FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:12653 core dump dir: /run/pluto secrets file: /etc/ipsec.secrets leak-detective disabled NSS crypto [enabled] XAUTH PAM support [enabled] | libevent is using pluto's memory allocator Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | libevent_malloc: new ptr-libevent@0x563abe1192b0 size 40 | libevent_malloc: new ptr-libevent@0x563abe1192e0 size 40 | libevent_malloc: new ptr-libevent@0x563abe11aa90 size 40 | creating event base | libevent_malloc: new ptr-libevent@0x563abe11aa50 size 56 | libevent_malloc: new ptr-libevent@0x563abe11aac0 size 664 | libevent_malloc: new ptr-libevent@0x563abe11ad60 size 24 | libevent_malloc: new ptr-libevent@0x563abe0d42f0 size 384 | libevent_malloc: new ptr-libevent@0x563abe11ad80 size 16 | libevent_malloc: new ptr-libevent@0x563abe11ada0 size 40 | libevent_malloc: new ptr-libevent@0x563abe11add0 size 48 | libevent_realloc: new ptr-libevent@0x563abe11ae10 size 256 | libevent_malloc: new ptr-libevent@0x563abe11af20 size 16 | libevent_free: release ptr-libevent@0x563abe11aa50 | libevent initialized | libevent_realloc: new ptr-libevent@0x563abe11af40 size 64 | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized | global one-shot timer EVENT_FREE_ROOT_CERTS initialized | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds | global one-shot timer EVENT_REVIVE_CONNS initialized | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 | starting up helper thread 0 | status value returned by setting the priority of this thread (crypto helper 0) 22 | crypto helper 0 waiting (nothing to do) started thread for crypto helper 1 started thread for crypto helper 2 | starting up helper thread 2 | status value returned by setting the priority of this thread (crypto helper 2) 22 | crypto helper 2 waiting (nothing to do) started thread for crypto helper 3 | starting up helper thread 3 | status value returned by setting the priority of this thread (crypto helper 3) 22 | crypto helper 3 waiting (nothing to do) started thread for crypto helper 4 | starting up helper thread 4 | status value returned by setting the priority of this thread (crypto helper 4) 22 | crypto helper 4 waiting (nothing to do) started thread for crypto helper 5 | starting up helper thread 5 | status value returned by setting the priority of this thread (crypto helper 5) 22 | crypto helper 5 waiting (nothing to do) started thread for crypto helper 6 | starting up helper thread 6 | status value returned by setting the priority of this thread (crypto helper 6) 22 | checking IKEv1 state table | crypto helper 6 waiting (nothing to do) | MAIN_R0: category: half-open IKE SA flags: 0: | -> MAIN_R1 EVENT_SO_DISCARD | MAIN_I1: category: half-open IKE SA flags: 0: | -> MAIN_I2 EVENT_RETRANSMIT | MAIN_R1: category: open IKE SA flags: 200: | -> MAIN_R2 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_I2: category: open IKE SA flags: 0: | -> MAIN_I3 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_R2: category: open IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | -> MAIN_R3 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_I3: category: open IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | -> MAIN_I4 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_R3: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | MAIN_I4: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | AGGR_R0: category: half-open IKE SA flags: 0: | -> AGGR_R1 EVENT_SO_DISCARD | AGGR_I1: category: half-open IKE SA flags: 0: | -> AGGR_I2 EVENT_SA_REPLACE | -> AGGR_I2 EVENT_SA_REPLACE | AGGR_R1: category: open IKE SA flags: 200: | -> AGGR_R2 EVENT_SA_REPLACE | -> AGGR_R2 EVENT_SA_REPLACE | AGGR_I2: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | AGGR_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | QUICK_R0: category: established CHILD SA flags: 0: | -> QUICK_R1 EVENT_RETRANSMIT | QUICK_I1: category: established CHILD SA flags: 0: | -> QUICK_I2 EVENT_SA_REPLACE | QUICK_R1: category: established CHILD SA flags: 0: | -> QUICK_R2 EVENT_SA_REPLACE | QUICK_I2: category: established CHILD SA flags: 200: | -> UNDEFINED EVENT_NULL | QUICK_R2: category: established CHILD SA flags: 0: | -> UNDEFINED EVENT_NULL | INFO: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | INFO_PROTECTED: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | XAUTH_R0: category: established IKE SA flags: 0: | -> XAUTH_R1 EVENT_NULL | XAUTH_R1: category: established IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | MODE_CFG_R0: category: informational flags: 0: | -> MODE_CFG_R1 EVENT_SA_REPLACE | MODE_CFG_R1: category: established IKE SA flags: 0: | -> MODE_CFG_R2 EVENT_SA_REPLACE | MODE_CFG_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | MODE_CFG_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | XAUTH_I0: category: established IKE SA flags: 0: | -> XAUTH_I1 EVENT_RETRANSMIT | XAUTH_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_RETRANSMIT | checking IKEv2 state table | PARENT_I0: category: ignore flags: 0: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) | PARENT_I1: category: half-open IKE SA flags: 0: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) | PARENT_I2: category: open IKE SA flags: 0: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) | PARENT_I3: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) | PARENT_R0: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) | PARENT_R1: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) | PARENT_R2: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) | V2_CREATE_I0: category: established IKE SA flags: 0: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) | V2_CREATE_I: category: established IKE SA flags: 0: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) | V2_REKEY_IKE_I: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: | V2_CREATE_R: category: established IKE SA flags: 0: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) | V2_REKEY_IKE_R: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: | V2_IPSEC_I: category: established CHILD SA flags: 0: | V2_IPSEC_R: category: established CHILD SA flags: 0: | IKESA_DEL: category: established IKE SA flags: 0: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) | CHILDSA_DEL: category: informational flags: 0: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | adding HMAC_SHA2_384_192 to kernel algorithm db | adding HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds | setup kernel fd callback | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x563abe125700 | libevent_malloc: new ptr-libevent@0x563abe12c7d0 size 128 | libevent_malloc: new ptr-libevent@0x563abe125660 size 16 | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x563abe11fbb0 | libevent_malloc: new ptr-libevent@0x563abe12c860 size 128 | libevent_malloc: new ptr-libevent@0x563abe125640 size 16 | global one-shot timer EVENT_CHECK_CRLS initialized selinux support is enabled. systemd watchdog not enabled - not sending watchdog keepalives | unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | outgoing-port-avoid set 0-65535 | outgoing-port-permit set 32768-60999 | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x563abe11f970 | libevent_malloc: new ptr-libevent@0x563abe136de0 size 128 | libevent_malloc: new ptr-libevent@0x563abe136e70 size 16 | libevent_realloc: new ptr-libevent@0x563abe136e90 size 256 | libevent_malloc: new ptr-libevent@0x563abe136fa0 size 8 | libevent_realloc: new ptr-libevent@0x563abe12bad0 size 144 | libevent_malloc: new ptr-libevent@0x563abe136fc0 size 152 | libevent_malloc: new ptr-libevent@0x563abe137060 size 16 | signal event handler PLUTO_SIGCHLD installed | libevent_malloc: new ptr-libevent@0x563abe137080 size 8 | libevent_malloc: new ptr-libevent@0x563abe1370a0 size 152 | signal event handler PLUTO_SIGTERM installed | libevent_malloc: new ptr-libevent@0x563abe137140 size 8 | libevent_malloc: new ptr-libevent@0x563abe137160 size 152 | signal event handler PLUTO_SIGHUP installed | libevent_malloc: new ptr-libevent@0x563abe137200 size 8 | libevent_realloc: release ptr-libevent@0x563abe12bad0 | libevent_realloc: new ptr-libevent@0x563abe137220 size 256 | libevent_malloc: new ptr-libevent@0x563abe12bad0 size 152 | signal event handler PLUTO_SIGSYS installed | created addconn helper (pid:12750) using fork+execve | forked child 12750 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 Kernel supports NIC esp-hw-offload adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth1/eth1 192.1.2.23:4500 adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.0.2.254:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | no interfaces to sort | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | add_fd_read_event_handler: new ethX-pe@0x563abe120a70 | libevent_malloc: new ptr-libevent@0x563abe137600 size 128 | libevent_malloc: new ptr-libevent@0x563abe137690 size 16 | setup callback for interface lo 127.0.0.1:4500 fd 22 | add_fd_read_event_handler: new ethX-pe@0x563abe1376b0 | libevent_malloc: new ptr-libevent@0x563abe1376f0 size 128 | libevent_malloc: new ptr-libevent@0x563abe137780 size 16 | setup callback for interface lo 127.0.0.1:500 fd 21 | add_fd_read_event_handler: new ethX-pe@0x563abe1377a0 | libevent_malloc: new ptr-libevent@0x563abe1377e0 size 128 | libevent_malloc: new ptr-libevent@0x563abe137870 size 16 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | add_fd_read_event_handler: new ethX-pe@0x563abe137890 | libevent_malloc: new ptr-libevent@0x563abe1378d0 size 128 | libevent_malloc: new ptr-libevent@0x563abe137960 size 16 | setup callback for interface eth0 192.0.2.254:500 fd 19 | add_fd_read_event_handler: new ethX-pe@0x563abe137980 | libevent_malloc: new ptr-libevent@0x563abe1379c0 size 128 | libevent_malloc: new ptr-libevent@0x563abe137a50 size 16 