07:16:35.646918: | libevent_malloc: new ptr-libevent@0x55bba945fb00 size 152 Sep 21 07:16:35.646919: | signal event handler PLUTO_SIGTERM installed Sep 21 07:16:35.646921: | libevent_malloc: new ptr-libevent@0x55bba945fba0 size 8 Sep 21 07:16:35.646923: | libevent_malloc: new ptr-libevent@0x55bba945fbc0 size 152 Sep 21 07:16:35.646925: | signal event handler PLUTO_SIGHUP installed Sep 21 07:16:35.646926: | libevent_malloc: new ptr-libevent@0x55bba945fc60 size 8 
Sep 21 07:16:35.646928: | libevent_realloc: release ptr-libevent@0x55bba94546d0 Sep 21 07:16:35.646930: | libevent_realloc: new ptr-libevent@0x55bba945fc80 size 256 Sep 21 07:16:35.646931: | libevent_malloc: new ptr-libevent@0x55bba94546d0 size 152 Sep 21 07:16:35.646933: | signal event handler PLUTO_SIGSYS installed Sep 21 07:16:35.647187: | created addconn helper (pid:16271) using fork+execve Sep 21 07:16:35.647197: | forked child 16271 Sep 21 07:16:35.647229: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:35.647241: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:16:35.647248: listening for IKE messages Sep 21 07:16:35.647284: | Inspecting interface lo Sep 21 07:16:35.647292: | found lo with address 127.0.0.1 Sep 21 07:16:35.647295: | Inspecting interface eth0 Sep 21 07:16:35.647299: | found eth0 with address 192.0.2.254 Sep 21 07:16:35.647302: | Inspecting interface eth1 Sep 21 07:16:35.647306: | found eth1 with address 192.1.2.23 Sep 21 07:16:35.647355: Kernel supports NIC esp-hw-offload Sep 21 07:16:35.647366: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Sep 21 07:16:35.647388: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:16:35.647395: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:16:35.647398: adding interface eth1/eth1 192.1.2.23:4500 Sep 21 07:16:35.647429: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Sep 21 07:16:35.647452: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:16:35.647456: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:16:35.647460: adding interface eth0/eth0 192.0.2.254:4500 Sep 21 07:16:35.647486: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Sep 21 07:16:35.647506: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 
07:16:35.647510: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:16:35.647514: adding interface lo/lo 127.0.0.1:4500 Sep 21 07:16:35.647561: | no interfaces to sort Sep 21 07:16:35.647565: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations Sep 21 07:16:35.647574: | add_fd_read_event_handler: new ethX-pe@0x55bba9449270 Sep 21 07:16:35.647577: | libevent_malloc: new ptr-libevent@0x55bba945fff0 size 128 Sep 21 07:16:35.647579: | libevent_malloc: new ptr-libevent@0x55bba9460080 size 16 Sep 21 07:16:35.647586: | setup callback for interface lo 127.0.0.1:4500 fd 22 Sep 21 07:16:35.647589: | add_fd_read_event_handler: new ethX-pe@0x55bba94600a0 Sep 21 07:16:35.647591: | libevent_malloc: new ptr-libevent@0x55bba94600e0 size 128 Sep 21 07:16:35.647594: | libevent_malloc: new ptr-libevent@0x55bba9460170 size 16 Sep 21 07:16:35.647598: | setup callback for interface lo 127.0.0.1:500 fd 21 Sep 21 07:16:35.647600: | add_fd_read_event_handler: new ethX-pe@0x55bba9460190 Sep 21 07:16:35.647603: | libevent_malloc: new ptr-libevent@0x55bba94601d0 size 128 Sep 21 07:16:35.647605: | libevent_malloc: new ptr-libevent@0x55bba9460260 size 16 Sep 21 07:16:35.647609: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Sep 21 07:16:35.647612: | add_fd_read_event_handler: new ethX-pe@0x55bba9460280 Sep 21 07:16:35.647615: | libevent_malloc: new ptr-libevent@0x55bba94602c0 size 128 Sep 21 07:16:35.647617: | libevent_malloc: new ptr-libevent@0x55bba9460350 size 16 Sep 21 07:16:35.647621: | setup callback for interface eth0 192.0.2.254:500 fd 19 Sep 21 07:16:35.647624: | add_fd_read_event_handler: new ethX-pe@0x55bba9460370 Sep 21 07:16:35.647626: | libevent_malloc: new ptr-libevent@0x55bba94603b0 size 128 Sep 21 07:16:35.647629: | libevent_malloc: new ptr-libevent@0x55bba9460440 size 16 Sep 21 07:16:35.647633: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Sep 21 07:16:35.647635: | add_fd_read_event_handler: new 
ethX-pe@0x55bba9460460 Sep 21 07:16:35.647638: | libevent_malloc: new ptr-libevent@0x55bba94604a0 size 128 Sep 21 07:16:35.647640: | libevent_malloc: new ptr-libevent@0x55bba9460530 size 16 Sep 21 07:16:35.647644: | setup callback for interface eth1 192.1.2.23:500 fd 17 Sep 21 07:16:35.647648: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:16:35.647651: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:16:35.647670: loading secrets from "/etc/ipsec.secrets" Sep 21 07:16:35.647678: | id type added to secret(0x55bba9455530) PKK_PSK: @east Sep 21 07:16:35.647682: | id type added to secret(0x55bba9455530) PKK_PSK: %any Sep 21 07:16:35.647686: | Processing PSK at line 1: passed Sep 21 07:16:35.647688: | certs and keys locked by 'process_secret' Sep 21 07:16:35.647691: | certs and keys unlocked by 'process_secret' Sep 21 07:16:35.647696: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:16:35.647703: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:35.647710: | spent 0.483 milliseconds in whack Sep 21 07:16:35.676054: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:35.676083: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:16:35.676089: listening for IKE messages Sep 21 07:16:35.684050: | Inspecting interface lo Sep 21 07:16:35.684072: | found lo with address 127.0.0.1 Sep 21 07:16:35.684076: | Inspecting interface eth0 Sep 21 07:16:35.684081: | found eth0 with address 192.0.2.254 Sep 21 07:16:35.684083: | Inspecting interface eth1 Sep 21 07:16:35.684087: | found eth1 with address 192.1.2.23 Sep 21 07:16:35.684146: | no interfaces to sort Sep 21 07:16:35.684157: | libevent_free: release ptr-libevent@0x55bba945fff0 Sep 21 07:16:35.684160: | free_event_entry: release EVENT_NULL-pe@0x55bba9449270 Sep 21 07:16:35.684163: | add_fd_read_event_handler: new ethX-pe@0x55bba9449270 Sep 21 07:16:35.684166: | 
libevent_malloc: new ptr-libevent@0x55bba945fff0 size 128 Sep 21 07:16:35.684174: | setup callback for interface lo 127.0.0.1:4500 fd 22 Sep 21 07:16:35.684178: | libevent_free: release ptr-libevent@0x55bba94600e0 Sep 21 07:16:35.684180: | free_event_entry: release EVENT_NULL-pe@0x55bba94600a0 Sep 21 07:16:35.684182: | add_fd_read_event_handler: new ethX-pe@0x55bba94600a0 Sep 21 07:16:35.684184: | libevent_malloc: new ptr-libevent@0x55bba94600e0 size 128 Sep 21 07:16:35.684189: | setup callback for interface lo 127.0.0.1:500 fd 21 Sep 21 07:16:35.684193: | libevent_free: release ptr-libevent@0x55bba94601d0 Sep 21 07:16:35.684196: | free_event_entry: release EVENT_NULL-pe@0x55bba9460190 Sep 21 07:16:35.684198: | add_fd_read_event_handler: new ethX-pe@0x55bba9460190 Sep 21 07:16:35.684201: | libevent_malloc: new ptr-libevent@0x55bba94601d0 size 128 Sep 21 07:16:35.684206: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Sep 21 07:16:35.684210: | libevent_free: release ptr-libevent@0x55bba94602c0 Sep 21 07:16:35.684212: | free_event_entry: release EVENT_NULL-pe@0x55bba9460280 Sep 21 07:16:35.684214: | add_fd_read_event_handler: new ethX-pe@0x55bba9460280 Sep 21 07:16:35.684217: | libevent_malloc: new ptr-libevent@0x55bba94602c0 size 128 Sep 21 07:16:35.684222: | setup callback for interface eth0 192.0.2.254:500 fd 19 Sep 21 07:16:35.684225: | libevent_free: release ptr-libevent@0x55bba94603b0 Sep 21 07:16:35.684228: | free_event_entry: release EVENT_NULL-pe@0x55bba9460370 Sep 21 07:16:35.684230: | add_fd_read_event_handler: new ethX-pe@0x55bba9460370 Sep 21 07:16:35.684233: | libevent_malloc: new ptr-libevent@0x55bba94603b0 size 128 Sep 21 07:16:35.684238: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Sep 21 07:16:35.684241: | libevent_free: release ptr-libevent@0x55bba94604a0 Sep 21 07:16:35.684244: | free_event_entry: release EVENT_NULL-pe@0x55bba9460460 Sep 21 07:16:35.684246: | add_fd_read_event_handler: new ethX-pe@0x55bba9460460 Sep 21 
07:16:35.684249: | libevent_malloc: new ptr-libevent@0x55bba94604a0 size 128 Sep 21 07:16:35.684254: | setup callback for interface eth1 192.1.2.23:500 fd 17 Sep 21 07:16:35.684257: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:16:35.684259: forgetting secrets Sep 21 07:16:35.684269: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:16:35.684284: loading secrets from "/etc/ipsec.secrets" Sep 21 07:16:35.684293: | id type added to secret(0x55bba9455530) PKK_PSK: @east Sep 21 07:16:35.684297: | id type added to secret(0x55bba9455530) PKK_PSK: %any Sep 21 07:16:35.684301: | Processing PSK at line 1: passed Sep 21 07:16:35.684303: | certs and keys locked by 'process_secret' Sep 21 07:16:35.684306: | certs and keys unlocked by 'process_secret' Sep 21 07:16:35.684311: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:16:35.684322: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:35.684331: | spent 0.4 milliseconds in whack Sep 21 07:16:35.684816: | processing signal PLUTO_SIGCHLD Sep 21 07:16:35.684831: | waitpid returned pid 16271 (exited with status 0) Sep 21 07:16:35.684836: | reaped addconn helper child (status 0) Sep 21 07:16:35.684840: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:35.684845: | spent 0.0164 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:35.744548: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:35.744584: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:35.744588: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:16:35.744591: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:35.744593: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:16:35.744597: | FOR_EACH_CONNECTION_... 
in conn_by_name Sep 21 07:16:35.744605: | Added new connection eastnet-any with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:16:35.744657: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Sep 21 07:16:35.744663: | from whack: got --esp= Sep 21 07:16:35.744697: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 Sep 21 07:16:35.744701: | counting wild cards for (none) is 15 Sep 21 07:16:35.744705: | counting wild cards for @east is 0 Sep 21 07:16:35.744710: | based upon policy, the connection is a template. 
