FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:5796 core dump dir: /tmp secrets file: /etc/ipsec.secrets leak-detective disabled NSS crypto [enabled] XAUTH PAM support [enabled] | libevent is using pluto's memory allocator Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | libevent_malloc: new ptr-libevent@0x555e28bd0ff0 size 40 | libevent_malloc: new ptr-libevent@0x555e28bd22a0 size 40 | libevent_malloc: new ptr-libevent@0x555e28bd22d0 size 40 | creating event base | libevent_malloc: new ptr-libevent@0x555e28bd2260 size 56 | libevent_malloc: new ptr-libevent@0x555e28bd2300 size 664 | libevent_malloc: new ptr-libevent@0x555e28bd25a0 size 24 | libevent_malloc: new ptr-libevent@0x555e28bc3db0 size 384 | libevent_malloc: new ptr-libevent@0x555e28bd25c0 size 16 | libevent_malloc: new ptr-libevent@0x555e28bd25e0 size 40 | libevent_malloc: new ptr-libevent@0x555e28bd2610 size 48 | libevent_realloc: new ptr-libevent@0x555e28b54370 size 256 | libevent_malloc: new ptr-libevent@0x555e28bd2650 size 16 | libevent_free: release ptr-libevent@0x555e28bd2260 | libevent initialized | libevent_realloc: new ptr-libevent@0x555e28bd2670 size 64 | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized | global one-shot timer EVENT_FREE_ROOT_CERTS initialized | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds | global one-shot timer EVENT_REVIVE_CONNS initialized | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 started thread for crypto helper 1 started thread for crypto helper 2 started thread for crypto helper 3 started thread for crypto helper 4 started thread for crypto helper 5 started thread for crypto helper 6 | checking IKEv1 state table | MAIN_R0: category: half-open IKE SA flags: 0: | -> MAIN_R1 EVENT_SO_DISCARD | MAIN_I1: category: half-open IKE SA flags: 0: | -> MAIN_I2 EVENT_RETRANSMIT | MAIN_R1: category: open IKE SA flags: 200: | -> MAIN_R2 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_I2: category: open IKE SA flags: 0: | -> MAIN_I3 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_R2: category: open IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | -> MAIN_R3 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_I3: category: open IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | -> MAIN_I4 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_R3: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | MAIN_I4: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | AGGR_R0: category: half-open IKE SA flags: 0: | -> AGGR_R1 EVENT_SO_DISCARD | AGGR_I1: category: half-open IKE SA flags: 0: | -> AGGR_I2 EVENT_SA_REPLACE | -> AGGR_I2 EVENT_SA_REPLACE | AGGR_R1: category: open IKE SA flags: 200: | -> AGGR_R2 EVENT_SA_REPLACE | -> AGGR_R2 EVENT_SA_REPLACE | AGGR_I2: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | AGGR_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | QUICK_R0: category: established CHILD SA flags: 0: | -> QUICK_R1 EVENT_RETRANSMIT | QUICK_I1: category: established CHILD SA flags: 0: | -> QUICK_I2 EVENT_SA_REPLACE | QUICK_R1: category: established CHILD SA flags: 0: | -> QUICK_R2 EVENT_SA_REPLACE | QUICK_I2: category: established CHILD SA flags: 200: | -> UNDEFINED EVENT_NULL | QUICK_R2: category: established CHILD SA flags: 0: | -> UNDEFINED EVENT_NULL | INFO: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | INFO_PROTECTED: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | XAUTH_R0: category: established IKE SA flags: 0: | -> XAUTH_R1 EVENT_NULL | XAUTH_R1: category: established IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | MODE_CFG_R0: category: informational flags: 0: | -> MODE_CFG_R1 EVENT_SA_REPLACE | MODE_CFG_R1: category: established IKE SA flags: 0: | -> MODE_CFG_R2 EVENT_SA_REPLACE | MODE_CFG_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | MODE_CFG_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | XAUTH_I0: category: established IKE SA flags: 0: | -> XAUTH_I1 EVENT_RETRANSMIT | XAUTH_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_RETRANSMIT | checking IKEv2 state table | PARENT_I0: category: ignore flags: 0: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) | PARENT_I1: category: half-open IKE SA flags: 0: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) | PARENT_I2: category: open IKE SA flags: 