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | add_fd_read_event_handler: new ethX-pe@0x563abe137a70 | libevent_malloc: new ptr-libevent@0x563abe137ab0 size 128 | libevent_malloc: new ptr-libevent@0x563abe137b40 size 16 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.673 milliseconds in whack | starting up helper thread 1 | status value returned by setting the priority of this thread (crypto helper 1) 22 | crypto helper 1 waiting (nothing to do) | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 | no interfaces to sort | libevent_free: release ptr-libevent@0x563abe137600 | free_event_entry: release EVENT_NULL-pe@0x563abe120a70 | add_fd_read_event_handler: new ethX-pe@0x563abe120a70 | libevent_malloc: new ptr-libevent@0x563abe137600 size 128 | setup callback for interface lo 127.0.0.1:4500 fd 22 | libevent_free: release ptr-libevent@0x563abe1376f0 | free_event_entry: release EVENT_NULL-pe@0x563abe1376b0 | add_fd_read_event_handler: new ethX-pe@0x563abe1376b0 | libevent_malloc: new ptr-libevent@0x563abe1376f0 size 128 | setup callback for interface lo 127.0.0.1:500 fd 21 | libevent_free: release ptr-libevent@0x563abe1377e0 | free_event_entry: release EVENT_NULL-pe@0x563abe1377a0 | add_fd_read_event_handler: new ethX-pe@0x563abe1377a0 | libevent_malloc: new ptr-libevent@0x563abe1377e0 size 128 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | libevent_free: release ptr-libevent@0x563abe1378d0 | free_event_entry: release EVENT_NULL-pe@0x563abe137890 | add_fd_read_event_handler: new ethX-pe@0x563abe137890 | libevent_malloc: new ptr-libevent@0x563abe1378d0 size 128 | setup callback for interface eth0 192.0.2.254:500 fd 19 | libevent_free: release ptr-libevent@0x563abe1379c0 | free_event_entry: release EVENT_NULL-pe@0x563abe137980 | add_fd_read_event_handler: new ethX-pe@0x563abe137980 | libevent_malloc: new ptr-libevent@0x563abe1379c0 size 128 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | libevent_free: release ptr-libevent@0x563abe137ab0 | free_event_entry: release EVENT_NULL-pe@0x563abe137a70 | add_fd_read_event_handler: new ethX-pe@0x563abe137a70 | libevent_malloc: new ptr-libevent@0x563abe137ab0 size 128 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.338 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned pid 12750 (exited with status 0) | reaped addconn helper child (status 0) | waitpid returned ECHILD (no child processes left) | spent 0.0137 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection road-eastnet-ikev1 with policy ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | No AUTH policy was set - defaulting to RSASIG | counting wild cards for %fromcert is 0 | setting ID to ID_DER_ASN1_DN: 'E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' | loading right certificate 'east' pubkey | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563abe13c1f0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563abe13c1c0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563abe138850 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563abe138880 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563abe138b10 | unreference key: 0x563abe13c430 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | certs and keys locked by 'lsw_add_rsa_secret' | certs and keys unlocked by 'lsw_add_rsa_secret' | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org is 0 | based upon policy, the connection is a template. | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none | new hp@0x563abe119200 added connection description "road-eastnet-ikev1" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.0.2.0/24===192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org]...%any[%fromcert]===1.2.3.4/32 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 1.13 milliseconds in whack | spent 0.00277 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 792 bytes from 192.1.2.222:500 on eth1 (192.1.2.23:500) | d8 07 d2 5f 82 be ab ec 00 00 00 00 00 00 00 00 | 01 10 02 00 00 00 00 00 00 00 03 18 0d 00 02 84 | 00 00 00 01 00 00 00 01 00 00 02 78 00 01 00 12 | 03 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 04 80 03 00 03 80 04 00 0e | 80 0e 01 00 03 00 00 24 01 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 04 80 03 00 03 | 80 04 00 0e 80 0e 00 80 03 00 00 24 02 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 06 | 80 03 00 03 80 04 00 0e 80 0e 01 00 03 00 00 24 | 03 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 06 80 03 00 03 80 04 00 0e 80 0e 00 80 | 03 00 00 24 04 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 02 80 03 00 03 80 04 00 0e | 80 0e 01 00 03 00 00 24 05 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 02 80 03 00 03 | 80 04 00 0e 80 0e 00 80 03 00 00 24 06 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 04 | 80 03 00 03 80 04 00 05 80 0e 01 00 03 00 00 24 | 07 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 04 80 03 00 03 80 04 00 05 80 0e 00 80 | 03 00 00 24 08 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 06 80 03 00 03 80 04 00 05 | 80 0e 01 00 03 00 00 24 09 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 06 80 03 00 03 | 80 04 00 05 80 0e 00 80 03 00 00 24 0a 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 02 | 80 03 00 03 80 04 00 05 80 0e 01 00 03 00 00 24 | 0b 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 02 80 03 00 03 80 04 00 05 80 0e 00 80 | 03 00 00 20 0c 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 04 80 03 00 03 80 04 00 0e | 03 00 00 20 0d 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 06 80 03 00 03 80 04 00 0e | 03 00 00 20 0e 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 00 03 80 04 00 0e | 03 00 00 20 0f 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 04 80 03 00 03 80 04 00 05 | 03 00 00 20 10 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 06 80 03 00 03 80 04 00 05 | 00 00 00 20 11 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 00 03 80 04 00 05 | 0d 00 00 14 40 48 b7 d5 6e bc e8 85 25 e7 de 7f | 00 d6 c2 d3 0d 00 00 14 af ca d7 13 68 a1 f1 c9 | 6b 86 96 fc 77 57 01 00 0d 00 00 14 4a 13 1c 81 | 07 03 58 45 5c 57 28 f2 0e 95 45 2f 0d 00 00 14 | 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 | 0d 00 00 14 90 cb 80 91 3e bb 69 6e 08 63 81 b5 | ec 42 7b 1f 00 00 00 14 cd 60 46 43 35 df 21 f8 | 7c fd b2 fc 68 b6 a4 48 | start processing: from 192.1.2.222:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | d8 07 d2 5f 82 be ab ec | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 792 (0x318) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: IKEv1 state not found (find_state_ikev1_init) | #null state always idle | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 644 (0x284) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 20 (0x14) | message 'main_inI1_outR1' HASH payload not checked early | received Vendor ID payload [FRAGMENTATION] | received Vendor ID payload [Dead Peer Detection] | quirks.qnat_traversal_vid set to=117 [RFC 3947] | received Vendor ID payload [RFC 3947] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | in statetime_start() with no state | find_host_connection local=192.1.2.23:500 remote=192.1.2.222:500 policy=IKEV1_ALLOW but ignoring ports | find_next_host_connection policy=IKEV1_ALLOW | find_next_host_connection returns empty | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 632 (0x278) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 18 (0x12) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 1 (0x1) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 2 (0x2) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 3 (0x3) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 4 (0x4) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 5 (0x5) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 6 (0x6) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 7 (0x7) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 8 (0x8) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 9 (0x9) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 10 (0xa) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 11 (0xb) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ISAKMP transform number: 12 (0xc) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ISAKMP transform number: 13 (0xd) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ISAKMP transform number: 14 (0xe) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ISAKMP transform number: 15 (0xf) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ISAKMP transform number: 16 (0x10) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 32 (0x20) | ISAKMP transform number: 17 (0x11) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV1_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | find_next_host_connection policy=RSASIG+IKEV1_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (road-eastnet-ikev1) | find_next_host_connection returns road-eastnet-ikev1 | find_next_host_connection policy=RSASIG+IKEV1_ALLOW | find_next_host_connection returns empty | instantiating "road-eastnet-ikev1" for initial Main Mode message received on 192.1.2.23:500 | connect_to_host_pair: 192.1.2.23:500 192.1.2.222:500 -> hp@(nil): none | new hp@0x563abe0d2c50 | rw_instantiate() instantiated "road-eastnet-ikev1"[1] 192.1.2.222 for 192.1.2.222 | creating state object #1 at 0x563abe140170 | State DB: adding IKEv1 state #1 in UNDEFINED | pstats #1 ikev1.isakmp started | #1 updating local interface from to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) | start processing: state #1 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:500 (in main_inI1_outR1() at ikev1_main.c:667) | parent state #1: UNDEFINED(ignore) => MAIN_R0(half-open IKE SA) | sender checking NAT-T: enabled; VID 117 | returning NAT-T method NAT_TRAVERSAL_METHOD_IETF_RFC | enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) | ICOOKIE-DUMP: d8 07 d2 