Sep 21 07:16:35.744716: | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none Sep 21 07:16:35.744720: | new hp@0x55bba942c960 Sep 21 07:16:35.744725: added connection description "eastnet-any" Sep 21 07:16:35.744733: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:16:35.744743: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...%any===192.0.1.0/24 Sep 21 07:16:35.744749: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:35.744756: | spent 0.21 milliseconds in whack Sep 21 07:16:37.910466: | spent 0.00303 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:37.910500: | *received 828 bytes from 192.1.2.254:500 on eth1 (192.1.2.23:500)
Sep 21 07:16:37.910637: | start processing: from 192.1.2.254:500 (in process_md() at demux.c:378) Sep 21 07:16:37.910641: | **parse ISAKMP Message: Sep 21 07:16:37.910644: | initiator cookie: Sep 21 07:16:37.910646: | e2 89 18 1d 52 8d ca 70 Sep 21 07:16:37.910649: | responder cookie: Sep 21 07:16:37.910651: | 00 00 00 00 00 00 00 00 Sep 21 07:16:37.910654: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:37.910657: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:37.910660: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:16:37.910662: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:37.910665: | Message ID: 0 (0x0) Sep 21 07:16:37.910667: | length: 828 (0x33c) Sep 21 07:16:37.910670: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Sep 21 07:16:37.910674: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Sep 21 07:16:37.910678: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Sep 21 07:16:37.910681: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:16:37.910684: | ***parse IKEv2 Security Association Payload: Sep 21 07:16:37.910687: | next payload type: ISAKMP_NEXT_v2KE (0x22) Sep 21 07:16:37.910690: | flags: none (0x0) Sep 21 07:16:37.910692: |
length: 436 (0x1b4) Sep 21 07:16:37.910695: | processing payload: ISAKMP_NEXT_v2SA (len=432) Sep 21 07:16:37.910697: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:16:37.910700: | ***parse IKEv2 Key Exchange Payload: Sep 21 07:16:37.910703: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:16:37.910705: | flags: none (0x0) Sep 21 07:16:37.910707: | length: 264 (0x108) Sep 21 07:16:37.910710: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:37.910713: | processing payload: ISAKMP_NEXT_v2KE (len=256) Sep 21 07:16:37.910718: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 21 07:16:37.910721: | ***parse IKEv2 Nonce Payload: Sep 21 07:16:37.910724: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:37.910726: | flags: none (0x0) Sep 21 07:16:37.910729: | length: 36 (0x24) Sep 21 07:16:37.910731: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:16:37.910733: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:16:37.910736: | ***parse IKEv2 Notify Payload: Sep 21 07:16:37.910738: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:37.910741: | flags: none (0x0) Sep 21 07:16:37.910743: | length: 8 (0x8) Sep 21 07:16:37.910746: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:37.910748: | SPI size: 0 (0x0) Sep 21 07:16:37.910751: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:16:37.910754: | processing payload: ISAKMP_NEXT_v2N (len=0) Sep 21 07:16:37.910756: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:16:37.910759: | ***parse IKEv2 Notify Payload: Sep 21 07:16:37.910761: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:37.910764: | flags: none (0x0) Sep 21 07:16:37.910766: | length: 28 (0x1c) Sep 21 07:16:37.910768: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:37.910771: | SPI size: 0 (0x0) Sep 21 07:16:37.910773: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:16:37.910776: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 
07:16:37.910778: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:16:37.910781: | ***parse IKEv2 Notify Payload: Sep 21 07:16:37.910787: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:37.910792: | flags: none (0x0) Sep 21 07:16:37.910794: | length: 28 (0x1c) Sep 21 07:16:37.910797: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:37.910799: | SPI size: 0 (0x0) Sep 21 07:16:37.910801: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:16:37.910804: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:16:37.910807: | DDOS disabled and no cookie sent, continuing Sep 21 07:16:37.910813: | find_host_connection local=192.1.2.23:500 remote=192.1.2.254:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:16:37.910816: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:16:37.910819: | find_next_host_connection returns empty Sep 21 07:16:37.910823: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:16:37.910829: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:16:37.910832: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:16:37.910836: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (eastnet-any) Sep 21 07:16:37.910838: | find_next_host_connection returns empty Sep 21 07:16:37.910842: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Sep 21 07:16:37.910848: | find_host_connection local=192.1.2.23:500 remote=192.1.2.254:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:16:37.910851: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:16:37.910853: | find_next_host_connection returns empty Sep 21 07:16:37.910857: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:16:37.910862: | find_host_pair: comparing 
192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:16:37.910865: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:16:37.910868: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (eastnet-any) Sep 21 07:16:37.910871: | find_next_host_connection returns empty Sep 21 07:16:37.910874: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Sep 21 07:16:37.910879: | find_host_connection local=192.1.2.23:500 remote=192.1.2.254:500 policy=PSK+IKEV2_ALLOW but ignoring ports Sep 21 07:16:37.910885: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:16:37.910888: | find_next_host_connection returns empty Sep 21 07:16:37.910892: | find_host_connection local=192.1.2.23:500 remote= policy=PSK+IKEV2_ALLOW but ignoring ports Sep 21 07:16:37.910897: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:16:37.910899: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:16:37.910902: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (eastnet-any) Sep 21 07:16:37.910905: | find_next_host_connection returns eastnet-any Sep 21 07:16:37.910908: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:16:37.910910: | find_next_host_connection returns empty Sep 21 07:16:37.910912: | rw_instantiate Sep 21 07:16:37.910920: | connect_to_host_pair: 192.1.2.23:500 192.1.2.254:500 -> hp@(nil): none Sep 21 07:16:37.910923: | new hp@0x55bba93f2dc0 Sep 21 07:16:37.910931: | rw_instantiate() instantiated "eastnet-any"[1] 192.1.2.254 for 192.1.2.254 Sep 21 07:16:37.910935: | found connection: eastnet-any[1] 192.1.2.254 with policy PSK+IKEV2_ALLOW Sep 21 07:16:37.910940: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:16:37.910968: | creating state object #1 at 0x55bba9463c80 Sep 21 07:16:37.910972: | State DB: adding IKEv2 state #1 in UNDEFINED 
Sep 21 07:16:37.910980: | pstats #1 ikev2.ike started Sep 21 07:16:37.910984: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Sep 21 07:16:37.910988: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Sep 21 07:16:37.910993: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:37.911003: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:16:37.911007: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:16:37.911013: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:16:37.911016: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Sep 21 07:16:37.911024: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Sep 21 07:16:37.911030: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Sep 21 07:16:37.911033: | #1 in state PARENT_R0: processing SA_INIT request Sep 21 07:16:37.911036: | selected state microcode Respond to IKE_SA_INIT Sep 21 07:16:37.911038: | Now let's proceed with state specific processing Sep 21 07:16:37.911041: | calling processor Respond to IKE_SA_INIT Sep 21 07:16:37.911047: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:16:37.911051: | constructing local IKE proposals for eastnet-any (IKE SA responder matching remote proposals) Sep 21 07:16:37.911059: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... 
Sep 21 07:16:37.911069: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:16:37.911073: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:16:37.911079: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:16:37.911083: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:16:37.911092: | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:16:37.911096: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:16:37.911102: | ... 
ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:16:37.911114: "eastnet-any"[1] 192.1.2.254: constructed local IKE proposals for eastnet-any (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:16:37.911118: | Comparing remote proposals against IKE responder 4 local proposals Sep 21 07:16:37.911122: | local proposal 1 type ENCR has 1 transforms Sep 21 07:16:37.911125: | local proposal 1 type PRF has 2 transforms Sep 21 07:16:37.911127: | local proposal 1 type INTEG has 1 transforms Sep 21 07:16:37.911130: | local proposal 1 type DH has 8 transforms Sep 21 07:16:37.911133: | local proposal 1 type ESN has 0 transforms Sep 21 07:16:37.911136: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Sep 21 07:16:37.911138: | local proposal 2 type ENCR has 1 transforms Sep 21 07:16:37.911141: | local proposal 2 type PRF has 2 transforms Sep 21 07:16:37.911143: | local proposal 2 type INTEG has 1 transforms Sep 21 07:16:37.911146: | local proposal 2 type DH has 8 transforms Sep 21 07:16:37.911148: | local proposal 2 type ESN has 0 transforms Sep 21 07:16:37.911151: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Sep 21 07:16:37.911154: | local proposal 3 type ENCR has 1 
transforms Sep 21 07:16:37.911156: | local proposal 3 type PRF has 2 transforms Sep 21 07:16:37.911159: | local proposal 3 type INTEG has 2 transforms Sep 21 07:16:37.911161: | local proposal 3 type DH has 8 transforms Sep 21 07:16:37.911164: | local proposal 3 type ESN has 0 transforms Sep 21 07:16:37.911166: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:16:37.911169: | local proposal 4 type ENCR has 1 transforms Sep 21 07:16:37.911172: | local proposal 4 type PRF has 2 transforms Sep 21 07:16:37.911174: | local proposal 4 type INTEG has 2 transforms Sep 21 07:16:37.911177: | local proposal 4 type DH has 8 transforms Sep 21 07:16:37.911179: | local proposal 4 type ESN has 0 transforms Sep 21 07:16:37.911182: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:16:37.911185: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:37.911188: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:16:37.911190: | length: 100 (0x64) Sep 21 07:16:37.911193: | prop #: 1 (0x1) Sep 21 07:16:37.911195: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:16:37.911198: | spi size: 0 (0x0) Sep 21 07:16:37.911200: | # transforms: 11 (0xb) Sep 21 07:16:37.911204: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Sep 21 07:16:37.911207: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911210: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911212: | length: 12 (0xc) Sep 21 07:16:37.911215: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:37.911217: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:16:37.911226: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:37.911229: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:37.911232: | length/value: 256 (0x100) Sep 21 07:16:37.911236: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 
07:16:37.911240: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911242: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911245: | length: 8 (0x8) Sep 21 07:16:37.911247: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:37.911250: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:16:37.911253: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Sep 21 07:16:37.911256: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Sep 21 07:16:37.911260: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Sep 21 07:16:37.911263: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Sep 21 07:16:37.911266: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911268: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911271: | length: 8 (0x8) Sep 21 07:16:37.911273: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:37.911276: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:16:37.911279: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911281: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911284: | length: 8 (0x8) Sep 21 07:16:37.911286: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911289: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:37.911292: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Sep 21 07:16:37.911296: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Sep 21 07:16:37.911299: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Sep 21 07:16:37.911302: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Sep 21 07:16:37.911305: | *****parse IKEv2 
Transform Substructure Payload: Sep 21 07:16:37.911307: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911310: | length: 8 (0x8) Sep 21 07:16:37.911312: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911315: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:37.911318: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911320: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911322: | length: 8 (0x8) Sep 21 07:16:37.911325: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911327: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:16:37.911330: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911333: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911335: | length: 8 (0x8) Sep 21 07:16:37.911337: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911340: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:16:37.911343: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911345: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911348: | length: 8 (0x8) Sep 21 07:16:37.911350: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911353: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:16:37.911355: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911358: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911360: | length: 8 (0x8) Sep 21 07:16:37.911363: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911365: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:16:37.911368: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911373: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911375: | length: 8 (0x8) Sep 21 07:16:37.911378: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911381: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:16:37.911384: | *****parse IKEv2 Transform Substructure 
Payload: Sep 21 07:16:37.911386: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:37.911388: | length: 8 (0x8) Sep 21 07:16:37.911391: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911393: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:16:37.911397: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Sep 21 07:16:37.911402: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Sep 21 07:16:37.911404: | remote proposal 1 matches local proposal 1 Sep 21 07:16:37.911408: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:37.911410: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:16:37.911412: | length: 100 (0x64) Sep 21 07:16:37.911415: | prop #: 2 (0x2) Sep 21 07:16:37.911417: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:16:37.911420: | spi size: 0 (0x0) Sep 21 07:16:37.911422: | # transforms: 11 (0xb) Sep 21 07:16:37.911426: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:16:37.911428: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911431: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911433: | length: 12 (0xc) Sep 21 07:16:37.911436: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:37.911438: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:16:37.911441: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:37.911443: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:37.911446: | length/value: 128 (0x80) Sep 21 07:16:37.911449: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911452: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911454: | length: 8 (0x8) Sep 21 07:16:37.911457: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:37.911459: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:16:37.911462: | 
*****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911464: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911466: | length: 8 (0x8) Sep 21 07:16:37.911469: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:37.911471: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:16:37.911474: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911477: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911479: | length: 8 (0x8) Sep 21 07:16:37.911482: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911484: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:37.911487: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911490: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911492: | length: 8 (0x8) Sep 21 07:16:37.911494: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911497: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:37.911500: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911502: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911505: | length: 8 (0x8) Sep 21 07:16:37.911507: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911509: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:16:37.911512: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911515: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911517: | length: 8 (0x8) Sep 21 07:16:37.911520: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911522: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:16:37.911528: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911530: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911533: | length: 8 (0x8) Sep 21 07:16:37.911535: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911537: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:16:37.911540: | *****parse IKEv2 Transform 
Substructure Payload: Sep 21 07:16:37.911543: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911545: | length: 8 (0x8) Sep 21 07:16:37.911547: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911550: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:16:37.911553: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911556: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911558: | length: 8 (0x8) Sep 21 07:16:37.911560: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911563: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:16:37.911566: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911568: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:37.911570: | length: 8 (0x8) Sep 21 07:16:37.911573: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911575: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:16:37.911579: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Sep 21 07:16:37.911582: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Sep 21 07:16:37.911585: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:37.911588: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:16:37.911590: | length: 116 (0x74) Sep 21 07:16:37.911593: | prop #: 3 (0x3) Sep 21 07:16:37.911595: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:16:37.911597: | spi size: 0 (0x0) Sep 21 07:16:37.911600: | # transforms: 13 (0xd) Sep 21 07:16:37.911603: | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:16:37.911606: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911608: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911611: | length: 12 (0xc) Sep 21 07:16:37.911613: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:37.911616: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 