0: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) | PARENT_I3: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) | PARENT_R0: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) | PARENT_R1: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) | PARENT_R2: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) | V2_CREATE_I0: category: established IKE SA flags: 0: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) | V2_CREATE_I: category: established IKE SA flags: 0: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) | V2_REKEY_IKE_I: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: | V2_CREATE_R: category: established IKE SA flags: 0: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) | V2_REKEY_IKE_R: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: | V2_IPSEC_I: category: established CHILD SA flags: 0: | V2_IPSEC_R: category: established CHILD SA flags: 0: | IKESA_DEL: category: established IKE SA flags: 0: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) | CHILDSA_DEL: category: informational flags: 0: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | adding HMAC_SHA2_384_192 to kernel algorithm db | adding HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds | setup kernel fd callback | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x555e28bd7d10 | libevent_malloc: new ptr-libevent@0x555e28be3e30 size 128 | libevent_malloc: new ptr-libevent@0x555e28bd6ff0 size 16 | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x555e28bd7cd0 | libevent_malloc: new ptr-libevent@0x555e28be3ec0 size 128 | libevent_malloc: new ptr-libevent@0x555e28bd7010 size 16 | global one-shot timer EVENT_CHECK_CRLS initialized selinux support is enabled. systemd watchdog not enabled - not sending watchdog keepalives | unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | outgoing-port-avoid set 0-65535 | outgoing-port-permit set 32768-60999 | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x555e28bd2260 | libevent_malloc: new ptr-libevent@0x555e28bee3b0 size 128 | libevent_malloc: new ptr-libevent@0x555e28bee440 size 16 | libevent_realloc: new ptr-libevent@0x555e28b526c0 size 256 | libevent_malloc: new ptr-libevent@0x555e28bee460 size 8 | libevent_realloc: new ptr-libevent@0x555e28be3230 size 144 | libevent_malloc: new ptr-libevent@0x555e28bee480 size 152 | libevent_malloc: new ptr-libevent@0x555e28bee520 size 16 | signal event handler PLUTO_SIGCHLD installed | libevent_malloc: new ptr-libevent@0x555e28bee540 size 8 | libevent_malloc: new ptr-libevent@0x555e28bee560 size 152 | signal event handler PLUTO_SIGTERM installed | libevent_malloc: new ptr-libevent@0x555e28bee600 size 8 | libevent_malloc: new ptr-libevent@0x555e28bee620 size 152 | signal event handler PLUTO_SIGHUP installed | libevent_malloc: new ptr-libevent@0x555e28bee6c0 size 8 | libevent_realloc: release ptr-libevent@0x555e28be3230 | libevent_realloc: new ptr-libevent@0x555e28bee6e0 size 256 | libevent_malloc: new ptr-libevent@0x555e28be3230 size 152 | signal event handler PLUTO_SIGSYS installed | created addconn helper (pid:5958) using fork+execve | forked child 5958 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | starting up helper thread 0 | status value returned by setting the priority of this thread (crypto helper 0) 22 | crypto helper 0 waiting (nothing to do) | starting up helper thread 5 | status value returned by setting the priority of this thread (crypto helper 5) 22 | crypto helper 5 waiting (nothing to do) | Inspecting interface lo | starting up helper thread 6 | status value returned by setting the priority of this thread (crypto helper 6) 22 | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 Kernel supports NIC esp-hw-offload adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth1/eth1 192.1.2.23:4500 adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.0.2.254:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | no interfaces to sort | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | add_fd_read_event_handler: new ethX-pe@0x555e28beea50 | libevent_malloc: new ptr-libevent@0x555e28beea90 size 128 | libevent_malloc: new ptr-libevent@0x555e28beeb20 size 16 | setup callback for interface lo 127.0.0.1:4500 fd 22 | add_fd_read_event_handler: new ethX-pe@0x555e28beeb40 | libevent_malloc: new ptr-libevent@0x555e28beeb80 