5f 82 be ab ec "road-eastnet-ikev1"[1] 192.1.2.222 #1: responding to Main Mode from unknown peer 192.1.2.222:500 | **emit ISAKMP Message: | initiator cookie: | d8 07 d2 5f 82 be ab ec | responder cookie: | 58 4a 1f 22 be c6 4c bb | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 1:ISAKMP_NEXT_SA | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 632 (0x278) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 18 (0x12) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | OAKLEY proposal verified unconditionally; no alg_info to check against | Oakley Transform 0 accepted | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | emitting 28 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP) | attributes 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 04 | attributes 80 03 00 03 80 04 00 0e 80 0e 01 00 | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | out_vid(): sending [FRAGMENTATION] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [Dead Peer Detection] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [RFC 3947] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | emitting length of ISAKMP Vendor ID Payload: 20 | no IKEv1 message padding required | emitting length of ISAKMP Message: 144 | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:no, t_xauth_client_done:no | peer supports fragmentation | peer supports DPD | IKEv1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 | parent state #1: MAIN_R0(half-open IKE SA) => MAIN_R1(open IKE SA) | event_already_set, deleting event | sending reply packet to 192.1.2.222:500 (from 192.1.2.23:500) | sending 144 bytes for STATE_MAIN_R0 through eth1 from 192.1.2.23:500 to 192.1.2.222:500 (using #1) | d8 07 d2 5f 82 be ab ec 58 4a 1f 22 be c6 4c bb | 01 10 02 00 00 00 00 00 00 00 00 90 0d 00 00 38 | 00 00 00 01 00 00 00 01 00 00 00 2c 00 01 00 01 | 00 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 04 80 03 00 03 80 04 00 0e | 80 0e 01 00 0d 00 00 14 40 48 b7 d5 6e bc e8 85 | 25 e7 de 7f 00 d6 c2 d3 0d 00 00 14 af ca d7 13 | 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 00 00 00 14 | 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | !event_already_set at reschedule | event_schedule: new EVENT_SO_DISCARD-pe@0x563abe13c120 | inserting event EVENT_SO_DISCARD, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x563abe13c220 size 128 "road-eastnet-ikev1"[1] 192.1.2.222 #1: STATE_MAIN_R1: sent MR1, expecting MI2 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | stop processing: from 192.1.2.222:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 1.49 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00239 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 396 bytes from 192.1.2.222:500 on eth1 (192.1.2.23:500) | d8 07 d2 5f 82 be ab ec 58 4a 1f 22 be c6 4c bb | 04 10 02 00 00 00 00 00 00 00 01 8c 0a 00 01 04 | 1d 22 21 bd c1 2b 45 2e 2a 6c 26 6f 8c 38 eb 47 | 13 5e 59 00 ae e3 25 df cc 3d bf b7 c0 de 9e 69 | 07 4a f8 58 7f 63 b4 13 bf 48 88 50 23 d4 72 29 | f6 02 32 a0 ad d8 0b 30 52 43 48 81 e1 fd 88 b4 | cc 3d a4 81 62 6d bd de b6 e7 0f d2 16 83 fa dc | ae b7 ed 8e 1a 8d 5f e1 9f 9a c5 8a a1 6c a9 c6 | 59 c3 57 a0 d1 c7 f4 ed 5b be a8 78 83 1a 1e 76 | 4b 3e 32 e1 1d ed 0c d1 b1 df ae 63 c0 6c a5 08 | bc 46 7b bf 6e 41 6e 96 5b cf 95 07 c7 d7 ab e8 | 32 3e a8 40 1c e7 57 24 91 e1 99 7e 1a ba 07 cc | f5 91 4f 0e df d5 4c 00 94 3d d6 68 fa d5 49 a4 | fc ae d3 9b 78 2e e0 70 fe e7 33 67 5d 09 ba b4 | f8 55 ff 55 c8 c4 b9 9a a1 aa 09 3d e4 e3 25 54 | 9e 16 06 26 5b 1a 3a 08 ca af a3 41 e9 ae 12 e7 | c1 84 07 2c d0 88 8a db 67 97 53 90 9e d6 6a 03 | 06 a6 f3 9c 80 73 ac c0 a9 a4 ff cb 3a 2d 61 7b | 14 00 00 24 82 8e 3f e1 21 3e c8 fe 37 ed eb de | dd 2a 57 76 0a 22 02 e1 1d 99 f9 db 13 2a ea cc | 69 ff c3 3c 14 00 00 24 32 0a 8d dd ce 36 1c d1 | 53 70 47 67 a4 63 95 6e 6e 87 75 d1 75 43 e5 51 | 2d fd 09 3f 5c 4d fc 8b 00 00 00 24 54 95 ce f2 | d1 06 d9 d4 49 c6 22 d9 8b 80 4b 17 2e fa 3e 64 | cf c2 2d a5 30 25 33 1e b4 c3 a6 9c | start processing: from 192.1.2.222:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | d8 07 d2 5f 82 be ab ec | responder cookie: | 58 4a 1f 22 be c6 4c bb | next payload type: ISAKMP_NEXT_KE (0x4) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 396 (0x18c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_R1 (find_state_ikev1) | start processing: state #1 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:500 (in process_v1_packet() at ikev1.c:1435) | #1 is idle | #1 idle | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 260 (0x104) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | message 'main_inI2_outR2' HASH payload not checked early | init checking NAT-T: enabled; RFC 3947 (NAT-Traversal) | natd_hash: hasher=0x563abc123c40(32) | natd_hash: icookie= d8 07 d2 5f 82 be ab ec | natd_hash: rcookie= 58 4a 1f 22 be c6 4c bb | natd_hash: ip= c0 01 02 17 | natd_hash: port= 01 f4 | natd_hash: hash= 32 0a 8d dd ce 36 1c d1 53 70 47 67 a4 63 95 6e | natd_hash: hash= 6e 87 75 d1 75 43 e5 51 2d fd 09 3f 5c 4d fc 8b | natd_hash: hasher=0x563abc123c40(32) | natd_hash: icookie= d8 07 d2 5f 82 be ab ec | natd_hash: rcookie= 58 4a 1f 22 be c6 4c bb | natd_hash: ip= c0 01 02 de | natd_hash: port= 01 f4 | natd_hash: hash= a4 20 43 13 f1 5c 07 43 e7 04 f4 ec 21 50 93 dd | natd_hash: hash= 85 7e 92 17 2e 54 82 c4 45 4b 57 62 7b b3 cf e8 | expected NAT-D(me): 32 0a 8d dd ce 36 1c d1 53 70 47 67 a4 63 95 6e | expected NAT-D(me): 6e 87 75 d1 75 43 e5 51 2d fd 09 3f 5c 4d fc 8b | expected NAT-D(him): | a4 20 43 13 f1 5c 07 43 e7 04 f4 ec 21 50 93 dd | 85 7e 92 17 2e 54 82 c4 45 4b 57 62 7b b3 cf e8 | received NAT-D: 32 0a 8d dd ce 36 1c d1 53 70 47 67 a4 63 95 6e | received NAT-D: 6e 87 75 d1 75 43 e5 51 2d fd 09 3f 5c 4d fc 8b | received NAT-D: 54 95 ce f2 d1 06 d9 d4 49 c6 22 d9 8b 80 4b 17 | received NAT-D: 2e fa 3e 64 cf c2 2d a5 30 25 33 1e b4 c3 a6 9c | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is behind NAT 192.1.2.222 | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.222 | NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: peer behind NAT | NAT_T_WITH_KA detected | global one-shot timer EVENT_NAT_T_KEEPALIVE scheduled in 20 seconds | adding inI2_outR2 KE work-order 1 for state #1 | state #1 requesting EVENT_SO_DISCARD to be deleted | libevent_free: release ptr-libevent@0x563abe13c220 | free_event_entry: release EVENT_SO_DISCARD-pe@0x563abe13c120 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x563abe13c120 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x563abe13c220 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:500 (in complete_v1_state_transition() at ikev1.c:2624) | suspending state #1 and saving MD | #1 is busy; has a suspended MD | #1 spent 0.125 milliseconds in process_packet_tail() | stop processing: from 192.1.2.222:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.274 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 0 resuming | crypto helper 0 starting work-order 1 for state #1 | crypto helper 0 doing build KE and nonce (inI2_outR2 KE); request ID 1 | crypto helper 0 finished build KE and nonce (inI2_outR2 KE); request ID 1 time elapsed 0.000924 seconds | (#1) spent 0.931 milliseconds in crypto helper computing work-order 1: inI2_outR2 KE (pcr) | crypto helper 0 sending results from work-order 1 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7fb380006900 size 128 | crypto helper 0 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:500 (in resume_handler() at server.c:797) | crypto helper 0 replies to request ID 1 | calling continuation function 0x563abc04d630 | main_inI2_outR2_continue for #1: calculated ke+nonce, sending R2 | **emit ISAKMP Message: | initiator cookie: | d8 07 d2 5f 82 be ab ec | responder cookie: | 58 4a 1f 22 be c6 4c bb | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value 69 e7 d6 ed ea 41 72 c9 ff d0 fb 23 7c f8 1d 4b | keyex value a6 1b 8c f0 2f 9a 54 b3 12 fc 30 0c 05 00 24 3a | keyex value d4 16 15 d0 ce 17 3f 52 89 b4 19 53 a5 aa 8b 2a | keyex value b7 d7 be 4a 7d ff 34 58 b9 77 c7 a5 d0 86 48 d1 | keyex value 50 ef 16 8f e8 e4 20 a7 4e 52 fe 78 e7 8c bb 30 | keyex value be 32 cd 55 61 f3 f5 95 c6 f3 01 31 a4 f0 26 6d | keyex value 07 31 67 1e f8 b7 85 d6 6c 0f 38 e1 8b 88 ce 44 | keyex value ef ad c6 d7 e4 56 eb 9f aa a4 0b e9 33 f7 30 fa | keyex value dc 0e ec f2 83 a6 a2 60 b1 4c 20 cd 1d c2 53 a9 | keyex value a7 1c 4e 5a 9d a3 04 e2 18 3b ce 5f 61 7e ec 76 | keyex value bb 29 08 2f 95 6b ff 60 0d f6 76 82 d2 11 1c 7a | keyex value 30 02 28 ea f1 85 f0 41 f5 d7 6b eb a8 62 04 88 | keyex value e1 0a ee 09 b5 c3 73 4c 3f 75 f5 2d 59 7c d3 00 | keyex value 25 54 71 ac 57 71 5f 09 9f 03 ed c1 4f 37 5a 9b | keyex value 7a c2 7b 72 68 6a 4f 07 2a 99 87 db bf 1d 6a 47 | keyex value 77 f3 f9 50 ef b0 82 ba 20 ba f3 06 7b e9 18 5d | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_CR (0x7) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 7:ISAKMP_NEXT_CR | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr 04 9a 02 63 63 fa 71 02 be 72 b3 b7 42 a6 de 38 | Nr 51 4c 93 b6 c1 1f d6 5c aa 85 18 9e cd 43 6a 22 | emitting length of ISAKMP Nonce Payload: 36 | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | ***emit ISAKMP Certificate RequestPayload: | next payload type: ISAKMP_NEXT_NONE (0x0) | cert type: CERT_X509_SIGNATURE (0x4) | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Certificate RequestPayload (7:ISAKMP_NEXT_CR) | next payload chain: saving location 'ISAKMP Certificate RequestPayload'.'next payload type' in 'reply packet' | emitting 175 raw bytes of CA into ISAKMP Certificate RequestPayload | CA 30 81 ac 31 0b 30 09 06 03 55 04 06 13 02 43 41 | CA 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | CA 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | CA 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | CA 