07:16:37.911618: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:37.911621: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:37.911623: | length/value: 256 (0x100) Sep 21 07:16:37.911627: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911629: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911631: | length: 8 (0x8) Sep 21 07:16:37.911634: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:37.911636: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:16:37.911639: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911642: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911644: | length: 8 (0x8) Sep 21 07:16:37.911646: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:37.911649: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:16:37.911652: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911654: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911657: | length: 8 (0x8) Sep 21 07:16:37.911659: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:37.911662: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:37.911665: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911667: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911670: | length: 8 (0x8) Sep 21 07:16:37.911672: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:37.911675: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:16:37.911677: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911682: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911684: | length: 8 (0x8) Sep 21 07:16:37.911687: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911689: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:37.911692: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911694: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 
07:16:37.911697: | length: 8 (0x8) Sep 21 07:16:37.911699: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911702: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:37.911704: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911707: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911709: | length: 8 (0x8) Sep 21 07:16:37.911712: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911714: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:16:37.911717: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911720: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911722: | length: 8 (0x8) Sep 21 07:16:37.911724: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911727: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:16:37.911730: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911732: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911735: | length: 8 (0x8) Sep 21 07:16:37.911737: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911740: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:16:37.911742: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911745: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911747: | length: 8 (0x8) Sep 21 07:16:37.911750: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911752: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:16:37.911755: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911758: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911760: | length: 8 (0x8) Sep 21 07:16:37.911762: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911765: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:16:37.911768: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911770: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:37.911773: | length: 
8 (0x8) Sep 21 07:16:37.911775: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911778: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:16:37.911781: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Sep 21 07:16:37.911790: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Sep 21 07:16:37.911793: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:37.911795: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:37.911798: | length: 116 (0x74) Sep 21 07:16:37.911800: | prop #: 4 (0x4) Sep 21 07:16:37.911802: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:16:37.911805: | spi size: 0 (0x0) Sep 21 07:16:37.911807: | # transforms: 13 (0xd) Sep 21 07:16:37.911810: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:16:37.911813: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911816: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911818: | length: 12 (0xc) Sep 21 07:16:37.911821: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:37.911823: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:37.911826: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:37.911828: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:37.911831: | length/value: 128 (0x80) Sep 21 07:16:37.911834: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911836: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911841: | length: 8 (0x8) Sep 21 07:16:37.911843: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:37.911846: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:16:37.911848: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911851: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911853: | length: 8 (0x8) Sep 21 07:16:37.911856: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 
07:16:37.911858: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:16:37.911861: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911864: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911866: | length: 8 (0x8) Sep 21 07:16:37.911868: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:37.911871: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:37.911874: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911876: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911879: | length: 8 (0x8) Sep 21 07:16:37.911881: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:37.911884: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:16:37.911886: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911889: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911891: | length: 8 (0x8) Sep 21 07:16:37.911893: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911896: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:37.911899: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911901: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911904: | length: 8 (0x8) Sep 21 07:16:37.911906: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911909: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:37.911911: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911914: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911916: | length: 8 (0x8) Sep 21 07:16:37.911919: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911921: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:16:37.911924: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911926: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911929: | length: 8 (0x8) Sep 21 07:16:37.911931: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911934: | 
IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:16:37.911937: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911939: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911942: | length: 8 (0x8) Sep 21 07:16:37.911944: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911947: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:16:37.911949: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911952: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911954: | length: 8 (0x8) Sep 21 07:16:37.911956: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911959: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:16:37.911962: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911964: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.911967: | length: 8 (0x8) Sep 21 07:16:37.911969: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911971: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:16:37.911975: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.911977: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:37.911979: | length: 8 (0x8) Sep 21 07:16:37.911982: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.911984: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:16:37.911988: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Sep 21 07:16:37.911991: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Sep 21 07:16:37.911998: "eastnet-any"[1] 192.1.2.254 #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Sep 21 07:16:37.912003: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Sep 21 07:16:37.912006: | converting proposal to internal trans attrs Sep 21 07:16:37.912011: | natd_hash: rcookie is zero Sep 21 07:16:37.912026: | natd_hash: hasher=0x55bba8afd7a0(20) Sep 21 07:16:37.912029: | natd_hash: icookie= e2 89 18 1d 52 8d ca 70 Sep 21 07:16:37.912032: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:16:37.912034: | natd_hash: ip= c0 01 02 17 Sep 21 07:16:37.912036: | natd_hash: port= 01 f4 Sep 21 07:16:37.912039: | natd_hash: hash= 11 21 79 0c 5d 5e dc 5c 53 48 27 75 84 00 9a d0 Sep 21 07:16:37.912041: | natd_hash: hash= 28 be e7 3d Sep 21 07:16:37.912044: | natd_hash: rcookie is zero Sep 21 07:16:37.912052: | natd_hash: hasher=0x55bba8afd7a0(20) Sep 21 07:16:37.912055: | natd_hash: icookie= e2 89 18 1d 52 8d ca 70 Sep 21 07:16:37.912058: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:16:37.912060: | natd_hash: ip= c0 01 02 fe Sep 21 07:16:37.912062: | natd_hash: port= 01 f4 Sep 21 07:16:37.912064: | natd_hash: hash= 44 3a fd bb 78 45 77 d8 92 5f 28 2b 84 b9 54 a2 Sep 21 07:16:37.912067: | natd_hash: hash= d7 2e a6 df Sep 21 07:16:37.912069: | NAT_TRAVERSAL encaps using auto-detect Sep 21 07:16:37.912071: | NAT_TRAVERSAL this end is NOT behind NAT Sep 21 07:16:37.912075: | NAT_TRAVERSAL that end is behind NAT 192.1.2.254 Sep 21 07:16:37.912078: | 
NAT_TRAVERSAL nat-keepalive enabled 192.1.2.254 Sep 21 07:16:37.912084: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Sep 21 07:16:37.912088: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55bba9465df0 Sep 21 07:16:37.912091: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:16:37.912095: | libevent_malloc: new ptr-libevent@0x55bba9465e30 size 128 Sep 21 07:16:37.912107: | #1 spent 1.06 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Sep 21 07:16:37.912116: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:37.912120: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Sep 21 07:16:37.912122: | suspending state #1 and saving MD Sep 21 07:16:37.912125: | #1 is busy; has a suspended MD Sep 21 07:16:37.912130: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:37.912135: | "eastnet-any"[1] 192.1.2.254 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:37.912141: | stop processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:37.912146: | #1 spent 1.66 milliseconds in ikev2_process_packet() Sep 21 07:16:37.912150: | stop processing: from 192.1.2.254:500 (in process_md() at demux.c:380) Sep 21 07:16:37.912153: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:37.912156: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:37.912162: | spent 1.68 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:37.912174: | crypto helper 4 resuming Sep 21 07:16:37.912181: | crypto helper 4 starting work-order 1 for state #1 Sep 21 07:16:37.912185: | crypto 
helper 4 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Sep 21 07:16:37.913161: | crypto helper 4 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.000975 seconds Sep 21 07:16:37.913172: | (#1) spent 0.983 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Sep 21 07:16:37.913176: | crypto helper 4 sending results from work-order 1 for state #1 to event queue Sep 21 07:16:37.913179: | scheduling resume sending helper answer for #1 Sep 21 07:16:37.913182: | libevent_malloc: new ptr-libevent@0x7f02f8006900 size 128 Sep 21 07:16:37.913190: | crypto helper 4 waiting (nothing to do) Sep 21 07:16:37.913201: | processing resume sending helper answer for #1 Sep 21 07:16:37.913209: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in resume_handler() at server.c:797) Sep 21 07:16:37.913213: | crypto helper 4 replies to request ID 1 Sep 21 07:16:37.913215: | calling continuation function 0x55bba8a27630 Sep 21 07:16:37.913218: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Sep 21 07:16:37.913250: | **emit ISAKMP Message: Sep 21 07:16:37.913253: | initiator cookie: Sep 21 07:16:37.913256: | e2 89 18 1d 52 8d ca 70 Sep 21 07:16:37.913258: | responder cookie: Sep 21 07:16:37.913261: | 77 7a c6 a2 02 ee bc 1f Sep 21 07:16:37.913263: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:37.913266: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:37.913269: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:16:37.913272: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:16:37.913275: | Message ID: 0 (0x0) Sep 21 07:16:37.913278: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:37.913281: | Emitting ikev2_proposal ... 
Sep 21 07:16:37.913283: | ***emit IKEv2 Security Association Payload: Sep 21 07:16:37.913286: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:37.913288: | flags: none (0x0) Sep 21 07:16:37.913292: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:37.913295: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:37.913298: | ****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:37.913300: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:37.913303: | prop #: 1 (0x1) Sep 21 07:16:37.913306: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:16:37.913308: | spi size: 0 (0x0) Sep 21 07:16:37.913311: | # transforms: 3 (0x3) Sep 21 07:16:37.913314: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:37.913317: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:37.913319: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.913322: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:37.913324: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:16:37.913327: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:37.913330: | ******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:37.913333: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:37.913335: | length/value: 256 (0x100) Sep 21 07:16:37.913338: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:16:37.913341: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:37.913344: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.913346: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:37.913351: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:16:37.913354: | last 
substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.913357: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:37.913360: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:37.913363: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:37.913365: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:37.913368: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:37.913370: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:37.913373: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.913376: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:37.913379: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:37.913381: | emitting length of IKEv2 Proposal Substructure Payload: 36 Sep 21 07:16:37.913384: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:16:37.913387: | emitting length of IKEv2 Security Association Payload: 40 Sep 21 07:16:37.913389: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:37.913393: | ***emit IKEv2 Key Exchange Payload: Sep 21 07:16:37.913396: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:37.913398: | flags: none (0x0) Sep 21 07:16:37.913401: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:37.913404: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 
07:16:37.913407: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:16:37.913410: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Sep 21 07:16:37.913451: | emitting length of IKEv2 Key Exchange Payload: 264 Sep 21 07:16:37.913454: | ***emit IKEv2 Nonce Payload: Sep 21 07:16:37.913456: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:37.913459: | flags: none (0x0) Sep 21 07:16:37.913462: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Sep 21 07:16:37.913467: | next payload chain: setting previous 
'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:16:37.913470: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:16:37.913473: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:16:37.913475: | IKEv2 nonce 4b 0a ad 8d b6 bb 21 59 84 78 2e 6d c9 ab bb 0e Sep 21 07:16:37.913478: | IKEv2 nonce 3c 78 6d 18 62 ef 1c 91 cc a1 44 17 f5 09 8b ca Sep 21 07:16:37.913481: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:16:37.913483: | Adding a v2N Payload Sep 21 07:16:37.913486: | ***emit IKEv2 Notify Payload: Sep 21 07:16:37.913488: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:37.913491: | flags: none (0x0) Sep 21 07:16:37.913493: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:37.913495: | SPI size: 0 (0x0) Sep 21 07:16:37.913498: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:16:37.913501: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:37.913504: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:37.913507: | emitting length of IKEv2 Notify Payload: 8 Sep 21 07:16:37.913510: | NAT-Traversal support [enabled] add v2N payloads. 
Sep 21 07:16:37.913519: | natd_hash: hasher=0x55bba8afd7a0(20) Sep 21 07:16:37.913523: | natd_hash: icookie= e2 89 18 1d 52 8d ca 70 Sep 21 07:16:37.913525: | natd_hash: rcookie= 77 7a c6 a2 02 ee bc 1f Sep 21 07:16:37.913527: | natd_hash: ip= c0 01 02 17 Sep 21 07:16:37.913530: | natd_hash: port= 01 f4 Sep 21 07:16:37.913532: | natd_hash: hash= 1d 84 4d ac f0 43 98 42 44 3f 4a fc d2 cc f7 c3 Sep 21 07:16:37.913534: | natd_hash: hash= 32 da a5 61 Sep 21 07:16:37.913537: | Adding a v2N Payload Sep 21 07:16:37.913539: | ***emit IKEv2 Notify Payload: Sep 21 07:16:37.913542: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:37.913544: | flags: none (0x0) Sep 21 07:16:37.913547: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:37.913549: | SPI size: 0 (0x0) Sep 21 07:16:37.913552: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:16:37.913555: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:37.913558: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:37.913561: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:16:37.913563: | Notify data 1d 84 4d ac f0 43 98 42 44 3f 4a fc d2 cc f7 c3 Sep 21 07:16:37.913565: | Notify data 32 da a5 61 Sep 21 07:16:37.913568: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:16:37.913575: | natd_hash: hasher=0x55bba8afd7a0(20) Sep 21 07:16:37.913578: | natd_hash: icookie= e2 89 18 1d 52 8d ca 70 Sep 21 07:16:37.913580: | natd_hash: rcookie= 77 7a c6 a2 02 ee bc 1f Sep 21 07:16:37.913583: | natd_hash: ip= c0 01 02 fe Sep 21 07:16:37.913585: | natd_hash: port= 01 f4 Sep 21 07:16:37.913587: | natd_hash: hash= e9 16 48 a7 38 f8 f3 e1 36 09 d5 fe 52 9f a0 5b Sep 21 07:16:37.913590: | natd_hash: hash= 80 44 7c 06 Sep 21 07:16:37.913592: | Adding a v2N Payload Sep 21 07:16:37.913594: | ***emit IKEv2 Notify Payload: Sep 21 