size 128 | libevent_malloc: new ptr-libevent@0x555e28beec10 size 16 | setup callback for interface lo 127.0.0.1:500 fd 21 | add_fd_read_event_handler: new ethX-pe@0x555e28beec30 | libevent_malloc: new ptr-libevent@0x555e28beec70 size 128 | libevent_malloc: new ptr-libevent@0x555e28beed00 size 16 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | add_fd_read_event_handler: new ethX-pe@0x555e28beed20 | libevent_malloc: new ptr-libevent@0x555e28beed60 size 128 | libevent_malloc: new ptr-libevent@0x555e28beedf0 size 16 | setup callback for interface eth0 192.0.2.254:500 fd 19 | add_fd_read_event_handler: new ethX-pe@0x555e28beee10 | libevent_malloc: new ptr-libevent@0x555e28beee50 size 128 | libevent_malloc: new ptr-libevent@0x555e28beeee0 size 16 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | add_fd_read_event_handler: new ethX-pe@0x555e28beef00 | libevent_malloc: new ptr-libevent@0x555e28beef40 size 128 | libevent_malloc: new ptr-libevent@0x555e28beefd0 size 16 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.624 milliseconds in whack | starting up helper thread 2 | status value returned by setting the priority of this thread (crypto helper 2) 22 | starting up helper thread 1 | status value returned by setting the priority of this thread (crypto helper 1) 22 | starting up helper thread 3 | status value returned by setting the priority of this thread (crypto helper 3) 22 | crypto helper 6 waiting (nothing to do) | crypto helper 2 waiting (nothing to do) | crypto helper 1 waiting (nothing to do) | crypto helper 3 waiting (nothing to do) | starting up helper thread 4 | status value returned by setting the priority of this thread (crypto helper 4) 22 | crypto helper 4 waiting (nothing to do) | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | old debugging base+cpu-usage + none | base debugging = base+cpu-usage | old impairing none + none | base impairing = none | revival | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0535 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 | no interfaces to sort | libevent_free: release ptr-libevent@0x555e28beea90 | free_event_entry: release EVENT_NULL-pe@0x555e28beea50 | add_fd_read_event_handler: new ethX-pe@0x555e28beea50 | libevent_malloc: new ptr-libevent@0x555e28beea90 size 128 | setup callback for interface lo 127.0.0.1:4500 fd 22 | libevent_free: release ptr-libevent@0x555e28beeb80 | free_event_entry: release EVENT_NULL-pe@0x555e28beeb40 | add_fd_read_event_handler: new ethX-pe@0x555e28beeb40 | libevent_malloc: new ptr-libevent@0x555e28beeb80 size 128 | setup callback for interface lo 127.0.0.1:500 fd 21 | libevent_free: release ptr-libevent@0x555e28beec70 | free_event_entry: release EVENT_NULL-pe@0x555e28beec30 | add_fd_read_event_handler: new ethX-pe@0x555e28beec30 | libevent_malloc: new ptr-libevent@0x555e28beec70 size 128 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | libevent_free: release ptr-libevent@0x555e28beed60 | free_event_entry: release EVENT_NULL-pe@0x555e28beed20 | add_fd_read_event_handler: new ethX-pe@0x555e28beed20 | libevent_malloc: new ptr-libevent@0x555e28beed60 size 128 | setup callback for interface eth0 192.0.2.254:500 fd 19 | libevent_free: release ptr-libevent@0x555e28beee50 | free_event_entry: release EVENT_NULL-pe@0x555e28beee10 | add_fd_read_event_handler: new ethX-pe@0x555e28beee10 | libevent_malloc: new ptr-libevent@0x555e28beee50 size 128 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | libevent_free: release ptr-libevent@0x555e28beef40 | free_event_entry: release EVENT_NULL-pe@0x555e28beef00 | add_fd_read_event_handler: new ethX-pe@0x555e28beef00 | libevent_malloc: new ptr-libevent@0x555e28beef40 size 128 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.469 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned pid 5958 (exited with status 0) | reaped addconn helper child (status 0) | waitpid returned ECHILD (no child processes left) | spent 0.0214 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection westnet-eastnet-aggr with policy ENCRYPT+TUNNEL+PFS+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | No AUTH policy was set - defaulting to RSASIG | ike (phase1) algorithm values: 3DES_CBC-HMAC_SHA1-MODP1536 | counting wild cards for @west is 0 | counting wild cards for @east is 0 | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none | new hp@0x555e28bbb550 added connection description "westnet-eastnet-aggr" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.2.45<192.1.2.45>[@west]===192.0.1.0/24 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.135 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) add keyid @west | add pubkey 01 03 a6 f5 d6 3f e3 8f 6c 01 6a fc 7b 7c 6d 57 | add pubkey 8b 49 39 0d 77 f7 ac e2 85 f1 98 1e 4b 6d a5 3e | add pubkey b3 96 9a d1 99 5a bc 10 f2 97 de f2 28 f9 5f 92 | add pubkey 09 f0 c8 d4 12 e4 60 6e 9c 60 98 10 01 7d 26 b7 | add pubkey 8f 95 62 2d 87 dd cd de f6 d3 8f 35 b0 50 d0 18 | add pubkey f5 99 f8 04 f1 ff 61 5b bc 7f 1f c0 04 d8 e4 8c | add pubkey ac 34 ad 7a c1 da 3c 2d 8c 30 ae d6 3c 59 b1 3a | add pubkey 94 d3 d5 2a 73 91 bd 59 5f 3e 72 bf 4a 1b 9d c5 | add pubkey b2 2b 4d e7 0d 24 3e 77 f9 7f 2d d6 9d 29 ef 70 | add pubkey 7d 7a 6d a2 b8 61 0c 4b 09 4a 06 71 84 70 85 9a | add pubkey 8f 52 a1 80 06 fd c6 fc 3e 27 fa 16 fa 32 83 a9 | add pubkey ca 80 db 0f 4a bf f7 e9 55 8e bd 29 4d 23 a6 dc | add pubkey 2a b3 5d 62 a9 21 1e be 83 d8 69 3c 03 0a 48 8e | add pubkey d3 3a 11 f2 86 5a d1 30 65 bd c8 f4 83 87 ff 04 | add pubkey 87 33 05 4f e0 d8 8c fe b3 19 4c dd 85 40 f3 4d | add pubkey 6e e8 49 14 06 2c 1f 59 59 05 8f 20 b0 ca 46 3f | add pubkey c9 20 7e 04 30 7d 9a 80 6c 3f 0a 89 f7 d3 af d8 | add pubkey 15 04 37 f9 | computed rsa CKAID b4 9f 1a ac 9e 45 6e 79 29 c8 81 97 3a 0c 6a d3 | computed rsa CKAID 7f 0f 03 50 | keyid: *AQOm9dY/4 | n a6 f5 d6 3f e3 8f 6c 01 6a fc 7b 7c 6d 57 8b 49 | n 39 0d 77 f7 ac e2 85 f1 98 1e 4b 6d a5 3e b3 96 | n 9a d1 99 5a bc 10 f2 97 de f2 28 f9 5f 92 09 f0 | n c8 d4 12 e4 60 6e 9c 60 98 10 01 7d 26 b7 8f 95 | n 62 2d 87 dd cd de f6 d3 8f 35 b0 50 d0 18 f5 99 | n f8 04 f1 ff 61 5b bc 7f 1f c0 04 d8 e4 8c ac 34 | n ad 7a c1 da 3c 2d 8c 30 ae d6 3c 59 b1 3a 94 d3 | n d5 2a 73 91 bd 59 5f 3e 72 bf 4a 1b 9d c5 b2 2b | n 4d e7 0d 24 3e 77 f9 7f 2d d6 9d 29 ef 70 7d 7a | n 6d a2 b8 61 0c 4b 09 4a 06 71 84 70 85 9a 8f 52 | n a1 80 06 fd c6 fc 3e 27 fa 16 fa 32 83 a9 ca 80 | n db 0f 4a bf f7 e9 55 8e bd 29 4d 23 a6 dc 2a b3 | n 5d 62 a9 21 1e be 83 d8 69 3c 03 0a 48 8e d3 3a | n 11 f2 86 5a d1 30 65 bd c8 f4 83 87 ff 04 87 33 | n 05 4f e0 d8 8c fe b3 19 4c dd 85 40 f3 4d 6e e8 | n 49 14 06 2c 1f 59 59 05 8f 20 b0 ca 46 3f c9 20 | n 7e 04 30 7d 9a 80 6c 3f 0a 89 f7 d3 af d8 15 04 | n 37 f9 | e 03 | CKAID b4 9f 1a ac 9e 45 6e 79 29 c8 81 97 3a 0c 6a d3 | CKAID 7f 0f 03 50 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.117 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) add keyid @east | add pubkey 01 03 bd 6c 96 eb df 78 89 b3 ed 77 0d a1 7f 7b | add pubkey e5 16 c2 c9 e4 7d 92 0a 90 9d 55 43 b4 62 13 03 | add pubkey 85 7a e0 26 7b 54 1f ca 09 93 cf ff 25 c9 02 4c | add pubkey 78 ca 94 e5 3e ac d1 f9 a8 e5 bb 7f cc 20 84 e0 | add pubkey 21 c9 f0 0d c5 44 ba f3 48 64 61 58 f6 0f 63 0d | add pubkey d2 67 1e 59 8b ec f3 50 39 71 fb 39 da 11 64 b6 | add pubkey 62 cd 5f d3 8d 2e c1 50 ed 9c 6e 22 0c 39 a7 ce | add pubkey 62 b5 af 8a 80 0f 2e 4c 05 5c 82 c7 8d 29 02 2e | add pubkey bb 23 5f db f2 9e b5 7d e2 20 70 1a 63 f3 8e 5d | add pubkey ac 47 f0 5c 26 4e b1 d0 42 60 52 4a b0 77 25 ce | add pubkey e0 98 2b 43 f4 c7 59 1a 64 01 83 ea 4e e3 1a 2a | add pubkey 92 b8 55 ab 63 dd 4b 70 47 29 dc e9 b4 60 bf 43 | add pubkey 4d 58 8f 64 73 95 70 ac 35 89 b2 c2 9c d4 62 c0 | add pubkey 5f 56 5f ad 1b e5 dd 49 93 6a f5 23 82 ed d4 e7 | add pubkey d5 f1 55 f2 2d a2 26 a6 36 53 2f 94 fb 99 22 5c | add pubkey 47 cc 6d 80 30 88 96 38 0c f5 f2 ed 37 d0 09 d5 | add pubkey 07 8f 69 ef a9 99 ce 4d 1a 77 9e 39 c4 38 f3 c5 | add pubkey 51 51 48 ef | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 | keyid: *AQO9bJbr3 | n bd 6c 96 eb df 78 89 b3 ed 77 0d a1 7f 7b e5 16 | n c2 c9 e4 7d 92 0a 90 9d 55 43 b4 62 13 03 85 7a | n e0 26 7b 54 1f ca 09 93 cf ff 25 c9 02 4c 78 ca | n 94 e5 3e ac d1 f9 a8 e5 bb 7f cc 20 84 e0 21 c9 | n f0 0d c5 44 ba f3 48 64 61 58 f6 0f 63 0d d2 67 | n 1e 59 8b ec f3 50 39 71 fb 39 da 11 64 b6 62 cd | n 5f d3 8d 2e c1 50 ed 9c 6e 22 0c 39 a7 ce 62 b5 | n af 8a 80 0f 2e 4c 05 5c 82 c7 8d 29 02 2e bb 23 | n 5f db f2 9e b5 7d e2 20 70 1a 63 f3 8e 5d ac 47 | n f0 5c 26 4e b1 d0 42 60 52 4a b0 77 25 ce e0 98 | n 2b 43 f4 c7 