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | CA 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | CA 6e 74 31 25 30 23 06 03 55 04 03 0c 1c 4c 69 62 | CA 72 65 73 77 61 6e 20 74 65 73 74 20 43 41 20 66 | CA 6f 72 20 6d 61 69 6e 63 61 31 24 30 22 06 09 2a | CA 86 48 86 f7 0d 01 09 01 16 15 74 65 73 74 69 6e | CA 67 40 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 | emitting length of ISAKMP Certificate RequestPayload: 180 | sending NAT-D payloads | natd_hash: hasher=0x563abc123c40(32) | natd_hash: icookie= d8 07 d2 5f 82 be ab ec | natd_hash: rcookie= 58 4a 1f 22 be c6 4c bb | natd_hash: ip= c0 01 02 de | natd_hash: port= 01 f4 | natd_hash: hash= a4 20 43 13 f1 5c 07 43 e7 04 f4 ec 21 50 93 dd | natd_hash: hash= 85 7e 92 17 2e 54 82 c4 45 4b 57 62 7b b3 cf e8 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | next payload chain: ignoring supplied 'ISAKMP NAT-D Payload'.'next payload type' value 20:ISAKMP_NEXT_NATD_RFC | next payload chain: setting previous 'ISAKMP Certificate RequestPayload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D a4 20 43 13 f1 5c 07 43 e7 04 f4 ec 21 50 93 dd | NAT-D 85 7e 92 17 2e 54 82 c4 45 4b 57 62 7b b3 cf e8 | emitting length of ISAKMP NAT-D Payload: 36 | natd_hash: hasher=0x563abc123c40(32) | natd_hash: icookie= d8 07 d2 5f 82 be ab ec | natd_hash: rcookie= 58 4a 1f 22 be c6 4c bb | natd_hash: ip= c0 01 02 17 | natd_hash: port= 01 f4 | natd_hash: hash= 32 0a 8d dd ce 36 1c d1 53 70 47 67 a4 63 95 6e | natd_hash: hash= 6e 87 75 d1 75 43 e5 51 2d fd 09 3f 5c 4d fc 8b | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP NAT-D Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 32 0a 8d dd ce 36 1c d1 53 70 47 67 a4 63 95 6e | NAT-D 6e 87 75 d1 75 43 e5 51 2d fd 09 3f 5c 4d fc 8b | emitting length of ISAKMP NAT-D Payload: 36 | no IKEv1 message padding required | emitting length of ISAKMP Message: 576 | main inI2_outR2: starting async DH calculation (group=14) | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->%fromcert of kind PKK_PSK | actually looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->%fromcert of kind PKK_PSK | line 0: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org) to type PKK_RSA | line 1: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding main_inI2_outR2_tail work-order 2 for state #1 | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x563abe13c220 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x563abe13c120 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x563abe13c120 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x563abe13c220 size 128 | #1 main_inI2_outR2_continue1_tail:1158 st->st_calculating = FALSE; | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle; has background offloaded task | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2 | parent state #1: MAIN_R1(open IKE SA) => MAIN_R2(open IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x563abe13c220 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x563abe13c120 | sending reply packet to 192.1.2.222:500 (from 192.1.2.23:500) | sending 576 bytes for STATE_MAIN_R1 through eth1 from 192.1.2.23:500 to 192.1.2.222:500 (using #1) | d8 07 d2 5f 82 be ab ec 58 4a 1f 22 be c6 4c bb | 04 10 02 00 00 00 00 00 00 00 02 40 0a 00 01 04 | 69 e7 d6 ed ea 41 72 c9 ff d0 fb 23 7c f8 1d 4b | a6 1b 8c f0 2f 9a 54 b3 12 fc 30 0c 05 00 24 3a | d4 16 15 d0 ce 17 3f 52 89 b4 19 53 a5 aa 8b 2a | b7 d7 be 4a 7d ff 34 58 b9 77 c7 a5 d0 86 48 d1 | 50 ef 16 8f e8 e4 20 a7 4e 52 fe 78 e7 8c bb 30 | be 32 cd 55 61 f3 f5 95 c6 f3 01 31 a4 f0 26 6d | 07 31 67 1e f8 b7 85 d6 6c 0f 38 e1 8b 88 ce 44 | ef ad c6 d7 e4 56 eb 9f aa a4 0b e9 33 f7 30 fa | dc 0e ec f2 83 a6 a2 60 b1 4c 20 cd 1d c2 53 a9 | a7 1c 4e 5a 9d a3 04 e2 18 3b ce 5f 61 7e ec 76 | bb 29 08 2f 95 6b ff 60 0d f6 76 82 d2 11 1c 7a | 30 02 28 ea f1 85 f0 41 f5 d7 6b eb a8 62 04 88 | e1 0a ee 09 b5 c3 73 4c 3f 75 f5 2d 59 7c d3 00 | 25 54 71 ac 57 71 5f 09 9f 03 ed c1 4f 37 5a 9b | 7a c2 7b 72 68 6a 4f 07 2a 99 87 db bf 1d 6a 47 | 77 f3 f9 50 ef b0 82 ba 20 ba f3 06 7b e9 18 5d | 07 00 00 24 04 9a 02 63 63 fa 71 02 be 72 b3 b7 | 42 a6 de 38 51 4c 93 b6 c1 1f d6 5c aa 85 18 9e | cd 43 6a 22 14 00 00 b4 04 30 81 ac 31 0b 30 09 | 06 03 55 04 06 13 02 43 41 31 10 30 0e 06 03 55 | 04 08 0c 07 4f 6e 74 61 72 69 6f 31 10 30 0e 06 | 03 55 04 07 0c 07 54 6f 72 6f 6e 74 6f 31 12 30 | 10 06 03 55 04 0a 0c 09 4c 69 62 72 65 73 77 61 | 6e 31 18 30 16 06 03 55 04 0b 0c 0f 54 65 73 74 | 20 44 65 70 61 72 74 6d 65 6e 74 31 25 30 23 06 | 03 55 04 03 0c 1c 4c 69 62 72 65 73 77 61 6e 20 | 74 65 73 74 20 43 41 20 66 6f 72 20 6d 61 69 6e | 63 61 31 24 30 22 06 09 2a 86 48 86 f7 0d 01 09 | 01 16 15 74 65 73 74 69 6e 67 40 6c 69 62 72 65 | 73 77 61 6e 2e 6f 72 67 14 00 00 24 a4 20 43 13 | f1 5c 07 43 e7 04 f4 ec 21 50 93 dd 85 7e 92 17 | 2e 54 82 c4 45 4b 57 62 7b b3 cf e8 00 00 00 24 | 32 0a 8d dd ce 36 1c d1 53 70 47 67 a4 63 95 6e | 6e 87 75 d1 75 43 e5 51 2d fd 09 3f 5c 4d fc 8b | !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x563abe13c120 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 | libevent_malloc: new ptr-libevent@0x563abe13c220 size 128 | #1 STATE_MAIN_R2: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 49587.928224 "road-eastnet-ikev1"[1] 192.1.2.222 #1: STATE_MAIN_R2: sent MR2, expecting MI3 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.413 milliseconds in resume sending helper answer | stop processing: state #1 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fb380006900 | crypto helper 2 resuming | crypto helper 2 starting work-order 2 for state #1 | crypto helper 2 doing compute dh+iv (V1 Phase 1) (main_inI2_outR2_tail); request ID 2 | crypto helper 2 finished compute dh+iv (V1 Phase 1) (main_inI2_outR2_tail); request ID 2 time elapsed 0.001182 seconds | (#1) spent 1.19 milliseconds in crypto helper computing work-order 2: main_inI2_outR2_tail (pcr) | crypto helper 2 sending results from work-order 2 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7fb378004f00 size 128 | crypto helper 2 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:500 (in resume_handler() at server.c:797) | crypto helper 2 replies to request ID 2 | calling continuation function 0x563abc04d630 | main_inI2_outR2_calcdone for #1: calculate DH finished | [RE]START processing: state #1 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:500 (in main_inI2_outR2_continue2() at ikev1_main.c:1008) | stop processing: state #1 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:500 (in main_inI2_outR2_continue2() at ikev1_main.c:1021) | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.0196 milliseconds in resume sending helper answer | processing: STOP state #0 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fb378004f00 | spent 0.00278 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 1852 bytes from 192.1.2.222:4500 on eth1 (192.1.2.23:4500) | d8 07 d2 5f 82 be ab ec 58 4a 1f 22 be c6 4c bb | 05 10 02 01 00 00 00 00 00 00 07 3c 7c f9 e5 3a | d6 3c b1 b5 14 91 b6 16 f6 cc c5 96 d1 51 6c f5 | b4 e4 ff 7b ac 0d 25 0c 57 2b bd 78 06 11 cb a1 | 1b c9 cc 61 8d f6 5b 12 70 2a 27 ec bd 4c df 73 | 93 12 a2 ab 2c 22 cd f1 10 50 17 c6 89 b9 d0 7e | a3 76 48 2b b8 83 e3 aa ca ff 51 7b e1 ea e3 9f | 1c 65 56 a9 a4 d7 30 0c 0f b7 14 26 12 f4 12 20 | a9 9c 13 65 df b4 bb 70 db 64 ae 38 f7 e3 74 4c | 37 b7 43 ab 19 a6 9b 5d f5 ca 8b 70 da 33 65 3c | 54 41 85 14 a5 51 ce 38 2f 94 ae 7d c6 02 a3 0a | 0b 13 5d ea a9 f3 91 7c 38 45 1d 6c 16 b9 2f 45 | eb 1c 9e 9d c0 3e 0a 1f de 0f f6 fe 4c 56 dc 0f | d2 f4 c8 87 1d 0a 8c e2 02 00 45 71 c1 ed 52 bf | a3 32 4c ca a2 a4 5c 76 20 28 4e 57 b9 55 96 c3 | 23 0b 3e a4 f7 07 37 66 db e6 d2 1a 2f f9 f6 d9 | ac 21 ed bd d4 55 39 62 d1 a6 6d e7 19 4e 41 de | 1f 31 ac bd 72 42 0b be eb 79 6f 6d 73 c4 5b fd | f9 8f ec 93 4f af 23 f4 50 c3 a6 ed 71 f0 9c f9 | 8c 57 51 22 f5 ba 13 2a 4e 2d 59 73 f4 b7 aa 49 | e9 93 97 b8 b2 d6 fa 93 cb 08 8d c9 eb a7 09 cb | 3b 4a 45 8c 02 1b f7 91 ba e5 40 4c a0 88 bd 3f | 5a 07 ff fb ad 81 f4 b7 67 4b 52 c4 28 2d 77 4a | dc 46 3c a9 e0 43 f2 b4 9a eb 57 48 a1 bb 38 63 | 97 c9 c4 bf ac 53 3f ec 64 29 c9 29 b8 ea 66 d0 | 0c 39 62 0f 51 81 ff ff 0c 1a 3f 84 89 e9 d9 6e | 3b 12 01 47 8f 86 97 25 79 29 64 68 2e 04 24 cc | eb fc f7 ef 57 c4 b2 ac 4d 4d 39 32 27 d3 81 96 | 8a 87 c4 10 9a cf 2e 7b b1 2f 7f 64 55 64 4e e2 | 6d f5 0f d7 6a 57 34 a5 6d 33 c0 b6 fa d7 78 28 | 3b c9 a7 fc cc a4 9d 23 cf 82 32 11 6b 75 2c d9 | 8d c2 ac 08 9d db ec d0 a9 8c 03 17 a5 15 65 75 | 10 70 32 20 87 05 6c 8e 09 3c 22 d3 31 db ce a1 | c0 21 fb fd e7 fc 93 ce c1 44 88 d5 32 c8 53 f9 | 9d 34 a0 c6 ae ad 1c 03 da 7f 08 06 11 cd 1a b7 | 1f d4 c5 83 8a 17 83 32 9b 5e 02 e8 b0 8c a7 2a | 2c 43 4e 04 e0 c9 0c b4 6c b6 5f 8e ea f7 d0 0d | 5b 1d 4c 59 88 d5 c2 ff 70 a0 7b 2c 62 3f 05 e4 | b8 43 e1 5c 21 da 92 d8 57 7d dc 25 03 9d 96 fa | c5 7f 25 97 93 76 46 5b 46 6c 92 c9 b5 96 38 f3 | ce 0b 8b 9e b1 03 18 f2 de 06 c7 8f ff 66 0e a2 | 5c 2e b7 b9 ca f2 95 2e e2 a7 a7 69 76 7f 52 e9 | 20 7d 98 62 af 79 f2 bb ec b3 b6 0d bc d3 40 5f | b2 aa 0c 42 84 a7 dc c0 d9 fe de 69 98 f5 66 19 | 26 46 cd ea 77 a8 dd 2e 32 c0 65 d7 bf 5d b9 2c | 54 f6 56 6a 40 46 b0 b3 b1 cb d4 84 8c 6c 41 eb | 1d 72 d0 9f 5e 7c af 04 f1 10 63 77 32 6c 6f 58 | 62 44 1a 5e ad 13 77 e5 64 4d a7 aa 38 21 3e 4d | e8 fd 07 95 f2 4a fb ce ad 75 ad 7d 88 43 e6 8b | 1b 13 db 40 c2 11 f4 4c 00 ba 89 4c ff f1 87 5d | 14 d6 de 72 a1 f8 81 45 e3 73 8f 6b 01 ac 21 17 | 91 29 31 93 48 45 b4 74 2c cc 9d df 51 d1 35 ea | c8 e4 ee 44 d6 0c 54 d0 3f 74 2f 70 5c b0 07 0c | a8 34 cd 57 27 d1 c5 d9 f8 c1 bb 71 0e 0b 83 6c | 9a e3 de ae 27 99 9d 7a b7 33 23 6c 4d 31 aa 8f | d1 b0 ff f2 74 64 c6 54 ee 25 68 c1 32 d0 07 fd | 79 e9 fc 76 37 9d 54 11 5a 96 a4 e2 a8 52 d6 bc | f5 12 59 53 0a 14 1b 1e 19 00 4e b1 b7 81 79 28 | 9c 0b fa 53 a0 6f 9f 76 a0 34 