07:16:37.913597: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:37.913599: | flags: none (0x0) Sep 21 07:16:37.913602: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:37.913604: | SPI size: 0 (0x0) Sep 21 07:16:37.913607: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:16:37.913610: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:37.913612: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:37.913618: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:16:37.913621: | Notify data e9 16 48 a7 38 f8 f3 e1 36 09 d5 fe 52 9f a0 5b Sep 21 07:16:37.913623: | Notify data 80 44 7c 06 Sep 21 07:16:37.913625: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:16:37.913628: | emitting length of ISAKMP Message: 432 Sep 21 07:16:37.913637: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:37.913641: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Sep 21 07:16:37.913644: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Sep 21 07:16:37.913648: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Sep 21 07:16:37.913651: | Message ID: updating counters for #1 to 0 after switching state Sep 21 07:16:37.913656: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Sep 21 07:16:37.913660: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Sep 21 07:16:37.913666: "eastnet-any"[1] 192.1.2.254 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a 
prf=HMAC_SHA2_512 group=MODP2048} Sep 21 07:16:37.913672: | sending V2 new request packet to 192.1.2.254:500 (from 192.1.2.23:500) Sep 21 07:16:37.913680: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.2.254:500 (using #1) 
Sep 21 07:16:37.913786: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:37.913793: | libevent_free: release ptr-libevent@0x55bba9465e30 Sep 21 07:16:37.913797: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55bba9465df0 Sep 21 07:16:37.913802: | event_schedule: new EVENT_SO_DISCARD-pe@0x55bba9465df0 Sep 21 07:16:37.913806: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Sep 21 07:16:37.913809: | libevent_malloc: new ptr-libevent@0x55bba9465e30 size 128 Sep 21 07:16:37.913813: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Sep 21 07:16:37.913818: | #1 spent 0.58 milliseconds in resume sending helper answer Sep 21 07:16:37.913824: | stop processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in resume_handler() at server.c:833) Sep 21 07:16:37.913828: | libevent_free: release ptr-libevent@0x7f02f8006900 Sep 21 07:16:37.917049: | spent 0.00272 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:37.917068: | *received 365 bytes from 192.1.2.254:4500 on eth1 (192.1.2.23:4500) 
Sep 21 07:16:37.917129: | start processing: from 192.1.2.254:4500 (in process_md() at demux.c:378) Sep 21 07:16:37.917133: | **parse ISAKMP Message: Sep 21 07:16:37.917135: | initiator cookie: Sep 21 07:16:37.917138: | e2 89 18 1d 52 8d ca 70 Sep 21 07:16:37.917140: | responder cookie: Sep 21 07:16:37.917143: | 77 7a c6 a2 02 ee bc 1f Sep 21 07:16:37.917146: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:16:37.917149: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:37.917151: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:16:37.917154: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:37.917157: | Message ID: 1 (0x1) Sep 21 07:16:37.917159: | length: 365 (0x16d) Sep 21 07:16:37.917162: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Sep 21 07:16:37.917165: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Sep 21 
07:16:37.917169: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Sep 21 07:16:37.917177: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:16:37.917181: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:16:37.917186: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:16:37.917193: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Sep 21 07:16:37.917197: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Sep 21 07:16:37.917199: | unpacking clear payload Sep 21 07:16:37.917202: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:16:37.917205: | ***parse IKEv2 Encryption Payload: Sep 21 07:16:37.917208: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Sep 21 07:16:37.917210: | flags: none (0x0) Sep 21 07:16:37.917213: | length: 337 (0x151) Sep 21 07:16:37.917216: | processing payload: ISAKMP_NEXT_v2SK (len=333) Sep 21 07:16:37.917220: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Sep 21 07:16:37.917223: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:16:37.917226: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:16:37.917229: | Now let's proceed with state specific processing Sep 21 07:16:37.917231: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:16:37.917235: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Sep 21 07:16:37.917239: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Sep 21 07:16:37.917242: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Sep 21 07:16:37.917245: | state #1 requesting EVENT_SO_DISCARD to be 
deleted Sep 21 07:16:37.917248: | libevent_free: release ptr-libevent@0x55bba9465e30 Sep 21 07:16:37.917252: | free_event_entry: release EVENT_SO_DISCARD-pe@0x55bba9465df0 Sep 21 07:16:37.917255: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55bba9465df0 Sep 21 07:16:37.917258: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:16:37.917261: | libevent_malloc: new ptr-libevent@0x55bba9465e30 size 128 Sep 21 07:16:37.917272: | #1 spent 0.0353 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Sep 21 07:16:37.917279: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:37.917283: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Sep 21 07:16:37.917286: | suspending state #1 and saving MD Sep 21 07:16:37.917288: | #1 is busy; has a suspended MD Sep 21 07:16:37.917294: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:37.917298: | "eastnet-any"[1] 192.1.2.254 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:37.917304: | stop processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:37.917309: | #1 spent 0.249 milliseconds in ikev2_process_packet() Sep 21 07:16:37.917313: | stop processing: from 192.1.2.254:4500 (in process_md() at demux.c:380) Sep 21 07:16:37.917316: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:37.917319: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:37.917324: | spent 0.264 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:37.917336: | crypto helper 5 resuming Sep 21 07:16:37.917341: | 
crypto helper 5 starting work-order 2 for state #1 Sep 21 07:16:37.917345: | crypto helper 5 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Sep 21 07:16:37.918242: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Sep 21 07:16:37.918697: | crypto helper 5 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001351 seconds Sep 21 07:16:37.918705: | (#1) spent 1.36 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Sep 21 07:16:37.918711: | crypto helper 5 sending results from work-order 2 for state #1 to event queue Sep 21 07:16:37.918714: | scheduling resume sending helper answer for #1 Sep 21 07:16:37.918717: | libevent_malloc: new ptr-libevent@0x7f02f0006b90 size 128 Sep 21 07:16:37.918725: | crypto helper 5 waiting (nothing to do) Sep 21 07:16:37.918735: | processing resume sending helper answer for #1 Sep 21 07:16:37.918742: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in resume_handler() at server.c:797) Sep 21 07:16:37.918746: | crypto helper 5 replies to request ID 2 Sep 21 07:16:37.918749: | calling continuation function 0x55bba8a27630 Sep 21 07:16:37.918751: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Sep 21 07:16:37.918754: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:16:37.918766: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Sep 21 07:16:37.918770: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Sep 21 07:16:37.918774: | **parse IKEv2 Identification - Initiator - Payload: Sep 21 07:16:37.918776: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Sep 21 07:16:37.918779: | flags: none (0x0) Sep 21 07:16:37.918781: | length: 12 (0xc) Sep 21 07:16:37.918789: | ID type: ID_IPV4_ADDR (0x1) Sep 21 07:16:37.918792: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Sep 21 07:16:37.918794: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Sep 21 07:16:37.918797: | **parse IKEv2 
Identification - Responder - Payload: Sep 21 07:16:37.918799: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Sep 21 07:16:37.918802: | flags: none (0x0) Sep 21 07:16:37.918804: | length: 12 (0xc) Sep 21 07:16:37.918806: | ID type: ID_FQDN (0x2) Sep 21 07:16:37.918809: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Sep 21 07:16:37.918812: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Sep 21 07:16:37.918814: | **parse IKEv2 Authentication Payload: Sep 21 07:16:37.918817: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:37.918819: | flags: none (0x0) Sep 21 07:16:37.918822: | length: 72 (0x48) Sep 21 07:16:37.918824: | auth method: IKEv2_AUTH_SHARED (0x2) Sep 21 07:16:37.918826: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Sep 21 07:16:37.918829: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:16:37.918831: | **parse IKEv2 Security Association Payload: Sep 21 07:16:37.918834: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Sep 21 07:16:37.918836: | flags: none (0x0) Sep 21 07:16:37.918839: | length: 164 (0xa4) Sep 21 07:16:37.918841: | processing payload: ISAKMP_NEXT_v2SA (len=160) Sep 21 07:16:37.918844: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:16:37.918846: | **parse IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:16:37.918849: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:16:37.918851: | flags: none (0x0) Sep 21 07:16:37.918854: | length: 24 (0x18) Sep 21 07:16:37.918856: | number of TS: 1 (0x1) Sep 21 07:16:37.918859: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:16:37.918861: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:16:37.918864: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:37.918866: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:37.918869: | flags: none (0x0) Sep 21 07:16:37.918871: | length: 24 (0x18) Sep 21 07:16:37.918873: | number of TS: 1 (0x1) Sep 21 07:16:37.918876: | processing payload: ISAKMP_NEXT_v2TSr 
(len=16) Sep 21 07:16:37.918879: | selected state microcode Responder: process IKE_AUTH request Sep 21 07:16:37.918881: | Now let's proceed with state specific processing Sep 21 07:16:37.918883: | calling processor Responder: process IKE_AUTH request Sep 21 07:16:37.918890: "eastnet-any"[1] 192.1.2.254 #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Sep 21 07:16:37.918897: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:4500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:16:37.918901: | parsing 4 raw bytes of IKEv2 Identification - Initiator - Payload into peer ID Sep 21 07:16:37.918908: | peer ID c0 01 03 d1 Sep 21 07:16:37.918911: | received IDr payload - extracting our alleged ID Sep 21 07:16:37.918915: | refine_host_connection for IKEv2: starting with "eastnet-any"[1] 192.1.2.254 Sep 21 07:16:37.918920: | match_id a=192.1.3.209 Sep 21 07:16:37.918923: | b=192.1.2.254 Sep 21 07:16:37.918926: | results fail Sep 21 07:16:37.918931: | refine_host_connection: checking "eastnet-any"[1] 192.1.2.254 against "eastnet-any"[1] 192.1.2.254, best=(none) with match=0(id=0(0)/ca=1(0)/reqca=1(0)) Sep 21 07:16:37.918934: | Warning: not switching back to template of current instance Sep 21 07:16:37.918937: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Sep 21 07:16:37.918940: | This connection's local id is @east (ID_FQDN) Sep 21 07:16:37.918943: | skipping because peer_id does not match Sep 21 07:16:37.918945: | refine going into 2nd loop allowing instantiated conns as well Sep 21 07:16:37.918951: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:16:37.918955: | match_id a=192.1.3.209 Sep 21 07:16:37.918958: | b=(none) Sep 21 07:16:37.918960: | results matched Sep 21 07:16:37.918965: | refine_host_connection: checking "eastnet-any"[1] 192.1.2.254 against "eastnet-any", best=(none) with match=1(id=1(15)/ca=1(0)/reqca=1(0)) Sep 21 07:16:37.918967: | Warning: 
not switching back to template of current instance Sep 21 07:16:37.918970: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Sep 21 07:16:37.918973: | This connection's local id is @east (ID_FQDN) Sep 21 07:16:37.918977: | refine_host_connection: checked eastnet-any[1] 192.1.2.254 against eastnet-any, now for see if best Sep 21 07:16:37.918981: | started looking for secret for @east->(none) of kind PKK_PSK Sep 21 07:16:37.918984: | instantiating him to %ANYADDR Sep 21 07:16:37.918986: | actually looking for secret for @east->%any of kind PKK_PSK Sep 21 07:16:37.918990: | line 1: key type PKK_PSK(@east) to type PKK_PSK Sep 21 07:16:37.918993: | 1: compared key %any to @east / %any -> 002 Sep 21 07:16:37.918997: | 2: compared key @east to @east / %any -> 012 Sep 21 07:16:37.919000: | line 1: match=012 Sep 21 07:16:37.919003: | match 012 beats previous best_match 000 match=0x55bba9455530 (line=1) Sep 21 07:16:37.919006: | concluding with best_match=012 best=0x55bba9455530 (lineno=1) Sep 21 07:16:37.919009: | refine_host_connection: picking new best "eastnet-any" (wild=15, peer_pathlen=0/our=0) Sep 21 07:16:37.919011: | returning since no better match than original best_found Sep 21 07:16:37.919016: "eastnet-any"[1] 192.1.2.254 #1: switched from "eastnet-any"[1] 192.1.2.254 to "eastnet-any" Sep 21 07:16:37.919021: | match_id a=192.1.3.209 Sep 21 07:16:37.919023: | b=(none) Sep 21 07:16:37.919026: | results matched Sep 21 07:16:37.919033: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.254:500 but ignoring ports Sep 21 07:16:37.919039: | connect_to_host_pair: 192.1.2.23:500 192.1.2.254:500 -> hp@0x55bba93f2dc0: eastnet-any Sep 21 07:16:37.919044: | rw_instantiate() instantiated "eastnet-any"[2] 192.1.2.254 for 192.1.2.254 Sep 21 07:16:37.919049: | in connection_discard for connection eastnet-any Sep 21 07:16:37.919051: | connection is instance Sep 21 07:16:37.919053: | not in pending use Sep 21 07:16:37.919056: | State DB: state not found 
(connection_discard) Sep 21 07:16:37.919058: | no states use this connection instance, deleting Sep 21 07:16:37.919063: | start processing: connection "eastnet-any"[1] 192.1.2.254 (BACKGROUND) (in delete_connection() at connections.c:189) Sep 21 07:16:37.919069: "eastnet-any"[2] 192.1.2.254 #1: deleting connection "eastnet-any"[1] 192.1.2.254 instance with peer 192.1.2.254 {isakmp=#0/ipsec=#0} Sep 21 07:16:37.919072: | Deleting states for connection - not including other IPsec SA's Sep 21 07:16:37.919075: | pass 0 Sep 21 07:16:37.919077: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:16:37.919082: | state #1 Sep 21 07:16:37.919084: | pass 1 Sep 21 07:16:37.919087: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:16:37.919089: | state #1 Sep 21 07:16:37.919092: | flush revival: connection 'eastnet-any' wasn't on the list Sep 21 07:16:37.919097: | stop processing: connection "eastnet-any"[1] 192.1.2.254 (BACKGROUND) (in discard_connection() at connections.c:249) Sep 21 07:16:37.919100: | retrying ikev2_decode_peer_id_and_certs() with new conn Sep 21 07:16:37.919103: | parsing 4 raw bytes of IKEv2 Identification - Initiator - Payload into peer ID Sep 21 07:16:37.919106: | peer ID c0 01 03 d1 Sep 21 07:16:37.919108: | received IDr payload - extracting our alleged ID Sep 21 07:16:37.919112: | refine_host_connection for IKEv2: starting with "eastnet-any"[2] 192.1.2.254 Sep 21 07:16:37.919116: | match_id a=192.1.3.209 Sep 21 07:16:37.919119: | b=192.1.3.209 Sep 21 07:16:37.919121: | results matched Sep 21 07:16:37.919127: | refine_host_connection: checking "eastnet-any"[2] 192.1.2.254 against "eastnet-any"[2] 192.1.2.254, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Sep 21 07:16:37.919130: | Warning: not switching back to template of current instance Sep 21 07:16:37.919132: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Sep 21 07:16:37.919135: | This connection's local id is @east (ID_FQDN) 
Sep 21 07:16:37.919140: | refine_host_connection: checked eastnet-any[2] 192.1.2.254 against eastnet-any[2] 192.1.2.254, now for see if best Sep 21 07:16:37.919144: | started looking for secret for @east->192.1.3.209 of kind PKK_PSK Sep 21 07:16:37.919148: | actually looking for secret for @east->192.1.3.209 of kind PKK_PSK Sep 21 07:16:37.919151: | line 1: key type PKK_PSK(@east) to type PKK_PSK Sep 21 07:16:37.919155: | 1: compared key %any to @east / 192.1.3.209 -> 002 Sep 21 07:16:37.919159: | 2: compared key @east to @east / 192.1.3.209 -> 012 Sep 21 07:16:37.919162: | line 1: match=012 Sep 21 07:16:37.919165: | match 012 beats previous best_match 000 match=0x55bba9455530 (line=1) Sep 21 07:16:37.919167: | concluding with best_match=012 best=0x55bba9455530 (lineno=1) Sep 21 07:16:37.919170: | returning because exact peer id match Sep 21 07:16:37.919172: | offered CA: '%none' Sep 21 07:16:37.919177: "eastnet-any"[2] 192.1.2.254 #1: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.1.3.209' Sep 21 07:16:37.919197: | verifying AUTH payload Sep 21 07:16:37.919201: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret Sep 21 07:16:37.919206: | started looking for secret for @east->192.1.3.209 of kind PKK_PSK Sep 21 07:16:37.919210: | actually looking for secret for @east->192.1.3.209 of kind PKK_PSK Sep 21 07:16:37.919213: | line 1: key type PKK_PSK(@east) to type PKK_PSK Sep 21 07:16:37.919217: | 1: compared key %any to @east / 192.1.3.209 -> 002 Sep 21 07:16:37.919221: | 2: compared key @east to @east / 192.1.3.209 -> 012 Sep 21 07:16:37.919224: | line 1: match=012 Sep 21 07:16:37.919226: | match 012 beats previous best_match 000 match=0x55bba9455530 (line=1) Sep 21 07:16:37.919229: | concluding with best_match=012 best=0x55bba9455530 (lineno=1) Sep 21 07:16:37.919294: "eastnet-any"[2] 192.1.2.254 #1: Authenticated using authby=secret Sep 21 07:16:37.919300: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE 
SA) Sep 21 07:16:37.919304: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:16:37.919307: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:37.919311: | libevent_free: release ptr-libevent@0x55bba9465e30 Sep 21 07:16:37.919313: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55bba9465df0 Sep 21 07:16:37.919316: | event_schedule: new EVENT_SA_REKEY-pe@0x55bba9465df0 Sep 21 07:16:37.919320: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Sep 21 07:16:37.919323: | libevent_malloc: new ptr-libevent@0x55bba9465e30 size 128 Sep 21 07:16:37.919711: | pstats #1 ikev2.ike established Sep 21 07:16:37.919725: | **emit ISAKMP Message: Sep 21 07:16:37.919729: | initiator cookie: Sep 21 07:16:37.919732: | e2 89 18 1d 52 8d ca 70 Sep 21 07:16:37.919734: | responder cookie: Sep 21 07:16:37.919737: | 77 7a c6 a2 02 ee bc 1f Sep 21 07:16:37.919740: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:37.919744: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:37.919746: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:16:37.919750: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:16:37.919752: | Message ID: 1 (0x1) Sep 21 07:16:37.919756: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:37.919759: | IKEv2 CERT: send a certificate? 