59 1a 64 01 83 ea 4e e3 1a 2a 92 b8 | n 55 ab 63 dd 4b 70 47 29 dc e9 b4 60 bf 43 4d 58 | n 8f 64 73 95 70 ac 35 89 b2 c2 9c d4 62 c0 5f 56 | n 5f ad 1b e5 dd 49 93 6a f5 23 82 ed d4 e7 d5 f1 | n 55 f2 2d a2 26 a6 36 53 2f 94 fb 99 22 5c 47 cc | n 6d 80 30 88 96 38 0c f5 f2 ed 37 d0 09 d5 07 8f | n 69 ef a9 99 ce 4d 1a 77 9e 39 c4 38 f3 c5 51 51 | n 48 ef | e 03 | CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | CKAID 8a 82 25 f1 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0958 milliseconds in whack | spent 0.00322 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 444 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 12 b8 27 1e a5 16 ff 34 00 00 00 00 00 00 00 00 | 01 10 04 00 00 00 00 00 00 00 01 bc 04 00 00 34 | 00 00 00 01 00 00 00 01 00 00 00 28 00 01 00 01 | 00 00 00 20 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 00 03 80 04 00 05 | 0a 00 00 c4 77 f5 a3 7a 56 be 18 93 fd e7 ba f8 | 4f d1 c6 b7 a3 29 71 cf d1 ad 7f f7 cf d0 8f 3e | 4c 4b 17 a8 87 18 79 d8 75 0e 90 25 9c 0a 5c 8e | ef ec d8 ec 00 ca cb 4f 0a f0 84 4d a1 35 18 91 | 3c 8f 86 cc 49 81 28 8f 5c 50 8d 99 c6 1c 8e f0 | 6b 3f 2f 20 a0 e7 5f 42 31 b2 1b 9c 23 42 6d f5 | 53 4d db 96 7b 4b c2 c5 79 e7 94 c7 cd a0 30 fa | a8 b2 10 8b 39 0a 98 0b 23 0f 8c 7d 5f 30 5e be | 5e 41 4c 8e 74 39 04 76 2b 50 7f 50 a6 a4 e8 09 | 1a 59 e7 28 35 33 e7 ae cb 4a e8 74 00 83 c3 f7 | 24 e6 22 a2 da e1 61 db 94 e5 4c b2 cc fb 37 48 | 71 e1 2e a7 f9 76 81 a5 37 4f 1a 06 a0 05 ac 5d | b3 6e ba 03 05 00 00 24 6f 33 62 79 56 e3 3a 7b | b0 5b 04 3a ef a1 d9 c1 30 78 2f c9 38 9e 9a 34 | 06 ff ba 41 45 04 24 fc 0d 00 00 0c 02 00 00 00 | 77 65 73 74 0d 00 00 14 40 48 b7 d5 6e bc e8 85 | 25 e7 de 7f 00 d6 c2 d3 0d 00 00 14 af ca d7 13 | 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 0d 00 00 14 | 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | 0d 00 00 14 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 | 15 52 9d 56 0d 00 00 14 90 cb 80 91 3e bb 69 6e | 08 63 81 b5 ec 42 7b 1f 00 00 00 14 cd 60 46 43 | 35 df 21 f8 7c fd b2 fc 68 b6 a4 48 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 12 b8 27 1e a5 16 ff 34 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_AGGR (0x4) | flags: none (0x0) | Message ID: 0 (0x0) | length: 444 (0x1bc) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_AGGR (4) | State DB: IKEv1 state not found (find_state_ikev1_init) | #null state always idle | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x432 opt: 0x102000 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 52 (0x34) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x430 opt: 0x102000 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 196 (0xc4) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x420 opt: 0x102000 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 36 (0x24) | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x20 opt: 0x102000 | ***parse ISAKMP Identification Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 12 (0xc) | ID type: ID_FQDN (0x2) | DOI specific A: 0 (0x0) | DOI specific B: 0 (0x0) | obj: 77 65 73 74 | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 20 (0x14) | message 'aggr_inI1_outR1' HASH payload not checked early | received Vendor ID payload [FRAGMENTATION] | received Vendor ID payload [Dead Peer Detection] | quirks.qnat_traversal_vid set to=117 [RFC 3947] | received Vendor ID payload [RFC 3947] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | in statetime_start() with no state | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 40 (0x28) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 32 (0x20) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=RSASIG+AGGRESSIVE+IKEV1_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports | find_next_host_connection policy=RSASIG+AGGRESSIVE+IKEV1_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (westnet-eastnet-aggr) | find_next_host_connection returns westnet-eastnet-aggr | find_next_host_connection policy=RSASIG+AGGRESSIVE+IKEV1_ALLOW | find_next_host_connection returns empty | creating state object #1 at 0x555e28bf1c00 | State DB: adding IKEv1 state #1 in UNDEFINED | pstats #1 ikev1.isakmp started | #1 updating local interface from to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) | start processing: state #1 from 