1c 27 2f 41 b1 fe | df 26 d9 40 9c 59 86 60 be 1d 7c b0 e3 ff 1a cd | 92 16 f3 50 fa a5 68 28 62 a3 e0 b0 8f b1 4f 15 | 88 c5 b9 65 75 9b d4 ed 06 8e 46 c4 a2 39 d6 be | 6e 46 a9 ce 70 fa 9f 41 ee ee ec 49 cd c0 f6 a8 | 88 a9 28 97 4f b1 cc 36 d9 cc 5e 0b cb 8a c8 34 | c3 4a dc dd ea fc 4f c7 4f 94 c9 18 3a fb 54 40 | e7 2b cd 70 19 ae 41 85 a7 0d 31 91 34 7e e3 e6 | 3b dd 0c a7 0a 7a 36 74 22 d8 3e 23 24 54 c2 13 | ac 41 4c 3c f3 c8 a6 54 48 0d 84 c5 bf c6 37 0c | cd cd 50 87 ad 0a 35 50 d1 b0 f5 ee 60 67 2a 4d | da 0e 28 d6 47 79 a4 c9 4d 75 fb 65 20 1f 91 66 | 13 80 cd 61 9f 2f 95 50 ae a4 0f a2 6e 28 e8 f2 | ef 63 32 34 d9 d3 d0 90 2b 6a ce 17 0a 9b 91 f9 | f3 53 e3 e7 f7 96 2b 40 84 d2 87 44 81 dc 6e b1 | dc 97 26 39 e8 75 09 14 2c 10 9b 12 eb 53 3d 01 | 4b 1a 05 f8 a4 e4 b9 4f 05 c7 c5 fb 56 cc d5 b8 | 5f 07 71 c8 f3 3e c1 49 0a a7 d2 54 34 42 ec 45 | d7 a0 e7 e7 c2 c3 9d b5 5d ee 05 01 62 03 59 97 | b8 3a a2 0a 5e 6b b6 c4 84 97 ed 06 5a 53 9d 10 | 9d da 26 5f 7b 5e 93 1c ed e8 e7 e3 4e dd 34 f1 | 4c ae 37 44 8b 8b d0 ba b4 42 05 fd 73 4a 2e 6d | 76 33 dc 6c b2 39 1d bd ac f6 6c fd 9c 21 f0 67 | 03 80 92 df 36 07 ae 40 0f 96 08 85 a9 79 b7 1c | c4 17 b6 aa 4f 27 75 77 dd c8 53 00 8c b3 19 0f | 5d 0f 61 13 b8 71 d2 35 de 38 35 45 39 59 ff bd | 5d a2 82 b3 2e bd 61 18 da 47 41 26 29 e9 4c 9f | d1 b3 cf db 3c 38 4e bc c2 f3 12 0a b2 aa 18 99 | 69 f0 02 91 dc 6f f6 09 c7 83 72 c5 6c 17 d9 db | b4 64 23 cc 32 af a6 2b 96 bb 41 f1 17 2c 95 b7 | 5e 64 aa 34 00 87 9b 37 ef 91 36 35 27 cc 32 3e | e7 d7 44 74 f3 f4 06 35 90 f6 8d 94 1b 7e 9a 01 | dc 68 aa 74 a4 1a 6a 1e 36 4e b5 e7 eb 6d 75 ec | f9 4d 99 3a 58 7a 0f 41 06 ca 93 e6 02 8b 2d a6 | 80 fd 45 f1 72 cf b8 59 02 fc 2c 29 2f 0a cf aa | 20 74 ba 53 c1 c6 a9 dd de a9 84 56 0e eb d4 3a | e8 62 30 69 98 6d 2c e2 40 3e 54 6c 97 fb f5 d8 | bd bd 37 9b ab 3e 80 69 fd 7c 53 8a 4b 59 6f 0c | f2 77 27 4a ec 31 dd 24 39 19 da f7 e3 ee b2 9d | f6 99 3b 09 74 c5 1f 70 bf 3d d6 f5 5c 41 a4 01 | 17 7f 0b 85 2a fb 38 c7 3e f3 8d cf 99 1a 88 29 | 3d 96 76 e4 12 e4 22 c1 10 7a c8 ec 4f 76 e4 ba | f9 23 e2 d7 11 70 e5 c3 3a 8c 18 7b d8 f1 ff bf | dc 1b a1 da 84 13 74 5b b2 64 b1 73 6c 80 10 78 | 69 1d 87 a1 85 25 a1 45 0c 63 e4 3e 08 10 0c 31 | 5c 4b 12 f7 a2 c6 08 29 ef 7e eb 5d 9e a9 ff 6c | 4e 5d 63 39 c2 07 18 71 46 c2 36 68 2b 34 55 eb | 3c 57 09 ac 5f fd e2 fa 8b 53 c6 4a 87 80 ea 0c | 65 a6 34 03 4a b5 ca 6b 32 bf 36 d8 04 88 9a a6 | 79 8f 87 e8 f7 b9 38 3d a2 09 b8 28 df c5 6b c1 | 6a 1f 93 c4 f3 15 b6 91 57 94 f0 1d 8d 96 e9 eb | df 9c 47 8b ca 89 6b af 23 eb 63 5c c0 55 a2 e5 | 7f 48 1a 8e 37 2d f1 74 0e 3c 80 fe 93 cf 53 e4 | a7 79 fe 27 f0 9e 34 2b 96 46 9d c3 7e 64 1f 30 | 5d 96 28 ae 39 83 a9 4b 6e db 6d 54 b1 98 8a 17 | 50 ab c0 aa e7 2b 4b bd ee 74 c7 25 ce b1 cb cc | 51 4a 79 7c d7 40 ce b8 85 11 1d 71 91 bc 26 18 | 49 6c d7 aa cf 55 a0 e9 ed 4e b5 a3 | start processing: from 192.1.2.222:4500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | d8 07 d2 5f 82 be ab ec | responder cookie: | 58 4a 1f 22 be c6 4c bb | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | length: 1852 (0x73c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_R2 (find_state_ikev1) | start processing: state #1 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:500 (in process_v1_packet() at ikev1.c:1435) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.222:4500 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x220 opt: 0x20c0 | ***parse ISAKMP Identification Payload: | next payload type: ISAKMP_NEXT_CERT (0x6) | length: 191 (0xbf) | ID type: ID_DER_ASN1_DN (0x9) | DOI specific A: 0 (0x0) | DOI specific B: 0 (0x0) | obj: 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02 43 41 | obj: 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | obj: 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | obj: 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | obj: 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | obj: 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | obj: 6e 74 31 23 30 21 06 03 55 04 03 0c 1a 72 6f 61 | obj: 64 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | obj: 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a 86 48 | obj: 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 72 6f 61 | obj: 64 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | obj: 77 61 6e 2e 6f 72 67 | got payload 0x40 (ISAKMP_NEXT_CERT) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Certificate Payload: | next payload type: ISAKMP_NEXT_CR (0x7) | length: 1229 (0x4cd) | cert encoding: CERT_X509_SIGNATURE (0x4) | got payload 0x80 (ISAKMP_NEXT_CR) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Certificate RequestPayload: | next payload type: ISAKMP_NEXT_SIG (0x9) | length: 5 (0x5) | cert type: CERT_X509_SIGNATURE (0x4) | got payload 0x200 (ISAKMP_NEXT_SIG) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Signature Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 388 (0x184) | removing 11 bytes of padding | message 'main_inI3_outR3' HASH payload not checked early | DER ASN1 DN: 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02 43 41 | DER ASN1 DN: 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | DER ASN1 DN: 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | DER ASN1 DN: 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | DER ASN1 DN: 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | DER ASN1 DN: 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | DER ASN1 DN: 6e 74 31 23 30 21 06 03 55 04 03 0c 1a 72 6f 61 | DER ASN1 DN: 64 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | DER ASN1 DN: 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a 86 48 | DER ASN1 DN: 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 72 6f 61 | DER ASN1 DN: 64 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | DER ASN1 DN: 77 61 6e 2e 6f 72 67 "road-eastnet-ikev1"[1] 192.1.2.222 #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' | global one-shot timer EVENT_FREE_ROOT_CERTS scheduled in 300 seconds loading root certificate cache | spent 3.8 milliseconds in get_root_certs() calling PK11_ListCertsInSlot() | spent 0.0234 milliseconds in get_root_certs() filtering CAs | #1 spent 3.85 milliseconds in find_and_verify_certs() calling get_root_certs() | checking for known CERT payloads | saving certificate of type 'X509_SIGNATURE' | decoded cert: E=user-road@testing.libreswan.org,CN=road.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | #1 spent 0.682 milliseconds in find_and_verify_certs() calling decode_cert_payloads() | cert_issuer_has_current_crl: looking for a CRL issued by E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | #1 spent 0.0413 milliseconds in find_and_verify_certs() calling crl_update_check() | missing or expired CRL | crl_strict: 0, ocsp: 0, ocsp_strict: 0, ocsp_post: 0 | verify_end_cert trying profile IPsec | certificate is valid (profile IPsec) | #1 spent 0.129 milliseconds in find_and_verify_certs() calling verify_end_cert() "road-eastnet-ikev1"[1] 192.1.2.222 #1: certificate verified OK: E=user-road@testing.libreswan.org,CN=road.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563abe13c1c0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563abe13d760 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563abe138850 | unreference key: 0x563abe144670 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1-- | #1 spent 0.248 milliseconds in decode_certs() calling add_pubkey_from_nss_cert() | #1 spent 4.99 milliseconds in decode_certs() | ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' needs further ID comparison against 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' | ID_DER_ASN1_DN 'E=user-road@testing.libreswan.org,CN=road.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' matched our ID 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' | SAN ID matched, updating that.cert | X509: CERT and ID matches current connection | CR | requested CA: '%any' | refine_host_connection for IKEv1: starting with "road-eastnet-ikev1"[1] 192.1.2.222 | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | refine_host_connection: happy with starting point: "road-eastnet-ikev1"[1] 192.1.2.222 | The remote did not specify an IDr and our current connection is good enough | offered CA: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | required RSA CA is 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | checking RSA keyid 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | RSA key issuer CA is 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | an RSA Sig check passed with *AwEAAaqjE [remote certificates] | #1 spent 0.158 milliseconds in try_all_keys() trying a pubkey "road-eastnet-ikev1"[1] 192.1.2.222 #1: Authenticated using RSA | thinking about whether to send my certificate: | I have RSA key: OAKLEY_RSA_SIG cert.type: CERT_X509_SIGNATURE | sendcert: CERT_ALWAYSSEND and I did not get a certificate request | so send cert. | **emit ISAKMP Message: | initiator cookie: | d8 07 d2 5f 82 be ab ec | responder cookie: | 58 4a 1f 22 be c6 4c bb | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 5:ISAKMP_NEXT_ID | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_CERT (0x6) | ID type: ID_DER_ASN1_DN (0x9) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 6:ISAKMP_NEXT_CERT | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 183 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI) | my identity 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02 43 41 | my identity 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | my identity 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | my identity 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | my identity 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | my identity 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | my identity 6e 74 31 23 30 21 