Sep 21 07:16:37.919763: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Sep 21 07:16:37.919766: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:37.919769: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:37.919772: | flags: none (0x0) Sep 21 07:16:37.919776: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:37.919779: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:16:37.919787: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:37.919800: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:16:37.919819: | ****emit IKEv2 Identification - Responder - Payload: Sep 21 07:16:37.919822: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:37.919824: | flags: none (0x0) Sep 21 07:16:37.919827: | ID type: ID_FQDN (0x2) Sep 21 07:16:37.919831: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Sep 21 07:16:37.919833: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:37.919837: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Sep 21 07:16:37.919839: | my identity 65 61 73 74 Sep 21 07:16:37.919842: | emitting length of IKEv2 Identification - Responder - Payload: 12 Sep 21 07:16:37.919854: | assembled IDr payload Sep 21 07:16:37.919857: | CHILD SA proposals received Sep 21 07:16:37.919859: | going to assemble AUTH payload Sep 21 07:16:37.919862: | ****emit IKEv2 Authentication Payload: Sep 21 07:16:37.919864: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:37.919867: | flags: none (0x0) Sep 21 07:16:37.919869: | auth method: IKEv2_AUTH_SHARED (0x2) Sep 21 07:16:37.919872: | next payload chain: 
ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Sep 21 07:16:37.919875: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Sep 21 07:16:37.919878: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Sep 21 07:16:37.919881: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Sep 21 07:16:37.919886: | started looking for secret for @east->192.1.3.209 of kind PKK_PSK Sep 21 07:16:37.919890: | actually looking for secret for @east->192.1.3.209 of kind PKK_PSK Sep 21 07:16:37.919893: | line 1: key type PKK_PSK(@east) to type PKK_PSK Sep 21 07:16:37.919897: | 1: compared key %any to @east / 192.1.3.209 -> 002 Sep 21 07:16:37.919901: | 2: compared key @east to @east / 192.1.3.209 -> 012 Sep 21 07:16:37.919904: | line 1: match=012 Sep 21 07:16:37.919907: | match 012 beats previous best_match 000 match=0x55bba9455530 (line=1) Sep 21 07:16:37.919909: | concluding with best_match=012 best=0x55bba9455530 (lineno=1) Sep 21 07:16:37.919961: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Sep 21 07:16:37.919965: | PSK auth 97 8c f8 cb 6f 92 3f 88 c7 11 91 78 c6 3b f2 33 Sep 21 07:16:37.919969: | PSK auth 28 c5 19 0a be 3b 10 c5 27 bc ab fd 04 35 da 22 Sep 21 07:16:37.919971: | PSK auth 0c 53 be b6 02 42 b5 b7 49 65 a8 3f ad ae b3 ba Sep 21 07:16:37.919973: | PSK auth 8b 47 47 bb 1f 08 ba d3 00 c3 a6 e4 66 9f 6f 85 Sep 21 07:16:37.919976: | emitting length of IKEv2 Authentication Payload: 72 Sep 21 07:16:37.919980: | creating state object #2 at 0x55bba9464740 Sep 21 07:16:37.919983: | State DB: adding IKEv2 state #2 in UNDEFINED Sep 21 07:16:37.919986: | pstats #2 ikev2.child started Sep 21 07:16:37.919991: | duplicating state object #1 "eastnet-any"[2] 192.1.2.254 as #2 for IPSEC SA Sep 21 
07:16:37.919997: | #2 setting local endpoint to 192.1.2.23:4500 from #1.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:16:37.920003: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:37.920008: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Sep 21 07:16:37.920013: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Sep 21 07:16:37.920016: | Child SA TS Request has ike->sa == md->st; so using parent connection Sep 21 07:16:37.920019: | TSi: parsing 1 traffic selectors Sep 21 07:16:37.920022: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:37.920025: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:37.920028: | IP Protocol ID: 0 (0x0) Sep 21 07:16:37.920030: | length: 16 (0x10) Sep 21 07:16:37.920033: | start port: 0 (0x0) Sep 21 07:16:37.920035: | end port: 65535 (0xffff) Sep 21 07:16:37.920039: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:37.920041: | TS low c0 00 01 00 Sep 21 07:16:37.920043: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:37.920045: | TS high c0 00 01 ff Sep 21 07:16:37.920047: | TSi: parsed 1 traffic selectors Sep 21 07:16:37.920049: | TSr: parsing 1 traffic selectors Sep 21 07:16:37.920052: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:37.920054: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:37.920056: | IP Protocol ID: 0 (0x0) Sep 21 07:16:37.920058: | length: 16 (0x10) Sep 21 07:16:37.920060: | start port: 0 (0x0) Sep 21 07:16:37.920063: | end port: 65535 (0xffff) Sep 21 07:16:37.920065: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:37.920067: | TS low c0 00 02 00 Sep 21 07:16:37.920069: | parsing 4 raw 
bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:37.920071: | TS high c0 00 02 ff Sep 21 07:16:37.920074: | TSr: parsed 1 traffic selectors Sep 21 07:16:37.920076: | looking for best SPD in current connection Sep 21 07:16:37.920083: | evaluating our conn="eastnet-any"[2] 192.1.2.254 I=192.0.1.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:16:37.920088: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:37.920094: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Sep 21 07:16:37.920097: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:37.920099: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:37.920102: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:16:37.920105: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:37.920110: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:37.920115: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:16:37.920118: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:16:37.920121: | TSr[0] port match: YES fitness 65536 Sep 21 07:16:37.920123: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:16:37.920126: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:37.920131: | best fit so far: TSi[0] TSr[0] Sep 21 07:16:37.920134: | found better spd route for TSi[0],TSr[0] Sep 21 07:16:37.920136: | looking for better host pair Sep 21 07:16:37.920142: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.254:500 but ignoring ports Sep 21 07:16:37.920146: | checking hostpair 192.0.2.0/24:0 -> 192.0.1.0/24:0 is found Sep 21 07:16:37.920149: | investigating connection "eastnet-any" as a better match Sep 21 07:16:37.920153: | match_id a=192.1.3.209 Sep 21 07:16:37.920156: | b=192.1.3.209 Sep 21 07:16:37.920158: | results matched Sep 21 07:16:37.920165: | evaluating our 
conn="eastnet-any"[2] 192.1.2.254 I=192.0.1.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:16:37.920170: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:37.920176: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Sep 21 07:16:37.920179: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:37.920182: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:37.920184: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:16:37.920187: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:37.920192: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:37.920197: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:16:37.920201: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:16:37.920203: | TSr[0] port match: YES fitness 65536 Sep 21 07:16:37.920206: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:16:37.920209: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:37.920211: | best fit so far: TSi[0] TSr[0] Sep 21 07:16:37.920213: | did not find a better connection using host pair Sep 21 07:16:37.920216: | printing contents struct traffic_selector Sep 21 07:16:37.920218: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:16:37.920221: | ipprotoid: 0 Sep 21 07:16:37.920223: | port range: 0-65535 Sep 21 07:16:37.920227: | ip range: 192.0.2.0-192.0.2.255 Sep 21 07:16:37.920229: | printing contents struct traffic_selector Sep 21 07:16:37.920232: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:16:37.920234: | ipprotoid: 0 Sep 21 07:16:37.920236: | port range: 0-65535 Sep 21 07:16:37.920241: | ip range: 192.0.1.0-192.0.1.255 Sep 21 07:16:37.920245: | constructing ESP/AH proposals with all DH removed for eastnet-any (IKE_AUTH responder matching remote ESP/AH proposals) Sep 21 07:16:37.920251: | converting proposal AES_GCM_16_256-NONE to ikev2 ... 