192.1.2.45:500 (in aggr_inI1_outR1() at ikev1_aggr.c:181) | parent state #1: UNDEFINED(ignore) => AGGR_R1(open IKE SA) "westnet-eastnet-aggr" #1: Peer ID is ID_FQDN: '@west' | X509: no CERT payloads to process "westnet-eastnet-aggr" #1: responding to Aggressive Mode, state #1, connection "westnet-eastnet-aggr" from 192.1.2.45 | sender checking NAT-T: enabled; VID 117 | returning NAT-T method NAT_TRAVERSAL_METHOD_IETF_RFC | enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 40 (0x28) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 32 (0x20) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | OAKLEY proposal verified; matching alg_info found | Oakley Transform 0 accepted | adding outI2 KE work-order 1 for state #1 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x555e28bf00c0 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x555e28bf0100 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "westnet-eastnet-aggr" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2624) | suspending state #1 and saving MD | #1 is busy; has a suspended MD | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "westnet-eastnet-aggr" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.479 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 0 resuming | crypto helper 0 starting work-order 1 for state #1 | crypto helper 0 doing build KE and nonce (outI2 KE); request ID 1 | crypto helper 0 finished build KE and nonce (outI2 KE); request ID 1 time elapsed 0.00057 seconds | (#1) spent 0.577 milliseconds in crypto helper computing work-order 1: outI2 KE (pcr) | crypto helper 0 sending results from work-order 1 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f2984001e30 size 128 | crypto helper 0 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "westnet-eastnet-aggr" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 0 replies to request ID 1 | calling continuation function 0x555e27de3630 | aggr inI1_outR1: calculated ke+nonce, calculating DH | started looking for secret for @east->@west of kind PKK_PSK | actually looking for secret for @east->@west of kind PKK_PSK | line 1: key type PKK_PSK(@east) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding aggr outR1 DH work-order 2 for state #1 | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x555e28bf0100 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x555e28bf00c0 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x555e28bf00c0 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x555e28bf0100 size 128 | suspending state #1 and saving MD | #1 is busy; has a suspended MD | resume sending helper answer for #1 suppresed complete_v1_state_transition() and stole MD | #1 spent 0.0452 milliseconds in resume sending helper answer | stop processing: state #1 connection "westnet-eastnet-aggr" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f2984001e30 | crypto helper 5 resuming | crypto helper 5 starting work-order 2 for state #1 | crypto helper 5 doing compute dh+iv (V1 Phase 1) (aggr outR1 DH); request ID 2 | crypto helper 5 finished compute dh+iv (V1 Phase 1) (aggr outR1 DH); request ID 2 time elapsed 0.000724 seconds | (#1) spent 0.731 milliseconds in crypto helper computing work-order 2: aggr outR1 DH (pcr) | crypto helper 5 sending results from work-order 2 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f297c00b6b0 size 128 | crypto helper 5 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "westnet-eastnet-aggr" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 5 replies to request ID 2 | calling continuation function 0x555e27de3630 | aggr_inI1_outR1_continue2 for #1: calculated ke+nonce+DH, sending R1 | thinking about whether to send my certificate: | I have RSA key: OAKLEY_RSA_SIG cert.type: 0?? | sendcert: CERT_ALWAYSSEND and I did not get a certificate request | so do not send cert. | I did not send a certificate because I do not have one. | I am not sending a certificate request | **emit ISAKMP Message: | initiator cookie: | 12 b8 27 1e a5 16 ff 34 | responder cookie: | b0 4f 73 44 aa 0e 52 f4 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_AGGR (0x4) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 1:ISAKMP_NEXT_SA | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 40 (0x28) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 32 (0x20) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | OAKLEY proposal verified; matching alg_info found | Oakley Transform 0 accepted | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | emitting 24 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP) | attributes 80 0b 00 01 80 0c 0e 10 80 01 00 05 80 02 00 02 | attributes 80 03 00 03 80 04 00 05 | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | emitting length of ISAKMP Proposal Payload: 40 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 52 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 192 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value 5f ed 4e c8 f5 3e c0 08 09 81 d6 99 0d bf b6 7b | keyex value e2 92 27 e1 3c 36 ac c0 2a 85 ed 1c bc 26 3c 39 | keyex value c6 af c1 c9 c3 ec ea 82 eb d2 e3 6d d2 ea c9 55 | keyex value 32 72 10 7e 38 a2 76 cb 75 fb 36 87 47 6d 19 38 | keyex value 50 14 50 c8 36 e8 eb 42 b4 d9 3f 87 9d d5 3a 95 | keyex value ec 50 e4 1d d9 5f 46 e5 9f ed 72 e2 5b 3f 73 a4 | keyex value 49 e7 5d d3 88 15 28 1f ea 3b ae f8 cd 4c 19 9a | keyex value bf bf b3 7f ab d3 d6 34 48 3b f9 46 8b 2c a0 1a | keyex value 57 38 33 b0 af ed 4c 66 bc 66 05 36 4f f5 18 f9 | keyex value b0 15 41 57 2f 6e 34 d7 11 44 d9 80 48 e8 d5 4e | keyex value 50 3f 5a df 77 fd 3b 52 79 dd 5c 0d d3 06 1f c5 | keyex value a3 61 d8 e2 84 37 37 3e c1 f9 dc 61 d8 58 e2 6d | emitting length of ISAKMP Key Exchange Payload: 196 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr b4 71 51 ec 86 21 f1 f1 93 5d 96 4e 4d 0b 54 7d | Nr f8 32 33 4a 98 cc b4 80 83 c5 ea a6 3c 68 ae c6 | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_SIG (0x9) | ID type: ID_FQDN (0x2) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 9:ISAKMP_NEXT_SIG | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI) | my identity 65 61 73 74 | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 | started looking for secret for @east->@west of kind PKK_RSA | actually looking for secret for @east->@west of kind PKK_RSA | line 1: key type PKK_RSA(@east) to type PKK_RSA | 1: compared key (none) to @east / @west -> 002 | 2: compared key (none) to @east / @west -> 002 | line 1: match=002 | match 002 beats previous best_match 000 match=0x555e28be3ff0 (line=1) | concluding with best_match=002 best=0x555e28be3ff0 (lineno=1) | ***emit ISAKMP Signature Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Signature Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Signature Payload (9:ISAKMP_NEXT_SIG) | next payload chain: saving location 'ISAKMP Signature Payload'.'next payload type' in 'reply packet' | emitting 274 raw bytes of SIG_R into ISAKMP Signature Payload | SIG_R 83 05 a8 b3 c3 86 72 1b fd e4 1e 1b 41 e8 b8 8a | SIG_R 5a 97 c6 56 58 bb a7 45 da 01 91 3c 6a 73 b4 58 | SIG_R fc a6 5c f9 a4 f4 88 f6 f2 11 fa 30 c8 41 01 29 | SIG_R 24 e9 d0 c9 14 1a 6b b9 83 df 0f b8 f7 f3 97 5e | SIG_R 69 e4 33 11 38 bb f6 ce e3 74 04 22 c7 38 37 54 | SIG_R 31 20 8b fc 48 29 b4 f8 37 d4 4e 92 38 3f e9 62 | SIG_R c2 71 eb 41 73 2f 64 ac 2b 15 81 1b 43 8a 37 d4 | SIG_R b8 94 31 0a 25 34 62 80 8a 79 48 b1 84 81 bd e9 | SIG_R 85 83 8b bb eb af 59 6c d7 84 40 d6 85 ff f1 cf | SIG_R 9f 91 35 1f 0b 2f 1c 81 62 45 0d 73 3d 35 b7 f5 | SIG_R 57 69 22 88 3e 24 65 a2 7a 87 6e 1b 53 ad f7 21 | SIG_R 40 17 13 a1 e5 6f 94 bf b1 bc f0 3f 06 e0 fb e4 | SIG_R 86 13 83 a3 c7 5a fd 7c 1f c5 93 53 a4 8d 60 31 | SIG_R 0d 0d 6a 0d ce 51 2b 5e b8 50 72 34 f2 c6 c8 08 | SIG_R 03 98 de 60 3b 50 f4 cb a1 4c 97 a3 a1 e3 57 4d | SIG_R d7 83 04 49 2c 52 35 a8 ac 07 15 0f 1a 94 9e 28 | SIG_R e0 ea b0 35 b6 2f d7 e1 e1 a5 bb fd cf c0 61 b0 | SIG_R 9e 33 | emitting length of ISAKMP Signature Payload: 278 | out_vid(): sending [FRAGMENTATION] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Signature Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [Dead Peer Detection] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [RFC 3947] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | emitting length of ISAKMP Vendor ID Payload: 20 | sending NAT-D payloads | natd_hash: hasher=0x555e27eb97a0(20) | natd_hash: icookie= 12 b8 27 1e a5 16 ff 34 | natd_hash: rcookie= b0 4f 73 44 aa 0e 52 f4 | natd_hash: ip= c0 01 02 2d | natd_hash: port= 01 f4 | natd_hash: hash= 6d ce 87 72 16 b7 0a 29 d5 1d 40 c0 1d 4d 08 18 | natd_hash: hash= a4 