06 03 55 04 03 0c 1a 65 61 73 | my identity 74 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | my identity 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a 86 48 | my identity 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 65 61 73 | my identity 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | my identity 77 61 6e 2e 6f 72 67 | emitting length of ISAKMP Identification Payload (IPsec DOI): 191 "road-eastnet-ikev1"[1] 192.1.2.222 #1: I am sending my cert | ***emit ISAKMP Certificate Payload: | next payload type: ISAKMP_NEXT_SIG (0x9) | cert encoding: CERT_X509_SIGNATURE (0x4) | next payload chain: ignoring supplied 'ISAKMP Certificate Payload'.'next payload type' value 9:ISAKMP_NEXT_SIG | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Certificate Payload (6:ISAKMP_NEXT_CERT) | next payload chain: saving location 'ISAKMP Certificate Payload'.'next payload type' in 'reply packet' | emitting 1260 raw bytes of CERT into ISAKMP Certificate Payload | CERT 30 82 04 e8 30 82 04 51 a0 03 02 01 02 02 01 03 | CERT 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 | CERT 81 ac 31 0b 30 09 06 03 55 04 06 13 02 43 41 31 | CERT 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 69 | CERT 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 6f | CERT 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c 69 | CERT 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 0b | CERT 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 6e | CERT 74 31 25 30 23 06 03 55 04 03 0c 1c 4c 69 62 72 | CERT 65 73 77 61 6e 20 74 65 73 74 20 43 41 20 66 6f | CERT 72 20 6d 61 69 6e 63 61 31 24 30 22 06 09 2a 86 | CERT 48 86 f7 0d 01 09 01 16 15 74 65 73 74 69 6e 67 | CERT 40 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 30 22 | CERT 18 0f 32 30 31 39 30 39 31 35 31 39 34 34 35 39 | CERT 5a 18 0f 32 30 32 32 30 39 31 34 31 39 34 34 35 | CERT 39 5a 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02 | CERT 43 41 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 | CERT 61 72 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 | CERT 6f 72 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c | CERT 09 4c 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 | CERT 55 04 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 | CERT 6d 65 6e 74 31 23 30 21 06 03 55 04 03 0c 1a 65 | CERT 61 73 74 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 | CERT 65 73 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a | CERT 86 48 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 65 | CERT 61 73 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 | CERT 65 73 77 61 6e 2e 6f 72 67 30 82 01 a2 30 0d 06 | CERT 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 8f | CERT 00 30 82 01 8a 02 82 01 81 00 b0 0d 9e ca 2d 55 | CERT 24 59 06 37 09 58 0d 06 ab 90 5e 98 7c 00 0b 66 | CERT 73 f4 12 27 69 75 6e d4 8d 13 e9 c6 e9 4f c4 b1 | CERT 19 1a 1a 4f e6 4e 06 da 29 ec cf 8d 4c c3 c3 57 | CERT c0 24 57 83 7a 1b 7f 96 a3 21 66 67 52 68 8e 77 | CERT b9 bb f6 9b d2 43 11 57 c9 d6 ca e2 39 73 93 ea | CERT 99 99 f7 52 38 4d 58 69 7f a5 18 9b ff 66 72 6c | CERT df 6d df 18 50 cf 10 98 a3 f5 f9 69 27 5b 3f bd | CERT 0f 34 18 93 99 1a be 8a 46 84 37 69 71 7f a7 df | CERT d0 9d b2 9d ad 80 0f d0 1a 40 cb ff 37 20 ac ac | CERT 3d a9 8e 56 56 cf 25 c0 5e 55 52 86 5a c5 b4 ce | CERT a8 dd 95 cf ab 38 91 f6 1f 9f 83 36 d5 3f 8c d3 | CERT 1d f5 3f 23 3c d2 5c 87 23 bc 6a 67 f7 00 c3 96 | CERT 3f 76 5c b9 8e 6f 2b 16 90 2c 00 c0 05 a0 e2 8d | CERT 57 d5 76 34 7f 6f be e8 48 79 08 91 a8 17 72 1f | CERT c0 1c 8a 52 a8 18 aa 32 3c 9a e4 d9 90 58 25 5e | CERT 4c 49 8e cb 7a 33 19 d2 87 1a 2a 8e b5 04 f7 f9 | CERT cd 80 8c 59 ae 34 61 c5 1d de 53 65 fe 4f f3 f4 | CERT 09 f2 b4 21 7a 2b eb 1f 4a f2 5f 85 3a f0 f8 2b | CERT 3b 42 5b da 89 c1 ef b2 81 18 2a 4b 57 a2 ca 63 | CERT 8b a7 60 8e 54 95 c3 20 5c e5 53 f0 4a 57 df 41 | CERT fa 06 e6 ab 4e 0b 46 49 14 0d db b0 dc 10 2e 6d | CERT 5f 52 cb 75 36 1b e2 1d 9d 77 0f 73 9d 0a 64 07 | CERT 84 f4 0e 0a 98 97 58 c4 40 f6 1b ac a3 be 21 aa | CERT 67 3a 2b b1 0e b7 9a 36 ff 67 02 03 01 00 01 a3 | CERT 82 01 06 30 82 01 02 30 09 06 03 55 1d 13 04 02 | CERT 30 00 30 47 06 03 55 1d 11 04 40 30 3e 82 1a 65 | CERT 61 73 74 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 | CERT 65 73 77 61 6e 2e 6f 72 67 81 1a 65 61 73 74 40 | CERT 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 77 61 | CERT 6e 2e 6f 72 67 87 04 c0 01 02 17 30 0b 06 03 55 | CERT 1d 0f 04 04 03 02 07 80 30 1d 06 03 55 1d 25 04 | CERT 16 30 14 06 08 2b 06 01 05 05 07 03 01 06 08 2b | CERT 06 01 05 05 07 03 02 30 41 06 08 2b 06 01 05 05 | CERT 07 01 01 04 35 30 33 30 31 06 08 2b 06 01 05 05 | CERT 07 30 01 86 25 68 74 74 70 3a 2f 2f 6e 69 63 2e | CERT 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 77 61 | CERT 6e 2e 6f 72 67 3a 32 35 36 30 30 3d 06 03 55 1d | CERT 1f 04 36 30 34 30 32 a0 30 a0 2e 86 2c 68 74 74 | CERT 70 3a 2f 2f 6e 69 63 2e 74 65 73 74 69 6e 67 2e | CERT 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 2f 72 65 | CERT 76 6f 6b 65 64 2e 63 72 6c 30 0d 06 09 2a 86 48 | CERT 86 f7 0d 01 01 0b 05 00 03 81 81 00 bf 3c 12 c5 | CERT 00 3e 71 2a 2b 2b 60 83 b9 b9 f2 4d b1 ca 0e fd | CERT b4 e0 0b 6a ad 54 d7 c9 98 57 e0 5c 26 4d bf 11 | CERT 23 20 79 05 b6 1b 9b 09 ed 4f 2e fd 7e da 55 53 | CERT b6 8c 88 fa f3 9b ce ec ef 95 37 11 70 ce 1c 98 | CERT d3 d5 cf f6 30 71 44 78 fb 45 03 69 50 d5 a5 c3 | CERT de 00 4c f7 0a 7d 00 cb 3a ab 11 74 6b 57 67 4d | CERT e7 c0 3a 97 98 44 e2 15 9d f2 6f 1b c7 b1 15 d0 | CERT 88 c4 dc 32 b7 72 1d 9c ac 1b 37 63 | emitting length of ISAKMP Certificate Payload: 1265 | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org of kind PKK_RSA | searching for certificate PKK_RSA:AwEAAbANn vs PKK_RSA:AwEAAbANn | ***emit ISAKMP Signature Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Certificate Payload'.'next payload type' to current ISAKMP Signature Payload (9:ISAKMP_NEXT_SIG) | next payload chain: saving location 'ISAKMP Signature Payload'.'next payload type' in 'reply packet' | emitting 384 raw bytes of SIG_R into ISAKMP Signature Payload | SIG_R 1f 40 e7 0d 9b 64 f8 b8 1d 2a 75 23 6b 0f 38 58 | SIG_R 8c 10 0a fb a5 74 b7 3e b5 4d 5d 64 9f ec 0a a7 | SIG_R 76 2a 31 25 0f 99 f2 66 be 2e 81 a7 66 77 a8 9e | SIG_R 71 49 f0 59 d1 af cc 8e fc ff 2d 5b f0 f7 0f 87 | SIG_R 73 2a 35 a1 f7 f5 ab 9e e2 59 a2 6e e2 f9 1a 2f | SIG_R 0f ae 4f 72 47 bc 7a 00 e3 1f b6 f4 b3 22 c4 65 | SIG_R 07 02 47 0d 0b d5 48 f3 17 8f 5e ea 20 f6 7a d7 | SIG_R b5 97 84 0d 4b 22 f6 48 d5 71 2d dc b1 db 10 77 | SIG_R 1f 84 a8 a7 f6 fe 68 a0 d3 92 21 87 f2 02 86 55 | SIG_R a5 67 ed 12 fe e8 3c 20 fe 91 5b 45 8a c1 41 7d | SIG_R b6 20 fc 35 59 8b f0 94 ce 8e 72 fe 8f 12 a1 b5 | SIG_R 23 f5 74 8c d0 31 b8 37 ae a7 da 58 f2 3e 44 2d | SIG_R 4a f3 c9 1e 32 b5 c2 50 05 e9 18 b4 7d 19 a1 63 | SIG_R 5f 73 1c 91 6c c0 5c 89 5e 59 91 c4 0d 40 5a d2 | SIG_R 9c 38 b6 d4 c7 e1 19 db 88 4b 6b 71 7e a0 bd 4f | SIG_R f7 81 99 26 33 a4 f5 98 64 0d ef 70 e0 64 a0 7e | SIG_R 20 4d 9a 74 d1 04 4a c4 0e 39 47 3f 9b 45 e8 25 | SIG_R f8 17 e9 b7 f1 4f e8 e1 3b 3a 92 68 d2 5e f4 3f | SIG_R fb 88 01 1b 18 44 db c8 da 13 46 86 24 30 39 ca | SIG_R 9f 12 db b7 9d 04 9b a8 34 a1 1f e4 bc 67 b0 04 | SIG_R 9b 7b 28 ea 39 18 c2 5c c1 57 c0 e5 d2 9c 83 fe | SIG_R b6 7f 43 61 3f ea 70 bb 41 01 49 4a b2 36 41 80 | SIG_R 99 f6 82 07 b5 c0 c0 54 f9 8e d9 98 af 7f 49 4b | SIG_R c5 40 14 64 24 26 37 16 ea 02 a2 46 20 ed c8 17 | emitting length of ISAKMP Signature Payload: 388 | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 1884 | FOR_EACH_CONNECTION_... in ISAKMP_SA_established | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3 | parent state #1: MAIN_R2(open IKE SA) => MAIN_R3(established IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_MAIN_R3: retransmits: cleared | libevent_free: release ptr-libevent@0x563abe13c220 | free_event_entry: release EVENT_RETRANSMIT-pe@0x563abe13c120 | state #1 NAT-T: new mapping 192.1.2.222:4500 | new NAT mapping for #1, was 192.1.2.222:500, now 192.1.2.222:4500 | State DB: IKEv1 state not found (nat_traversal_new_mapping) | NAT-T: #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:4500 (using md->iface in nat_traversal_change_port_lookup()) | sending reply packet to 192.1.2.222:4500 (from 192.1.2.23:4500) | sending 1888 bytes for STATE_MAIN_R2 through eth1 from 192.1.2.23:4500 to 192.1.2.222:4500 (using #1) | 00 00 00 00 d8 07 d2 5f 82 be ab ec 58 4a 1f 22 | be c6 4c bb 05 10 02 01 00 00 00 00 00 00 07 5c | c2 b9 12 0f e0 57 f2 c4 21 28 82 06 89 b8 4a 9a | 43 92 02 e9 44 d7 7e 84 df 5c 57 9a 52 6c 11 29 | 18 fe 6e 24 33 c2 60 e4 e1 98 2b e1 78 9b 3d b8 | 5c 0b 04 8a 87 7a ee 08 96 20 f6 bd 4d 94 d7 4d | 78 2a a9 55 d0 c5 85 2d d4 51 3c 74 a6 cf 64 f2 | 14 ad 0f a6 28 c0 b7 95 db 5a b3 25 0a d7 35 32 | ae b0 fb f8 77 94 7b 70 02 a2 ca 1a ba b5 5c 41 | 51 b2 7e fa af e4 34 81 77 8d 3a dc bb 82 43 e8 | 02 55 0f 3d a5 46 0b 29 ae b7 a9 b7 02 ae 21 ce | e4 06 1b 3e 88 72 0f 78 6c fb a8 e7 36 79 51 54 | 2c d9 9f 93 36 e3 79 59 3e 1f 09 1d 6d d5 ea 74 | a1 05 1e ee b3 c5 7a 42 a4 b0 9b 74 06 77 c4 6a | 3b 49 1c 37 d5 97 33 1b da 3e 7b 83 7f e9 42 27 | a3 24 c9 4f a0 a7 7f 19 6b a4 b3 e4 56 1b bf 92 | 21 73 c1 fa 55 05 eb 68 29 35 04 84 cf 43 aa aa | ba 70 92 44 d3 fd e3 5c 29 4e fd 7f 5d e8 64 fa | aa 8c 4d 1f 13 98 4f 95 7c 88 b6 28 d8 7c 8e 17 | 52 6a e0 f0 04 41 73 88 c6 43 97 b0 2a f4 dd 37 | e0 01 e4 b3 09 66 c8 e2 87 40 da 97 c2 db b3 b5 | ce 9e 88 42 78 f0 da 07 8f c1 ca 41 87 f4 20 1b | b4 e9 0b 94 e8 b4 98 93 3a ef 25 1b 2f cd 92 fc | 4e 41 0e 65 62 4d 3c 7d 6a 8a ff 98 6b 6c 12 77 | ed 88 c8 29 f9 71 08 52 ae b5 6b 13 b9 ac 50 66 | 2b 27 f0 71 61 95 a9 9b f5 23 8e 26 9f 9b ec 6f | 5d 40 12 2b 09 1b a7 a0 54 28 24 5f 51 7b ce a8 | 2b 76 0f 75 a2 62 64 71 69 b2 17 9a fd 06 ea 59 | be 1a 3a d9 61 68 bc df 3d 7c 