Sep 21 07:16:37.920258: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Sep 21 07:16:37.920261: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Sep 21 07:16:37.920265: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED Sep 21 07:16:37.920269: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Sep 21 07:16:37.920273: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:16:37.920276: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Sep 21 07:16:37.920280: | ... ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:16:37.920290: "eastnet-any"[2] 192.1.2.254: constructed local ESP/AH proposals for eastnet-any (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:16:37.920294: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals Sep 21 07:16:37.920300: | local proposal 1 type ENCR has 1 transforms Sep 21 07:16:37.920302: | local proposal 1 type PRF has 0 transforms Sep 21 07:16:37.920305: | local proposal 1 type INTEG has 1 transforms Sep 21 07:16:37.920308: | local proposal 1 type DH has 1 transforms Sep 21 07:16:37.920310: | local proposal 1 type ESN has 1 transforms Sep 21 07:16:37.920314: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Sep 21 07:16:37.920316: | local proposal 2 type ENCR has 1 transforms Sep 21 07:16:37.920318: | local proposal 2 type PRF has 0 transforms Sep 21 07:16:37.920321: | local proposal 2 type INTEG has 1 transforms Sep 21 
07:16:37.920323: | local proposal 2 type DH has 1 transforms Sep 21 07:16:37.920326: | local proposal 2 type ESN has 1 transforms Sep 21 07:16:37.920328: | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH Sep 21 07:16:37.920331: | local proposal 3 type ENCR has 1 transforms Sep 21 07:16:37.920334: | local proposal 3 type PRF has 0 transforms Sep 21 07:16:37.920336: | local proposal 3 type INTEG has 2 transforms Sep 21 07:16:37.920339: | local proposal 3 type DH has 1 transforms Sep 21 07:16:37.920341: | local proposal 3 type ESN has 1 transforms Sep 21 07:16:37.920344: | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: DH Sep 21 07:16:37.920346: | local proposal 4 type ENCR has 1 transforms Sep 21 07:16:37.920349: | local proposal 4 type PRF has 0 transforms Sep 21 07:16:37.920351: | local proposal 4 type INTEG has 2 transforms Sep 21 07:16:37.920353: | local proposal 4 type DH has 1 transforms Sep 21 07:16:37.920355: | local proposal 4 type ESN has 1 transforms Sep 21 07:16:37.920358: | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH Sep 21 07:16:37.920361: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:37.920363: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:16:37.920366: | length: 32 (0x20) Sep 21 07:16:37.920368: | prop #: 1 (0x1) Sep 21 07:16:37.920370: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:37.920373: | spi size: 4 (0x4) Sep 21 07:16:37.920375: | # transforms: 2 (0x2) Sep 21 07:16:37.920378: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:16:37.920381: | remote SPI 52 1f 4c c9 Sep 21 07:16:37.920384: | Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals Sep 21 07:16:37.920387: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.920389: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.920391: | length: 12 (0xc) Sep 21 07:16:37.920394: | IKEv2 transform type: 
TRANS_TYPE_ENCR (0x1) Sep 21 07:16:37.920396: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:16:37.920399: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:37.920402: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:37.920404: | length/value: 256 (0x100) Sep 21 07:16:37.920408: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:16:37.920411: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.920414: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:37.920416: | length: 8 (0x8) Sep 21 07:16:37.920418: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:37.920421: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:37.920425: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:16:37.920428: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Sep 21 07:16:37.920431: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Sep 21 07:16:37.920434: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Sep 21 07:16:37.920437: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Sep 21 07:16:37.920444: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Sep 21 07:16:37.920447: | remote proposal 1 matches local proposal 1 Sep 21 07:16:37.920450: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:37.920452: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:16:37.920454: | length: 32 (0x20) Sep 21 07:16:37.920456: | prop #: 2 (0x2) Sep 21 07:16:37.920459: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:37.920461: | spi size: 4 (0x4) Sep 21 07:16:37.920463: | # transforms: 2 (0x2) Sep 21 07:16:37.920467: | parsing 4 raw bytes of IKEv2 Proposal 
Substructure Payload into remote SPI Sep 21 07:16:37.920469: | remote SPI 52 1f 4c c9 Sep 21 07:16:37.920472: | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:16:37.920475: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.920477: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.920480: | length: 12 (0xc) Sep 21 07:16:37.920482: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:37.920485: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:16:37.920487: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:37.920490: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:37.920492: | length/value: 128 (0x80) Sep 21 07:16:37.920495: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.920497: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:37.920500: | length: 8 (0x8) Sep 21 07:16:37.920502: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:37.920505: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:37.920508: | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN Sep 21 07:16:37.920511: | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN Sep 21 07:16:37.920513: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:37.920516: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:16:37.920518: | length: 48 (0x30) Sep 21 07:16:37.920520: | prop #: 3 (0x3) Sep 21 07:16:37.920523: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:37.920525: | spi size: 4 (0x4) Sep 21 07:16:37.920527: | # transforms: 4 (0x4) Sep 21 07:16:37.920530: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:16:37.920533: | remote SPI 52 1f 4c c9 Sep 21 07:16:37.920535: | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:16:37.920538: | ****parse IKEv2 Transform Substructure Payload: Sep 21 
07:16:37.920541: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.920543: | length: 12 (0xc) Sep 21 07:16:37.920546: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:37.920548: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:37.920550: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:37.920552: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:37.920554: | length/value: 256 (0x100) Sep 21 07:16:37.920557: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.920560: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.920562: | length: 8 (0x8) Sep 21 07:16:37.920565: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:37.920567: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:37.920570: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.920572: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.920574: | length: 8 (0x8) Sep 21 07:16:37.920577: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:37.920579: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:16:37.920582: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.920584: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:37.920586: | length: 8 (0x8) Sep 21 07:16:37.920589: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:37.920592: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:37.920596: | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Sep 21 07:16:37.920599: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN Sep 21 07:16:37.920602: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:37.920604: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:37.920606: | length: 48 (0x30) Sep 21 07:16:37.920608: | prop #: 4 (0x4) Sep 21 07:16:37.920610: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:37.920612: | spi size: 4 (0x4) Sep 21 07:16:37.920614: | # 
transforms: 4 (0x4) Sep 21 07:16:37.920617: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:16:37.920619: | remote SPI 52 1f 4c c9 Sep 21 07:16:37.920622: | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:16:37.920625: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.920627: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.920629: | length: 12 (0xc) Sep 21 07:16:37.920631: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:37.920633: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:37.920635: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:37.920638: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:37.920640: | length/value: 128 (0x80) Sep 21 07:16:37.920643: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.920645: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.920647: | length: 8 (0x8) Sep 21 07:16:37.920650: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:37.920652: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:37.920655: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.920657: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.920659: | length: 8 (0x8) Sep 21 07:16:37.920661: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:37.920663: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:16:37.920666: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:37.920668: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:37.920670: | length: 8 (0x8) Sep 21 07:16:37.920672: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:37.920674: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:37.920677: | remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Sep 21 07:16:37.920679: | remote proposal 4 does not match; unmatched remote transforms: 
ENCR+INTEG+ESN Sep 21 07:16:37.920684: "eastnet-any"[2] 192.1.2.254 #1: proposal 1:ESP:SPI=521f4cc9;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Sep 21 07:16:37.920688: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=521f4cc9;ENCR=AES_GCM_C_256;ESN=DISABLED Sep 21 07:16:37.920691: | converting proposal to internal trans attrs Sep 21 07:16:37.920707: | netlink_get_spi: allocated 0x44b468eb for esp.0@192.1.2.23 Sep 21 07:16:37.920710: | Emitting ikev2_proposal ... Sep 21 07:16:37.920712: | ****emit IKEv2 Security Association Payload: Sep 21 07:16:37.920714: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:37.920716: | flags: none (0x0) Sep 21 07:16:37.920719: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:37.920721: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:37.920724: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:37.920727: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:37.920729: | prop #: 1 (0x1) Sep 21 07:16:37.920731: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:37.920733: | spi size: 4 (0x4) Sep 21 07:16:37.920735: | # transforms: 2 (0x2) Sep 21 07:16:37.920738: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:37.920741: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:16:37.920743: | our spi 44 b4 68 eb Sep 21 07:16:37.920745: | ******emit IKEv2 Transform Substructure Payload: Sep 21 
07:16:37.920747: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.920749: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:37.920751: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:16:37.920753: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:37.920756: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:37.920758: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:37.920760: | length/value: 256 (0x100) Sep 21 07:16:37.920762: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:16:37.920764: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:37.920767: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:37.920769: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:37.920771: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:37.920774: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:37.920777: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:37.920779: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:37.920781: | emitting length of IKEv2 Proposal Substructure Payload: 32 Sep 21 07:16:37.920787: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:16:37.920792: | emitting length of IKEv2 Security Association Payload: 36 Sep 21 07:16:37.920795: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:37.920797: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:16:37.920800: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:37.920802: | flags: none (0x0) Sep 21 
07:16:37.920804: | number of TS: 1 (0x1) Sep 21 07:16:37.920807: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:16:37.920810: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:37.920812: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:37.920815: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:37.920817: | IP Protocol ID: 0 (0x0) Sep 21 07:16:37.920819: | start port: 0 (0x0) Sep 21 07:16:37.920821: | end port: 65535 (0xffff) Sep 21 07:16:37.920824: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:16:37.920826: | IP start c0 00 01 00 Sep 21 07:16:37.920828: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:37.920830: | IP end c0 00 01 ff Sep 21 07:16:37.920832: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:37.920834: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:16:37.920836: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:37.920839: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:37.920841: | flags: none (0x0) Sep 21 07:16:37.920843: | number of TS: 1 (0x1) Sep 21 07:16:37.920846: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:16:37.920873: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:37.920878: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:37.920883: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:37.920888: | IP Protocol ID: 0 (0x0) Sep 21 07:16:37.920893: | start port: 0 (0x0) Sep 21 07:16:37.920899: | end port: 65535 (0xffff) Sep 21 07:16:37.920904: | emitting 4 
raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:16:37.920909: | IP start c0 00 02 00 Sep 21 07:16:37.920914: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:37.920919: | IP end c0 00 02 ff Sep 21 07:16:37.920924: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:37.920929: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:16:37.920934: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:16:37.920940: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Sep 21 07:16:37.921111: | FOR_EACH_CONNECTION_... in ISAKMP_SA_established Sep 21 07:16:37.921123: | #1 spent 1.93 milliseconds Sep 21 07:16:37.921128: | install_ipsec_sa() for #2: inbound and outbound Sep 21 07:16:37.921133: | could_route called for eastnet-any (kind=CK_INSTANCE) Sep 21 07:16:37.921138: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:16:37.921144: | conn eastnet-any mark 0/00000000, 0/00000000 vs Sep 21 07:16:37.921149: | conn eastnet-any mark 0/00000000, 0/00000000 Sep 21 07:16:37.921153: | conn eastnet-any mark 0/00000000, 0/00000000 vs Sep 21 07:16:37.921158: | conn eastnet-any mark 0/00000000, 0/00000000 Sep 21 07:16:37.921169: | route owner of "eastnet-any"[2] 192.1.2.254 unrouted: NULL; eroute owner: NULL Sep 21 07:16:37.921175: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Sep 21 07:16:37.921180: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Sep 21 07:16:37.921185: | AES_GCM_16 requires 4 salt bytes Sep 21 07:16:37.921190: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Sep 21 07:16:37.921196: | setting IPsec SA replay-window to 32 Sep 21 07:16:37.921202: | NIC esp-hw-offload not for connection 'eastnet-any' not available on interface eth1 Sep 21 07:16:37.921205: | netlink: enabling tunnel mode Sep 21 07:16:37.921208: | netlink: setting IPsec SA replay-window to 32 using 