12 7b cc | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | next payload chain: ignoring supplied 'ISAKMP NAT-D Payload'.'next payload type' value 20:ISAKMP_NEXT_NATD_RFC | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 6d ce 87 72 16 b7 0a 29 d5 1d 40 c0 1d 4d 08 18 | NAT-D a4 12 7b cc | emitting length of ISAKMP NAT-D Payload: 24 | natd_hash: hasher=0x555e27eb97a0(20) | natd_hash: icookie= 12 b8 27 1e a5 16 ff 34 | natd_hash: rcookie= b0 4f 73 44 aa 0e 52 f4 | natd_hash: ip= c0 01 02 17 | natd_hash: port= 01 f4 | natd_hash: hash= 86 a9 89 21 1c 73 9b 67 d7 0e ee 84 ee e0 81 81 | natd_hash: hash= 0b 67 b5 b8 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP NAT-D Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 86 a9 89 21 1c 73 9b 67 d7 0e ee 84 ee e0 81 81 | NAT-D 0b 67 b5 b8 | emitting length of ISAKMP NAT-D Payload: 24 | padding IKEv1 message with 2 bytes | emitting 2 zero bytes of message padding into ISAKMP Message | emitting length of ISAKMP Message: 712 | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "westnet-eastnet-aggr" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:no, t_xauth_client_done:no | peer supports fragmentation | peer supports DPD | IKEv1: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1 | event_already_set, deleting event | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x555e28bf0100 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x555e28bf00c0 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 712 bytes for STATE_AGGR_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 12 b8 27 1e a5 16 ff 34 b0 4f 73 44 aa 0e 52 f4 | 01 10 04 00 00 00 00 00 00 00 02 c8 04 00 00 34 | 00 00 00 01 00 00 00 01 00 00 00 28 00 01 00 01 | 00 00 00 20 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 00 03 80 04 00 05 | 0a 00 00 c4 5f ed 4e c8 f5 3e c0 08 09 81 d6 99 | 0d bf b6 7b e2 92 27 e1 3c 36 ac c0 2a 85 ed 1c | bc 26 3c 39 c6 af c1 c9 c3 ec ea 82 eb d2 e3 6d | d2 ea c9 55 32 72 10 7e 38 a2 76 cb 75 fb 36 87 | 47 6d 19 38 50 14 50 c8 36 e8 eb 42 b4 d9 3f 87 | 9d d5 3a 95 ec 50 e4 1d d9 5f 46 e5 9f ed 72 e2 | 5b 3f 73 a4 49 e7 5d d3 88 15 28 1f ea 3b ae f8 | cd 4c 19 9a bf bf b3 7f ab d3 d6 34 48 3b f9 46 | 8b 2c a0 1a 57 38 33 b0 af ed 4c 66 bc 66 05 36 | 4f f5 18 f9 b0 15 41 57 2f 6e 34 d7 11 44 d9 80 | 48 e8 d5 4e 50 3f 5a df 77 fd 3b 52 79 dd 5c 0d | d3 06 1f c5 a3 61 d8 e2 84 37 37 3e c1 f9 dc 61 | d8 58 e2 6d 05 00 00 24 b4 71 51 ec 86 21 f1 f1 | 93 5d 96 4e 4d 0b 54 7d f8 32 33 4a 98 cc b4 80 | 83 c5 ea a6 3c 68 ae c6 09 00 00 0c 02 00 00 00 | 65 61 73 74 0d 00 01 16 83 05 a8 b3 c3 86 72 1b | fd e4 1e 1b 41 e8 b8 8a 5a 97 c6 56 58 bb a7 45 | da 01 91 3c 6a 73 b4 58 fc a6 5c f9 a4 f4 88 f6 | f2 11 fa 30 c8 41 01 29 24 e9 d0 c9 14 1a 6b b9 | 83 df 0f b8 f7 f3 97 5e 69 e4 33 11 38 bb f6 ce | e3 74 04 22 c7 38 37 54 31 20 8b fc 48 29 b4 f8 | 37 d4 4e 92 38 3f e9 62 c2 71 eb 41 73 2f 64 ac | 2b 15 81 1b 43 8a 37 d4 b8 94 31 0a 25 34 62 80 | 8a 79 48 b1 84 81 bd e9 85 83 8b bb eb af 59 6c | d7 84 40 d6 85 ff f1 cf 9f 91 35 1f 0b 2f 1c 81 | 62 45 0d 73 3d 35 b7 f5 57 69 22 88 3e 24 65 a2 | 7a 87 6e 1b 53 ad f7 21 40 17 13 a1 e5 6f 94 bf | b1 bc f0 3f 06 e0 fb e4 86 13 83 a3 c7 5a fd 7c | 1f c5 93 53 a4 8d 60 31 0d 0d 6a 0d ce 51 2b 5e | b8 50 72 34 f2 c6 c8 08 03 98 de 60 3b 50 f4 cb | a1 4c 97 a3 a1 e3 57 4d d7 83 04 49 2c 52 35 a8 | ac 07 15 0f 1a 94 9e 28 e0 ea b0 35 b6 2f d7 e1 | e1 a5 bb fd cf c0 61 b0 9e 33 0d 00 00 14 40 48 | b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 0d 00 | 00 14 af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 | 01 00 14 00 00 14 4a 13 1c 81 07 03 58 45 5c 57 | 28 f2 0e 95 45 2f 14 00 00 18 6d ce 87 72 16 b7 | 0a 29 d5 1d 40 c0 1d 4d 08 18 a4 12 7b cc 00 00 | 00 18 86 a9 89 21 1c 73 9b 67 d7 0e ee 84 ee e0 | 81 81 0b 67 b5 b8 00 00 | !event_already_set at reschedule | event_schedule: new EVENT_SO_DISCARD-pe@0x555e28bf07a0 | inserting event EVENT_SO_DISCARD, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x555e28bf0100 size 128 "westnet-eastnet-aggr" #1: STATE_AGGR_R1: sent AR1, expecting AI2 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 5.83 milliseconds in resume sending helper answer | stop processing: state #1 connection "westnet-eastnet-aggr" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f297c00b6b0