6d c5 aa 06 99 ba | a8 67 d3 8f a3 8c 2e cc 09 cd dc 24 ae 4c 5e d2 | 44 e8 37 a0 95 41 38 4f fe dc 87 39 06 a0 59 f6 | 89 10 a7 17 86 7e 16 28 f0 58 e8 af 74 8f 7b 41 | d3 92 37 23 91 1a 77 52 84 3c 52 15 74 35 0c 38 | 2e 25 46 16 19 cb f9 ad 21 84 40 d7 0b 7a 07 13 | 96 48 1d a1 9d e0 95 ae f3 20 e7 fa 6a 87 a8 c3 | 69 7d 57 a9 e0 87 19 93 01 cf 17 f0 f6 99 68 48 | b3 c5 a6 cb 63 07 79 a1 d3 b3 f6 54 98 80 d0 b3 | 3f 3a e9 9c 02 18 bc 1e eb 4a 2d d7 5f 80 0e 8e | 68 36 c8 cc cc 94 d6 a6 b2 89 25 1f ff 14 ea 6d | c9 91 70 13 01 8e 45 7b e4 b7 f7 3a ab 66 c2 e7 | 13 a7 db 30 ba d7 f7 04 8d 54 4e 57 f9 e7 39 71 | 78 c2 fa c8 80 1b 26 bb ef b5 05 94 e2 d3 f6 52 | 83 b9 5e 88 22 5d 0b 21 95 2e c0 10 dc 37 83 f3 | 10 df 3c f0 81 5e 34 da 3f d9 4c 7d 25 27 10 9b | 0a 6b 68 71 ae 63 d8 cc f4 a8 7d f5 3a 4f b5 b1 | 17 e6 e5 2c 08 57 38 e6 ed 2c d5 31 79 0a 82 bc | 2c 41 23 32 38 76 30 82 c3 44 69 bc 34 0c b4 f4 | 94 53 9b 73 53 75 96 67 f7 db 2c d5 0c e3 2b 2f | 69 c3 6e 4c eb bb 2b d1 c8 45 2b 23 2d 79 db e3 | e5 49 50 3d 95 11 af ab 2f 1f 19 f3 90 24 69 e9 | 1e 91 2a 4c d1 7b 38 dd 70 11 11 f7 1d 1d 42 71 | c0 af 15 a9 d8 de de 8a e8 60 a5 e4 f3 c9 33 b6 | db 02 72 23 52 ca 4f b0 3c cb f3 47 7b 23 d0 e5 | f2 dc d5 f0 f1 d5 f5 05 3b 0f 54 f4 ab d7 34 24 | c1 84 05 68 93 08 78 50 36 bd 3b a7 f1 dd 5a 4c | 5e 9b dc 44 8a 4e f9 0b a2 d2 80 45 4e 76 4e c5 | 28 c8 46 bf c4 ba ae d1 4d 9a 1d 47 f4 01 8b 52 | 46 1c 4b 06 66 41 3a bb 66 14 7c 18 a0 28 24 ab | c6 ff 5f d1 1e c7 35 a6 2c 56 c2 96 a8 eb 75 ec | 27 e6 eb 5b e2 e5 71 26 5f 28 77 15 aa d0 cd 4b | 24 a4 3d 7e ef 63 ea 5e 7e 34 5c 4f 03 c7 cd 61 | 9c cf d1 36 30 d8 49 3c 1f 7d 06 9d 8b 4d 7b 51 | 39 91 44 79 35 ba e9 b3 1a b7 40 73 e2 86 11 9a | 4b e7 69 3a d2 06 40 f6 b7 a5 8a b2 75 7c 73 eb | c9 e0 fe 47 09 8d 67 8b cf 14 5e 3e ae b2 6f 34 | 16 74 b2 7f bb b0 e9 18 5c cf dd ea 9b cd e5 fd | e8 07 ae 20 ca 84 a7 69 1b ad 3a 74 ea c2 10 29 | fc ea 36 71 59 83 12 3b a1 ae d1 2d a2 2e 2e 82 | bc e1 c5 73 02 b5 25 2f 12 7e 3e e6 5d 61 e5 c7 | b1 ce af 5d 5c 66 e6 4f 90 14 15 e9 b5 c7 da 17 | 21 08 4d 00 5a a3 20 ad 0e 9a 3e b4 63 f8 83 39 | ac ba 7e 5a a5 41 6f 31 20 39 c9 a1 9d 44 d8 c4 | 46 86 b1 4b 37 9e 3a 6f 95 f1 40 d7 37 95 85 f2 | 9c 8c 7b 38 c4 12 d3 5d 0e 80 18 d6 6a 83 90 df | de 7c ab 93 cd ed 28 8c 45 ef d4 98 fa 2c 9d ea | 4c cb e6 6c 1e ee 1f 85 71 49 50 86 77 24 d8 78 | 04 69 48 0e 48 58 8e 9b 0c ef cb b0 e9 a6 e4 22 | 3f 89 a8 8f 53 69 e9 1f 95 82 0f 73 19 62 f7 7e | b8 ca b4 8b e6 ae e2 58 ee 96 89 ea ff 62 80 64 | 22 03 58 0b 49 14 94 cf 34 a3 b3 c6 be 6c ac 09 | 55 0b cd 25 eb 1f 80 ad df 20 fd b2 a8 6b fb 2c | e2 07 6d e7 41 19 fd 25 46 a2 e2 d8 b4 b2 db da | d2 d7 fc 1c 7b 86 1a 1d 73 9d 58 b6 a6 87 bc d6 | c3 2f 3a 7a 33 fc 77 34 f5 f2 9f 69 b3 3f 48 d0 | 95 46 e4 dc b4 50 ba 74 a2 59 26 2f ff 43 51 d3 | d5 34 fb ca 32 f8 f6 c8 b7 4d d2 79 dc 59 f8 17 | bd 9b 59 ce a2 6f 74 b5 54 c7 5b d3 b7 b8 69 9a | b3 ef 8f 29 3e 63 c7 1b 5a 38 fe 75 30 10 66 c2 | 80 7c b7 02 a3 52 eb b3 82 a9 8f 62 e8 18 81 72 | 79 65 13 60 41 7e 58 e9 c2 6d ae bf ca 73 15 bd | c9 83 45 72 cd fa b7 48 0f 3e 2a e9 93 3a 57 ae | 7b 01 39 50 55 f9 c8 27 e8 8e d9 6f 20 19 22 6d | 4e fe 69 de e3 20 d7 e6 3a bc 1d 3b b1 05 3a 92 | 6e a5 a4 4a ee b7 4f 33 d6 de 5b 79 8c 45 b3 7e | 3c 0a d0 a4 7b 78 78 bd 82 a6 47 4f 30 29 2f 48 | 9c 10 db 80 e2 f7 46 3c b6 6b f8 a5 6f 65 4b 6d | 3c ea 59 17 95 de 86 b6 69 fc 34 ce 3c 35 93 19 | 16 46 d8 90 66 6d 3c 52 95 84 49 13 91 b0 ee 59 | a4 49 7c 92 6d a1 69 ec a6 7b 83 a2 f4 06 b8 55 | d0 3d 2d 82 ed 28 71 81 a1 89 f0 f1 b0 d2 17 a2 | d9 8d 46 76 29 b8 ee 38 a8 d2 81 88 9a b5 c1 3d | dc bc 76 1f d9 06 a3 b8 99 9a 98 a1 50 89 a3 a1 | e4 7c 99 1e e3 22 b9 57 8e 03 a4 20 fc dd 2e 57 | 78 f1 43 cf d0 ec 15 a2 1d d6 99 38 01 43 a9 1b | c4 68 bb c0 22 0a 3c 87 9a a2 88 59 f4 d8 af d5 | d7 b9 60 a9 51 6d c4 12 47 a2 e6 e5 91 a1 e0 25 | 20 15 d8 a0 09 74 af ec 7a 97 b6 18 54 0c c7 68 | 73 19 47 5e e4 ba 15 5d 75 66 35 b4 18 ce b0 cf | cd bc 3a 0a 93 35 28 86 bd d8 86 e2 a8 38 a1 2e | b6 a3 1a 2a 9b 41 a2 2a 43 46 11 bf 6e d7 81 3f | 64 9b b6 ec e3 89 20 b5 1d 75 1f 13 fb cb df 78 | af 65 2e ee ac af bb 0e 2c 35 fc e6 20 a2 8a 2d | 7d 11 d1 75 b1 89 6d 3e aa 58 ab 08 17 cb e0 9c | ad f7 d3 ed ea a3 96 f8 68 1b ec 39 34 9a 5d 43 | be 89 42 6d 43 65 a6 93 ef 24 5d a5 68 d4 39 6d | 5b e1 11 27 9c 88 a8 01 f5 4c 17 74 40 7f 7d dc | 2c 1f ee ee 12 a9 2a 39 bf a5 52 9c fc 6f 73 62 | dd 2b 2f a4 bf 46 a2 2c 2b 43 ff 6e 02 5e 66 84 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x563abe1458b0 | inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #1 | libevent_malloc: new ptr-libevent@0x563abe13c220 size 128 | pstats #1 ikev1.isakmp established "road-eastnet-ikev1"[1] 192.1.2.222 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} | DPD: dpd_init() called on ISAKMP SA | DPD: Peer supports Dead Peer Detection | DPD: not initializing DPD because DPD is disabled locally | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | unpending state #1 | #1 spent 9.67 milliseconds | #1 spent 15 milliseconds in process_packet_tail() | stop processing: from 192.1.2.222:4500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:4500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 15.4 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00249 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 476 bytes from 192.1.2.222:4500 on eth1 (192.1.2.23:4500) | d8 07 d2 5f 82 be ab ec 58 4a 1f 22 be c6 4c bb | 08 10 20 01 66 85 70 ff 00 00 01 dc 93 1d 83 76 | c0 71 17 38 7a 80 9e 16 af 89 3d 0f f3 c5 9a fe | 3d 48 14 a9 1a 44 dd 63 5c 59 02 07 71 ef 06 3d | 97 9a a3 ed 6b b8 97 c8 2b 85 ee 39 f6 56 a3 c6 | 8e a2 42 02 de 3e 58 c5 09 04 b7 17 28 60 3a e6 | a2 0b 7c 9e f6 e7 b5 fe 43 12 f0 d0 3d d1 be 1f | f5 e7 13 a4 94 8d 67 e9 bc 82 44 38 f8 e3 a9 e0 | e6 14 33 d4 c2 32 3b b8 b1 14 35 70 94 10 fd e6 | d4 e3 f0 72 eb d6 74 ff 69 4e 37 64 81 09 68 fd | bb 95 11 4b 88 c1 d2 93 df 78 9a c5 c9 51 27 27 | 91 ba c7 37 8d 63 82 b8 ad fb 12 3d 9d 0e a4 1d | 0e 8d 84 a0 fa 31 d7 7c d1 a2 fe 38 99 6f db c2 | 4a 90 b2 70 d1 26 ea 29 a5 f6 37 f1 03 8c b3 72 | 9f 34 7c d7 f8 83 da 9e 06 0f e5 75 a0 f0 8f 6c | 1f 55 f2 b9 e3 f4 8c ef f2 af 4b fc e0 ca 2d 73 | 0f 15 9c 83 1e 90 6e cb 11 a2 ff da 74 f4 b1 89 | dc e5 03 62 d8 d8 7b 4d 2a b9 90 fc 4b a3 21 b7 | 56 59 7c 06 7f 5e df 5c af 20 77 66 5b 99 f7 06 | 6a 0d 0e 82 8a ea 63 ab b3 54 19 af b3 08 04 79 | 09 1a be aa ef ba ec a9 71 36 b5 59 c2 30 e4 3c | 50 1c 1f c7 c1 0b 1f c1 8c cb 86 9d 01 9c 24 60 | 9c 72 0d 6d de 1a 00 74 97 94 ff b8 bd ff a9 dc | e8 69 b8 34 7c 8f a7 a9 2b 95 3e 98 97 e6 3a 1f | c1 c2 51 2a c5 8d 76 43 55 cd 18 fa a7 90 14 70 | d0 7f 27 08 bf 8a 5f 51 af 4c 9a b6 ea 6f bd 6d | d3 87 0d ac d0 72 c6 70 1d e3 00 d3 b4 16 f6 e9 | ce 3f 3a 1e 60 bc 4c 16 f7 ee 83 7a 93 11 01 fc | 8f 64 73 23 a6 e2 67 6d 1c 45 6b a3 2c 32 07 db | 84 b2 1a f4 43 10 04 75 4d 06 07 1e | start processing: from 192.1.2.222:4500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | d8 07 d2 5f 82 be ab ec | responder cookie: | 58 4a 1f 22 be c6 4c bb | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1720021247 (0x668570ff) | length: 476 (0x1dc) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: IKEv1 state not found (find_state_ikev1) | State DB: found IKEv1 state #1 in MAIN_R3 (find_state_ikev1) | start processing: state #1 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:4500 (in process_v1_packet() at ikev1.c:1583) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.222:4500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_SA (0x1) | length: 36 (0x24) | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 84 (0x54) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 36 (0x24) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 260 (0x104) | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | length: 12 (0xc) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: 01 02 03 04 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 02 00 ff ff ff 00 | removing 4 bytes of padding | quick_inI1_outR1 HASH(1): | 28 21 86 d3 30 d5 d1 25 ef 28 a7 8d a2 12 16 ea | 3c 7e f6 fa e1 31 59 eb 2f fa ee 9f f8 42 98 49 | received 'quick_inI1_outR1' message HASH(1) data ok | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address 01 02 03 04 | peer client is 1.2.3.4/32 | peer client protocol/port is 0/0 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 02 00 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask | ID mask ff ff ff 00 | our client is subnet 192.0.2.0/24 | our client protocol/port is 0/0 "road-eastnet-ikev1"[1] 192.1.2.222 #1: the peer proposed: 192.0.2.0/24:0/0 -> 1.2.3.4/32:0/0 | find_client_connection starting with road-eastnet-ikev1 | looking for 192.0.2.0/24:0:0/0 -> 1.2.3.4/32:0:0/0 | concrete checking against sr#0 192.0.2.0/24:0 -> 1.2.3.4/32:0 | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org | results matched | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | fc_try trying road-eastnet-ikev1:192.0.2.0/24:0:0/0 -> 1.2.3.4/32:0:0/0 vs road-eastnet-ikev1:192.0.2.0/24:0:0/0 -> 1.2.3.4/32:0:0/0 | fc_try concluding with road-eastnet-ikev1 [129] | fc_try road-eastnet-ikev1 gives road-eastnet-ikev1 | concluding with d = road-eastnet-ikev1 | client wildcard: no port wildcard: no virtual: no | NAT-Traversal: received 0 NAT-OA. | creating state object #2 at 0x563abe151c70 | State DB: adding IKEv1 state #2 in UNDEFINED | pstats #2 ikev1.ipsec started | duplicating state object #1 "road-eastnet-ikev1"[1] 192.1.2.222 as #2 for IPSEC SA | #2 setting local endpoint to 192.1.2.23:4500 from #1.st_localport (in duplicate_state() at state.c:1481) | suspend processing: state #1 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:4500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1294) | start processing: state #2 