old-style req Sep 21 07:16:37.921210: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:16:37.921890: | netlink response for Add SA esp.521f4cc9@192.1.2.254 included non-error error Sep 21 07:16:37.921899: | set up outgoing SA, ref=0/0 Sep 21 07:16:37.921902: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Sep 21 07:16:37.921905: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Sep 21 07:16:37.921908: | AES_GCM_16 requires 4 salt bytes Sep 21 07:16:37.921910: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Sep 21 07:16:37.921914: | setting IPsec SA replay-window to 32 Sep 21 07:16:37.921917: | NIC esp-hw-offload not for connection 'eastnet-any' not available on interface eth1 Sep 21 07:16:37.921919: | netlink: enabling tunnel mode Sep 21 07:16:37.921922: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:16:37.921924: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:16:37.922084: | netlink response for Add SA esp.44b468eb@192.1.2.23 included non-error error Sep 21 07:16:37.922170: | priority calculation of connection "eastnet-any" is 0xfe7e7 Sep 21 07:16:37.922181: | add inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Sep 21 07:16:37.922185: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:37.922426: | raw_eroute result=success Sep 21 07:16:37.922431: | set up incoming SA, ref=0/0 Sep 21 07:16:37.922437: | sr for #2: unrouted Sep 21 07:16:37.922440: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:16:37.922442: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:16:37.922445: | conn eastnet-any mark 0/00000000, 0/00000000 vs Sep 21 07:16:37.922449: | conn eastnet-any mark 0/00000000, 0/00000000 Sep 21 07:16:37.922452: | conn eastnet-any mark 0/00000000, 0/00000000 vs Sep 21 07:16:37.922454: | conn eastnet-any mark 0/00000000, 0/00000000 Sep 21 07:16:37.922459: | route owner of "eastnet-any"[2] 192.1.2.254 unrouted: NULL; eroute owner: NULL Sep 21 07:16:37.922463: | route_and_eroute with c: eastnet-any (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Sep 21 07:16:37.922466: | priority calculation of connection "eastnet-any" is 0xfe7e7 Sep 21 07:16:37.922473: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.254 (raw_eroute) Sep 21 07:16:37.922476: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:37.922594: | raw_eroute result=success Sep 21 07:16:37.922601: | running updown command "ipsec _updown" for verb up Sep 21 07:16:37.922604: | command executing up-client Sep 21 07:16:37.922630: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16396' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='192.1.3.209' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' 
VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x521f4cc9 Sep 21 07:16:37.922634: | popen cmd is 1034 chars long Sep 21 07:16:37.922637: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_: Sep 21 07:16:37.922639: | cmd( 80):INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID=: Sep 21 07:16:37.922642: | cmd( 160):'@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_: Sep 21 07:16:37.922644: | cmd( 240):CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQ: Sep 21 07:16:37.922647: | cmd( 320):ID='16396' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='192.1.3.2: Sep 21 07:16:37.922649: | cmd( 400):09' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEE: Sep 21 07:16:37.922651: | cmd( 480):R_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_: Sep 21 07:16:37.922654: | cmd( 560):PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT: Sep 21 07:16:37.922656: | cmd( 640):+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_I: Sep 21 07:16:37.922659: | cmd( 720):NSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLU: Sep 21 07:16:37.922661: | cmd( 800):TO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SER: Sep 21 07:16:37.922664: | cmd( 880):VER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='n: Sep 21 07:16:37.922666: | cmd( 960):o' VTI_SHARED='no' SPI_IN=0x521f4cc9 SPI_OUT=0x44b468eb ipsec _updown 2>&1: Sep 21 07:16:38.016755: | route_and_eroute: firewall_notified: true Sep 21 07:16:38.016769: | running updown command "ipsec _updown" for verb prepare Sep 21 07:16:38.016774: | command executing prepare-client Sep 21 07:16:38.016814: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' 
PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16396' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='192.1.3.209' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN= Sep 21 07:16:38.016822: | popen cmd is 1039 chars long Sep 21 07:16:38.016825: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' P: Sep 21 07:16:38.016828: | cmd( 80):LUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_M: Sep 21 07:16:38.016831: | cmd( 160):Y_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUT: Sep 21 07:16:38.016833: | cmd( 240):O_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_S: Sep 21 07:16:38.016836: | cmd( 320):A_REQID='16396' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='192.: Sep 21 07:16:38.016839: | cmd( 400):1.3.209' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUT: Sep 21 07:16:38.016841: | cmd( 480):O_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' P: Sep 21 07:16:38.016844: | cmd( 560):LUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+EN: Sep 21 07:16:38.016846: | cmd( 640):CRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' 
PLUTO_CONN_KIND=: Sep 21 07:16:38.016849: | cmd( 720):'CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0: Sep 21 07:16:38.016851: | cmd( 800):' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CF: Sep 21 07:16:38.016854: | cmd( 880):G_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTI: Sep 21 07:16:38.016857: | cmd( 960):NG='no' VTI_SHARED='no' SPI_IN=0x521f4cc9 SPI_OUT=0x44b468eb ipsec _updown 2>&1: Sep 21 07:16:38.279967: | running updown command "ipsec _updown" for verb route Sep 21 07:16:38.279985: | command executing route-client Sep 21 07:16:38.280017: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16396' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='192.1.3.209' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x52 Sep 21 07:16:38.280020: | popen cmd is 1037 chars long Sep 21 07:16:38.280024: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLU: Sep 21 07:16:38.280026: | cmd( 80):TO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_: Sep 21 07:16:38.280029: | cmd( 
160):ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_: Sep 21 07:16:38.280036: | cmd( 240):MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_: Sep 21 07:16:38.280039: | cmd( 320):REQID='16396' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='192.1.: Sep 21 07:16:38.280041: | cmd( 400):3.209' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_: Sep 21 07:16:38.280044: | cmd( 480):PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLU: Sep 21 07:16:38.280046: | cmd( 560):TO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCR: Sep 21 07:16:38.280049: | cmd( 640):YPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='C: Sep 21 07:16:38.280052: | cmd( 720):K_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' : Sep 21 07:16:38.280054: | cmd( 800):PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_: Sep 21 07:16:38.280057: | cmd( 880):SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING: Sep 21 07:16:38.280060: | cmd( 960):='no' VTI_SHARED='no' SPI_IN=0x521f4cc9 SPI_OUT=0x44b468eb ipsec _updown 2>&1: Sep 21 07:16:38.597858: | route_and_eroute: instance "eastnet-any"[2] 192.1.2.254, setting eroute_owner {spd=0x55bba9467380,sr=0x55bba9467380} to #2 (was #0) (newest_ipsec_sa=#0) Sep 21 07:16:38.597937: | #1 spent 0.998 milliseconds in install_ipsec_sa() Sep 21 07:16:38.597947: | ISAKMP_v2_IKE_AUTH: instance eastnet-any[2], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Sep 21 07:16:38.597953: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:16:38.597957: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:38.597961: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:38.597964: | 
emitting length of IKEv2 Encryption Payload: 197 Sep 21 07:16:38.597967: | emitting length of ISAKMP Message: 225 Sep 21 07:16:38.597991: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Sep 21 07:16:38.597998: | #1 spent 3 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Sep 21 07:16:38.598007: | suspend processing: state #1 connection "eastnet-any"[2] 192.1.2.254 from 192.1.2.254:4500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:38.598015: | start processing: state #2 connection "eastnet-any"[2] 192.1.2.254 from 192.1.2.254:4500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:38.598020: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Sep 21 07:16:38.598024: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Sep 21 07:16:38.598028: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Sep 21 07:16:38.598032: | Message ID: updating counters for #2 to 1 after switching state Sep 21 07:16:38.598039: | Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Sep 21 07:16:38.598045: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Sep 21 07:16:38.598048: | pstats #2 ikev2.child established Sep 21 07:16:38.598057: "eastnet-any"[2] 192.1.2.254 #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Sep 21 07:16:38.598063: | NAT-T: NAT Traversal detected - their IKE port is '500' Sep 21 07:16:38.598066: | NAT-T: encaps is 'auto' Sep 21 07:16:38.598072: "eastnet-any"[2] 192.1.2.254 #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0x521f4cc9 <0x44b468eb xfrm=AES_GCM_16_256-NONE NATOA=none 
NATD=192.1.2.254:4500 DPD=passive} Sep 21 07:16:38.598080: | sending V2 new request packet to 192.1.2.254:4500 (from 192.1.2.23:4500) Sep 21 07:16:38.598088: | sending 229 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:4500 to 192.1.2.254:4500 (using #1) Sep 21 07:16:38.598178: | releasing whack for #2 (sock=fd@-1) Sep 21 07:16:38.598183: | releasing whack and unpending for parent #1 Sep 21 07:16:38.598187: | unpending state #1 connection "eastnet-any"[2] 192.1.2.254 Sep 21 07:16:38.598192: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:16:38.598196: | event_schedule: new EVENT_SA_REKEY-pe@0x7f02f8002b20 Sep 21 07:16:38.598200: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Sep 21 07:16:38.598204: | libevent_malloc: new ptr-libevent@0x55bba9469f30 size 128 Sep 21 07:16:38.598210: | resume sending helper answer for #1 suppresed
complete_v2_state_transition() Sep 21 07:16:38.598215: | #1 spent 3.32 milliseconds in resume sending helper answer Sep 21 07:16:38.598222: | stop processing: state #2 connection "eastnet-any"[2] 192.1.2.254 from 192.1.2.254:4500 (in resume_handler() at server.c:833) Sep 21 07:16:38.598226: | libevent_free: release ptr-libevent@0x7f02f0006b90 Sep 21 07:16:38.598236: | processing signal PLUTO_SIGCHLD Sep 21 07:16:38.598241: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:38.598246: | spent 0.00533 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:38.598249: | processing signal PLUTO_SIGCHLD Sep 21 07:16:38.598252: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:38.598256: | spent 0.00357 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:38.598259: | processing signal PLUTO_SIGCHLD Sep 21 07:16:38.598262: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:38.598266: | spent 0.00349 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:39.425898: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:39.426285: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:16:39.426291: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:16:39.426400: | FOR_EACH_STATE_... in show_states_status (sort_states) Sep 21 07:16:39.426405: | FOR_EACH_STATE_... 
in sort_states Sep 21 07:16:39.426421: | get_sa_info esp.44b468eb@192.1.2.23 Sep 21 07:16:39.426438: | get_sa_info esp.521f4cc9@192.1.2.254 Sep 21 07:16:39.426463: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:39.426471: | spent 0.575 milliseconds in whack Sep 21 07:16:41.795949: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:41.795974: shutting down Sep 21 07:16:41.795982: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Sep 21 07:16:41.795986: | pluto_sd: executing action action: stopping(6), status 0 Sep 21 07:16:41.795993: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:16:41.795996: forgetting secrets Sep 21 07:16:41.796003: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:16:41.796009: | start processing: connection "eastnet-any"[2] 192.1.2.254 (in delete_connection() at connections.c:189) Sep 21 07:16:41.796016: "eastnet-any"[2] 192.1.2.254: deleting connection "eastnet-any"[2] 192.1.2.254 instance with peer 192.1.2.254 {isakmp=#1/ipsec=#2} Sep 21 07:16:41.796019: | Deleting states for connection - including all other IPsec SA's of this IKE SA Sep 21 07:16:41.796021: | pass 0 Sep 21 07:16:41.796024: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Sep 21 07:16:41.796026: | state #2 Sep 21 07:16:41.796031: | suspend processing: connection "eastnet-any"[2] 192.1.2.254 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:16:41.796037: | start processing: state #2 connection "eastnet-any"[2] 192.1.2.254 from 192.1.2.254:4500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:16:41.796040: | pstats #2 ikev2.child deleted completed Sep 21 07:16:41.796046: | [RE]START processing: state #2 connection "eastnet-any"[2] 192.1.2.254 from 192.1.2.254:4500 (in delete_state() at state.c:879) Sep 21 07:16:41.796052: "eastnet-any"[2] 192.1.2.254 #2: deleting state (STATE_V2_IPSEC_R) aged 3.876s and sending notification Sep 21 07:16:41.796055: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Sep 21 07:16:41.796060: | get_sa_info esp.521f4cc9@192.1.2.254 Sep 21 07:16:41.796073: | get_sa_info esp.44b468eb@192.1.2.23 Sep 21 07:16:41.796082: "eastnet-any"[2] 192.1.2.254 #2: ESP traffic information: in=0B out=0B Sep 21 07:16:41.796085: | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R Sep 21 07:16:41.796088: | Opening output PBS informational exchange delete request Sep 21 07:16:41.796092: | **emit ISAKMP Message: Sep 21 07:16:41.796095: | initiator cookie: Sep 21 07:16:41.796097: | e2 89 18 1d 52 8d ca 70 Sep 21 07:16:41.796099: | responder cookie: Sep 21 07:16:41.796102: | 77 7a c6 a2 02 ee bc 1f Sep 21 07:16:41.796105: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:41.796107: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:41.796110: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:16:41.796113: | flags: none (0x0) Sep 21 07:16:41.796115: | Message ID: 0 (0x0) Sep 21 07:16:41.796118: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:41.796121: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:41.796124: | next payload type: 
ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:41.796126: | flags: none (0x0) Sep 21 07:16:41.796129: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:41.796133: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:16:41.796136: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:41.796146: | ****emit IKEv2 Delete Payload: Sep 21 07:16:41.796149: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:41.796151: | flags: none (0x0) Sep 21 07:16:41.796153: | protocol ID: PROTO_v2_ESP (0x3) Sep 21 07:16:41.796156: | SPI size: 4 (0x4) Sep 21 07:16:41.796158: | number of SPIs: 1 (0x1) Sep 21 07:16:41.796161: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:16:41.796164: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:16:41.796167: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Sep 21 07:16:41.796169: | local spis 44 b4 68 eb Sep 21 07:16:41.796172: | emitting length of IKEv2 Delete Payload: 12 Sep 21 07:16:41.796175: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:16:41.796178: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:41.796183: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:41.796186: | emitting length of IKEv2 Encryption Payload: 41 Sep 21 07:16:41.796188: | emitting length of ISAKMP Message: 69 Sep 21 07:16:41.796216: | sending 73 bytes for delete notification through eth1 from 192.1.2.23:4500 to 192.1.2.254:4500 (using #2) Sep 21 07:16:41.796222: | 00 00 00 00 e2 89 18 1d 52 8d ca 70 77 7a c6 a2 Sep 21 07:16:41.796224: | 02 ee bc 1f 2e 20 25 
00 00 00 00 00 00 00 00 45 Sep 21 07:16:41.796227: | 2a 00 00 29 fd 63 a3 29 f1 de a1 fe 8e da d2 dc Sep 21 07:16:41.796229: | 77 02 2d 65 3c 81 03 ec f5 15 9e 65 ae 3d 16 8c Sep 21 07:16:41.796231: | fa a3 18 61 af ad a7 17 6c Sep 21 07:16:41.796284: | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Sep 21 07:16:41.796288: | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send Sep 21 07:16:41.796294: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1->0 wip.responder=-1 Sep 21 07:16:41.796298: | state #2 requesting EVENT_SA_REKEY to be deleted Sep 21 07:16:41.796303: | libevent_free: release ptr-libevent@0x55bba9469f30 Sep 21 07:16:41.796307: | free_event_entry: release EVENT_SA_REKEY-pe@0x7f02f8002b20 Sep 21 07:16:41.796456: | running updown command "ipsec _updown" for verb down Sep 21 07:16:41.796462: | command executing down-client Sep 21 07:16:41.796488: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16396' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='192.1.3.209' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050197' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' 
PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SP Sep 21 07:16:41.796492: | popen cmd is 1047 chars long Sep 21 07:16:41.796495: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUT: Sep 21 07:16:41.796498: | cmd( 80):O_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_I: Sep 21 07:16:41.796501: | cmd( 160):D='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_M: Sep 21 07:16:41.796503: | cmd( 240):Y_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_R: Sep 21 07:16:41.796506: | cmd( 320):EQID='16396' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='192.1.3: Sep 21 07:16:41.796508: | cmd( 400):.209' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_P: Sep 21 07:16:41.796511: | cmd( 480):EER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUT: Sep 21 07:16:41.796513: | cmd( 560):O_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050197' PLUTO_CONN_POLICY=': Sep 21 07:16:41.796516: | cmd( 640):PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN: Sep 21 07:16:41.796518: | cmd( 720):_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_: Sep 21 07:16:41.796520: | cmd( 800):CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' : Sep 21 07:16:41.796523: | cmd( 880):PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' V: Sep 21 07:16:41.796525: | cmd( 960):TI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x521f4cc9 SPI_OUT=0x44b468eb ipsec _updo: Sep 21 07:16:41.796529: | cmd(1040):wn 2>&1: Sep 21 07:16:41.824226: | shunt_eroute() called for connection 'eastnet-any' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 192.0.2.0/24:0 --0->- 192.0.1.0/24:0 Sep 21 07:16:41.824247: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.1.0/24:0 
Sep 21 07:16:41.824251: | priority calculation of connection "eastnet-any" is 0xfe7e7 Sep 21 07:16:41.824254: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:41.824442: | delete esp.521f4cc9@192.1.2.254 Sep 21 07:16:41.824551: | netlink response for Del SA esp.521f4cc9@192.1.2.254 included non-error error Sep 21 07:16:41.824558: | priority calculation of connection "eastnet-any" is 0xfe7e7 Sep 21 07:16:41.824566: | delete inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Sep 21 07:16:41.824738: | raw_eroute result=success Sep 21 07:16:41.824745: | delete esp.44b468eb@192.1.2.23 Sep 21 07:16:41.824833: | netlink response for Del SA esp.44b468eb@192.1.2.23 included non-error error Sep 21 07:16:41.824847: | stop processing: connection "eastnet-any"[2] 192.1.2.254 (BACKGROUND) (in update_state_connection() at connections.c:4037) Sep 21 07:16:41.824851: | start processing: connection NULL (in update_state_connection() at connections.c:4038) Sep 21 07:16:41.824854: | in connection_discard for connection eastnet-any Sep 21 07:16:41.824857: | State DB: deleting IKEv2 state #2 in V2_IPSEC_R Sep 21 07:16:41.824862: | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Sep 21 07:16:41.824868: | stop processing: state #2 from 192.1.2.254:4500 (in delete_state() at state.c:1143) Sep 21 07:16:41.824874: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:16:41.824876: | state #1 Sep 21 07:16:41.824879: | pass 1 Sep 21 07:16:41.824882: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Sep 21 07:16:41.824884: | state #1 Sep 21 07:16:41.824890: | start processing: state #1 connection "eastnet-any"[2] 192.1.2.254 from 192.1.2.254:4500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:16:41.824893: | pstats #1 ikev2.ike deleted completed Sep 21 07:16:41.824898: | #1 spent 8.15 milliseconds in total Sep 21 07:16:41.824904: | [RE]START processing: state #1 connection "eastnet-any"[2] 192.1.2.254 from 192.1.2.254:4500 (in delete_state() at state.c:879) Sep 21 07:16:41.824910: "eastnet-any"[2] 192.1.2.254 #1: deleting state (STATE_PARENT_R2) aged 3.913s and sending notification Sep 21 07:16:41.824913: | parent state #1: PARENT_R2(established IKE SA) => delete Sep 21 07:16:41.824981: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Sep 21 07:16:41.824985: | Opening output PBS informational exchange delete request Sep 21 07:16:41.824988: | **emit ISAKMP Message: Sep 21 07:16:41.824991: | initiator cookie: Sep 21 07:16:41.824994: | e2 89 18 1d 52 8d ca 70 Sep 21 07:16:41.824996: | responder cookie: Sep 21 07:16:41.824998: | 77 7a c6 a2 02 ee bc 1f Sep 21 07:16:41.825001: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:41.825004: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:41.825007: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:16:41.825010: | flags: none (0x0) Sep 21 07:16:41.825012: | Message ID: 1 (0x1) Sep 21 07:16:41.825015: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:41.825018: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:41.825021: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:41.825024: | flags: none (0x0) Sep 21 07:16:41.825027: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:41.825030: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next 
payload type' in 'informational exchange delete request' Sep 21 07:16:41.825036: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:41.825046: | ****emit IKEv2 Delete Payload: Sep 21 07:16:41.825049: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:41.825051: | flags: none (0x0) Sep 21 07:16:41.825054: | protocol ID: PROTO_v2_IKE (0x1) Sep 21 07:16:41.825056: | SPI size: 0 (0x0) Sep 21 07:16:41.825059: | number of SPIs: 0 (0x0) Sep 21 07:16:41.825062: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:16:41.825065: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:16:41.825068: | emitting length of IKEv2 Delete Payload: 8 Sep 21 07:16:41.825071: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:16:41.825074: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:41.825088: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:41.825091: | emitting length of IKEv2 Encryption Payload: 37 Sep 21 07:16:41.825094: | emitting length of ISAKMP Message: 65 Sep 21 07:16:41.825115: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:4500 to 192.1.2.254:4500 (using #1) Sep 21 07:16:41.825118: | 00 00 00 00 e2 89 18 1d 52 8d ca 70 77 7a c6 a2 Sep 21 07:16:41.825121: | 02 ee bc 1f 2e 20 25 00 00 00 00 01 00 00 00 41 Sep 21 07:16:41.825123: | 2a 00 00 25 93 65 82 08 87 45 a6 ba 97 af a1 1b Sep 21 07:16:41.825126: | d1 a6 d8 c8 d6 5e ab f8 49 42 6e b4 29 76 67 f2 Sep 21 07:16:41.825128: | ff 5f f9 cf af Sep 21 07:16:41.825171: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Sep 21 07:16:41.825174: | Message ID: IKE #1 sender #1 in send_delete hacking around 
record ' send Sep 21 07:16:41.825180: | Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=1 wip.responder=-1 Sep 21 07:16:41.825185: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=0->1 wip.responder=-1 Sep 21 07:16:41.825188: | state #1 requesting EVENT_SA_REKEY to be deleted Sep 21 07:16:41.825193: | libevent_free: release ptr-libevent@0x55bba9465e30 Sep 21 07:16:41.825196: | free_event_entry: release EVENT_SA_REKEY-pe@0x55bba9465df0 Sep 21 07:16:41.825199: | State DB: IKEv2 state not found (flush_incomplete_children) Sep 21 07:16:41.825202: | in connection_discard for connection eastnet-any Sep 21 07:16:41.825205: | State DB: deleting IKEv2 state #1 in PARENT_R2 Sep 21 07:16:41.825208: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Sep 21 07:16:41.825225: | stop processing: state #1 from 192.1.2.254:4500 (in delete_state() at state.c:1143) Sep 21 07:16:41.825239: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:16:41.825246: | shunt_eroute() called for connection 'eastnet-any' to 'delete' for rt_kind 'unrouted' using protoports 192.0.2.0/24:0 --0->- 192.0.1.0/24:0 Sep 21 07:16:41.825251: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.1.0/24:0 Sep 21 07:16:41.825254: | priority calculation of connection "eastnet-any" is 0xfe7e7 Sep 21 07:16:41.825293: | priority calculation of connection "eastnet-any" is 0xfe7e7 Sep 21 07:16:41.825303: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:16:41.825307: | conn eastnet-any mark 0/00000000, 0/00000000 vs Sep 21 07:16:41.825310: | conn eastnet-any mark 0/00000000, 0/00000000 Sep 21 07:16:41.825312: | conn eastnet-any mark 0/00000000, 0/00000000 vs Sep 21 07:16:41.825315: | conn eastnet-any mark 0/00000000, 0/00000000 Sep 21 07:16:41.825318: | route owner of "eastnet-any" unrouted: NULL Sep 21 07:16:41.825321: | running updown command "ipsec _updown" for verb unroute Sep 21 07:16:41.825326: | command executing unroute-client Sep 21 07:16:41.825354: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16396' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='192.1.3.209' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_ Sep 21 07:16:41.825357: | popen cmd is 1028 chars long Sep 21 07:16:41.825360: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' P: Sep 21 07:16:41.825363: | cmd( 80):LUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_M: Sep 21 07:16:41.825366: | cmd( 160):Y_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUT: Sep 21 07:16:41.825368: | cmd( 
240):O_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_S: Sep 21 07:16:41.825371: | cmd( 320):A_REQID='16396' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='192: Sep 21 07:16:41.825374: | cmd( 400):.1.3.209' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLU: Sep 21 07:16:41.825376: | cmd( 480):TO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' : Sep 21 07:16:41.825379: | cmd( 560):PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+E: Sep 21 07:16:41.825382: | cmd( 640):NCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND: Sep 21 07:16:41.825384: | cmd( 720):='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO: Sep 21 07:16:41.825387: | cmd( 800):='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO: Sep 21 07:16:41.825390: | cmd( 880):_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_RO: Sep 21 07:16:41.825392: | cmd( 960):UTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Sep 21 07:16:41.861372: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:41.861389: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:41.861393: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:41.861404: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:41.861416: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:41.861428: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:41.861441: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:41.861453: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:41.861464: unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:16:41.861862: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:41.861871: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:41.861885: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:41.879108: | free hp@0x55bba93f2dc0 Sep 21 07:16:41.879122: | flush revival: connection 'eastnet-any' wasn't on the list Sep 21 07:16:41.879127: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Sep 21 07:16:41.879133: | start processing: connection "eastnet-any" (in delete_connection() at connections.c:189) Sep 21 07:16:41.879142: | Deleting states for connection - including all other IPsec SA's of this IKE SA Sep 21 07:16:41.879145: | pass 0 Sep 21 07:16:41.879148: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:16:41.879151: | pass 1 Sep 21 07:16:41.879153: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:16:41.879156: | free hp@0x55bba942c960 Sep 21 07:16:41.879159: | flush revival: connection 'eastnet-any' wasn't on the list Sep 21 07:16:41.879162: | stop processing: connection "eastnet-any" (in discard_connection() at connections.c:249) Sep 21 07:16:41.879169: | crl fetch request list locked by 'free_crl_fetch' Sep 21 07:16:41.879172: | crl fetch request list unlocked by 'free_crl_fetch' Sep 21 07:16:41.879182: shutting down interface lo/lo 127.0.0.1:4500 Sep 21 07:16:41.879186: shutting down interface lo/lo 127.0.0.1:500 Sep 21 07:16:41.879190: shutting down interface eth0/eth0 192.0.2.254:4500 Sep 21 07:16:41.879193: shutting down interface eth0/eth0 192.0.2.254:500 Sep 21 07:16:41.879196: shutting down interface eth1/eth1 192.1.2.23:4500 Sep 21 07:16:41.879199: shutting down interface eth1/eth1 192.1.2.23:500 Sep 21 07:16:41.879204: | FOR_EACH_STATE_... 
in delete_states_dead_interfaces Sep 21 07:16:41.879212: | libevent_free: release ptr-libevent@0x55bba945fff0 Sep 21 07:16:41.879216: | free_event_entry: release EVENT_NULL-pe@0x55bba9449270 Sep 21 07:16:41.879226: | libevent_free: release ptr-libevent@0x55bba94600e0 Sep 21 07:16:41.879229: | free_event_entry: release EVENT_NULL-pe@0x55bba94600a0 Sep 21 07:16:41.879235: | libevent_free: release ptr-libevent@0x55bba94601d0 Sep 21 07:16:41.879238: | free_event_entry: release EVENT_NULL-pe@0x55bba9460190 Sep 21 07:16:41.879244: | libevent_free: release ptr-libevent@0x55bba94602c0 Sep 21 07:16:41.879247: | free_event_entry: release EVENT_NULL-pe@0x55bba9460280 Sep 21 07:16:41.879253: | libevent_free: release ptr-libevent@0x55bba94603b0 Sep 21 07:16:41.879255: | free_event_entry: release EVENT_NULL-pe@0x55bba9460370 Sep 21 07:16:41.879262: | libevent_free: release ptr-libevent@0x55bba94604a0 Sep 21 07:16:41.879264: | free_event_entry: release EVENT_NULL-pe@0x55bba9460460 Sep 21 07:16:41.879269: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Sep 21 07:16:41.879688: | libevent_free: release ptr-libevent@0x55bba945f950 Sep 21 07:16:41.879696: | free_event_entry: release EVENT_NULL-pe@0x55bba94484f0 Sep 21 07:16:41.879701: | libevent_free: release ptr-libevent@0x55bba94553e0 Sep 21 07:16:41.879704: | free_event_entry: release EVENT_NULL-pe@0x55bba94487a0 Sep 21 07:16:41.879708: | libevent_free: release ptr-libevent@0x55bba9455350 Sep 21 07:16:41.879711: | free_event_entry: release EVENT_NULL-pe@0x55bba944df00 Sep 21 07:16:41.879715: | global timer EVENT_REINIT_SECRET uninitialized Sep 21 07:16:41.879717: | global timer EVENT_SHUNT_SCAN uninitialized Sep 21 07:16:41.879720: | global timer EVENT_PENDING_DDNS uninitialized Sep 21 07:16:41.879723: | global timer EVENT_PENDING_PHASE2 uninitialized Sep 21 07:16:41.879725: | global timer EVENT_CHECK_CRLS uninitialized Sep 21 07:16:41.879727: | global timer EVENT_REVIVE_CONNS uninitialized Sep 21 07:16:41.879730: | global timer EVENT_FREE_ROOT_CERTS uninitialized Sep 21 07:16:41.879732: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Sep 21 07:16:41.879734: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Sep 21 07:16:41.879740: | libevent_free: release ptr-libevent@0x55bba945fa20 Sep 21 07:16:41.879743: | signal event handler PLUTO_SIGCHLD uninstalled Sep 21 07:16:41.879746: | libevent_free: release ptr-libevent@0x55bba945fb00 Sep 21 07:16:41.879749: | signal event handler PLUTO_SIGTERM uninstalled Sep 21 07:16:41.879752: | libevent_free: release ptr-libevent@0x55bba945fbc0 Sep 21 07:16:41.879754: | signal event handler PLUTO_SIGHUP uninstalled Sep 21 07:16:41.879757: | libevent_free: release ptr-libevent@0x55bba94546d0 Sep 21 07:16:41.879759: | signal event handler PLUTO_SIGSYS uninstalled Sep 21 07:16:41.879761: | releasing event base Sep 21 07:16:41.879777: | libevent_free: release ptr-libevent@0x55bba945fc80 Sep 21 07:16:41.879780: | libevent_free: release ptr-libevent@0x55bba9435250 Sep 21 07:16:41.879804: | libevent_free: 
release ptr-libevent@0x55bba9443a80 Sep 21 07:16:41.879809: | libevent_free: release ptr-libevent@0x55bba9443b50 Sep 21 07:16:41.879812: | libevent_free: release ptr-libevent@0x55bba9443aa0 Sep 21 07:16:41.879814: | libevent_free: release ptr-libevent@0x55bba945f9e0 Sep 21 07:16:41.879817: | libevent_free: release ptr-libevent@0x55bba945fac0 Sep 21 07:16:41.879820: | libevent_free: release ptr-libevent@0x55bba9443b30 Sep 21 07:16:41.879822: | libevent_free: release ptr-libevent@0x55bba9443c90 Sep 21 07:16:41.879824: | libevent_free: release ptr-libevent@0x55bba94486f0 Sep 21 07:16:41.879827: | libevent_free: release ptr-libevent@0x55bba9460530 Sep 21 07:16:41.879829: | libevent_free: release ptr-libevent@0x55bba9460440 Sep 21 07:16:41.879832: | libevent_free: release ptr-libevent@0x55bba9460350 Sep 21 07:16:41.879834: | libevent_free: release ptr-libevent@0x55bba9460260 Sep 21 07:16:41.879836: | libevent_free: release ptr-libevent@0x55bba9460170 Sep 21 07:16:41.879838: | libevent_free: release ptr-libevent@0x55bba9460080 Sep 21 07:16:41.879841: | libevent_free: release ptr-libevent@0x55bba93c7370 Sep 21 07:16:41.879843: | libevent_free: release ptr-libevent@0x55bba945fba0 Sep 21 07:16:41.879846: | libevent_free: release ptr-libevent@0x55bba945fae0 Sep 21 07:16:41.879848: | libevent_free: release ptr-libevent@0x55bba945fa00 Sep 21 07:16:41.879851: | libevent_free: release ptr-libevent@0x55bba945fc60 Sep 21 07:16:41.879853: | libevent_free: release ptr-libevent@0x55bba93c55b0 Sep 21 07:16:41.879856: | libevent_free: release ptr-libevent@0x55bba9443ac0 Sep 21 07:16:41.879859: | libevent_free: release ptr-libevent@0x55bba9443af0 Sep 21 07:16:41.879861: | libevent_free: release ptr-libevent@0x55bba94437e0 Sep 21 07:16:41.879864: | releasing global libevent data Sep 21 07:16:41.879867: | libevent_free: release ptr-libevent@0x55bba94424d0 Sep 21 07:16:41.879870: | libevent_free: release ptr-libevent@0x55bba9443780 Sep 21 07:16:41.879873: | libevent_free: release 
ptr-libevent@0x55bba94437b0