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:4500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1294) | child state #2: UNDEFINED(ignore) => QUICK_R0(established CHILD SA) | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI 40 da 36 ac | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 3 (0x3) | [3 is ENCAPSULATION_MODE_UDP_TUNNEL_RFC] | NAT-T RFC: Installing IPsec SA with ENCAP, st->hidden_variables.st_nat_traversal is RFC 3947 (NAT-Traversal)+peer behind NAT | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | adding quick_outI1 KE work-order 3 for state #2 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x563abe145350 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x7fb380006900 size 128 | libevent_realloc: release ptr-libevent@0x563abe11af40 | libevent_realloc: new ptr-libevent@0x563abe14d3e0 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #2 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:4500 (in complete_v1_state_transition() at ikev1.c:2624) | suspending state #2 and saving MD | #2 is busy; has a suspended MD | #1 spent 0.233 milliseconds in process_packet_tail() | stop processing: from 192.1.2.222:4500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #2 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:4500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.469 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 3 resuming | crypto helper 3 starting work-order 3 for state #2 | crypto helper 3 doing build KE and nonce (quick_outI1 KE); request ID 3 | crypto helper 3 finished build KE and nonce (quick_outI1 KE); request ID 3 time elapsed 0.000969 seconds | (#2) spent 0.965 milliseconds in crypto helper computing work-order 3: quick_outI1 KE (pcr) | crypto helper 3 sending results from work-order 3 for state #2 to event queue | scheduling resume sending helper answer for #2 | libevent_malloc: new ptr-libevent@0x7fb37c007fa0 size 128 | crypto helper 3 waiting (nothing to do) | processing resume sending helper answer for #2 | start processing: state #2 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:4500 (in resume_handler() at server.c:797) | crypto helper 3 replies to request ID 3 | calling continuation function 0x563abc04d630 | quick_inI1_outR1_cryptocontinue1 for #2: calculated ke+nonce, calculating DH | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org of kind PKK_PSK | actually looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org of kind PKK_PSK | line 0: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org) to type PKK_RSA | line 1: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding quick outR1 DH work-order 4 for state #2 | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7fb380006900 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x563abe145350 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x563abe145350 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x7fb380006900 size 128 | suspending state #2 and saving MD | #2 is busy; has a suspended MD | resume sending helper answer for #2 suppresed complete_v1_state_transition() and stole MD | #2 spent 0.0758 milliseconds in resume sending helper answer | stop processing: state #2 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:4500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fb37c007fa0 | crypto helper 4 resuming | crypto helper 4 starting work-order 4 for state #2 | crypto helper 4 doing compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 4 | crypto helper 4 finished compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 4 time elapsed 0.000772 seconds | (#2) spent 0.779 milliseconds in crypto helper computing work-order 4: quick outR1 DH (pcr) | crypto helper 4 sending results from work-order 4 for state #2 to event queue | scheduling resume sending helper answer for #2 | libevent_malloc: new ptr-libevent@0x7fb370003590 size 128 | crypto helper 4 waiting (nothing to do) | processing resume sending helper answer for #2 | start processing: state #2 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:4500 (in resume_handler() at server.c:797) | crypto helper 4 replies to request ID 4 | calling continuation function 0x563abc04d630 | quick_inI1_outR1_cryptocontinue2 for #2: calculated DH, sending R1 | **emit ISAKMP Message: | initiator cookie: | d8 07 d2 5f 82 be ab ec | responder cookie: | 58 4a 1f 22 be c6 4c bb | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1720021247 (0x668570ff) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI 40 da 36 ac | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 3 (0x3) | [3 is ENCAPSULATION_MODE_UDP_TUNNEL_RFC] | NAT-T RFC: Installing IPsec SA with ENCAP, st->hidden_variables.st_nat_traversal is RFC 3947 (NAT-Traversal)+peer behind NAT | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | netlink_get_spi: allocated 0x531a6b95 for esp.0@192.1.2.23 | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload | SPI 53 1a 6b 95 | *****emit ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' | emitting 24 raw bytes of attributes into ISAKMP Transform Payload (ESP) | attributes 80 03 00 0e 80 04 00 03 80 01 00 01 80 02 70 80 | attributes 80 05 00 02 80 06 00 80 | emitting length of ISAKMP Transform Payload (ESP): 32 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 "road-eastnet-ikev1"[1] 192.1.2.222 #2: responding to Quick Mode proposal {msgid:668570ff} "road-eastnet-ikev1"[1] 192.1.2.222 #2: us: 192.0.2.0/24===192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org] "road-eastnet-ikev1"[1] 192.1.2.222 #2: them: 192.1.2.222[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org]===1.2.3.4/32 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr a1 63 5b 43 1e c0 c7 d3 a0 02 e1 50 25 79 6d 9f | Nr f4 ee eb 48 b3 2c 1b 11 25 f6 70 9f 6d 04 7b eb | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value 6a e0 c8 05 f3 ef 21 ff 07 d8 1b d2 80 4d e7 ae | keyex value 5b 50 c9 64 43 83 72 57 9a 90 eb 6e 45 f8 f0 2e | keyex value f2 5f fd e4 5e be 7a c4 31 d2 d2 a2 f0 76 be 43 | keyex value fc 1b 07 98 90 87 8a ac fd 3f a9 33 eb 59 ef 92 | keyex value a6 7f d5 da 06 66 10 64 89 14 3b ad c3 bc 0f 47 | keyex value 24 13 3b 82 de 51 22 22 b3 5f a8 61 7b e4 72 6c | keyex value 3c a5 a5 e1 29 b5 53 18 28 34 a6 1e c9 8d 8e 29 | keyex value d5 49 a5 7e ed d6 7a 45 ed e9 8c 29 dd 87 5f 12 | keyex value 29 c3 f8 3f ad 73 30 26 c9 b0 9d 94 c8 bc 56 d3 | keyex value 12 d4 3b ad 06 ab b3 39 0f 33 c6 72 f7 69 e1 b2 | keyex value a6 17 7e ef 0c b7 5c 7d 25 59 d9 ed e2 a8 5a 37 | keyex value ec f5 82 f5 57 f8 17 cb 3b de 53 43 47 5c a3 93 | keyex value 0a d8 bd 64 42 1b f6 43 01 df ae 17 8b 20 a4 53 | keyex value 17 5c 02 86 39 01 25 d3 f8 af c3 95 ba 31 1a 37 | keyex value b9 6d 10 59 d8 ed bd 19 ee 15 f6 a2 4e cf 7b 37 | keyex value e3 47 33 76 c4 c3 b8 20 70 bd b0 50 63 2b 06 46 | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body 01 02 03 04 | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 8 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 02 00 ff ff ff 00 | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 | quick inR1 outI2 HASH(2): | 65 0f 7b 69 d0 b8 3d 97 14 0f a8 21 5e 8c 23 f3 | 8f 2f cd 0d d7 ca 2b dc 76 5e 89 8d 80 ed 6d 1c | compute_proto_keymat: needed_len (after ESP enc)=16 | compute_proto_keymat: needed_len (after ESP auth)=36 | FOR_EACH_CONNECTION_... in route_owner | conn road-eastnet-ikev1 mark 0/00000000, 0/00000000 vs | conn road-eastnet-ikev1 mark 0/00000000, 0/00000000 | conn road-eastnet-ikev1 mark 0/00000000, 0/00000000 vs | conn road-eastnet-ikev1 mark 0/00000000, 0/00000000 | route owner of "road-eastnet-ikev1"[1] 192.1.2.222 unrouted: NULL | install_inbound_ipsec_sa() checking if we can route | could_route called for road-eastnet-ikev1 (kind=CK_INSTANCE) | FOR_EACH_CONNECTION_... in route_owner | conn road-eastnet-ikev1 mark 0/00000000, 0/00000000 vs | conn road-eastnet-ikev1 mark 0/00000000, 0/00000000 | conn road-eastnet-ikev1 mark 0/00000000, 0/00000000 vs | conn road-eastnet-ikev1 mark 0/00000000, 0/00000000 | route owner of "road-eastnet-ikev1"[1] 192.1.2.222 unrouted: NULL; eroute owner: NULL | routing is easy, or has resolvable near-conflict | checking if this is a replacement state | st=0x563abe151c70 ost=(nil) st->serialno=#2 ost->serialno=#0 | installing outgoing SA now as refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'road-eastnet-ikev1' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.40da36ac@192.1.2.222 included non-error error | outgoing SA has refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'road-eastnet-ikev1' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.531a6b95@192.1.2.23 included non-error error | priority calculation of connection "road-eastnet-ikev1" is 0xfe7df | add inbound eroute 1.2.3.4/32:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) | IPsec Sa SPD priority set to 1042399 | raw_eroute result=success | no IKEv1 message padding required | emitting length of ISAKMP Message: 444 | finished processing quick inI1 | complete v1 state transition with STF_OK | [RE]START processing: state #2 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:4500 (in complete_v1_state_transition() at ikev1.c:2649) | #2 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1 | child state #2: QUICK_R0(established CHILD SA) => QUICK_R1(established CHILD SA) | event_already_set, deleting event | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7fb380006900 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x563abe145350 | sending reply packet to 192.1.2.222:4500 (from 192.1.2.23:4500) | sending 448 bytes for STATE_QUICK_R0 through eth1 from 192.1.2.23:4500 to 192.1.2.222:4500 (using #2) | 00 00 00 00 d8 07 d2 5f 82 be ab ec 58 4a 1f 22 | be c6 4c bb 08 10 20 01 66 85 70 ff 00 00 01 bc | ef 4c ea 20 05 8d 19 72 16 c4 cd 33 71 f2 eb 44 | af be 36 82 a1 f8 a4 77 3f b5 a1 f6 d5 51 40 c1 | 32 4c 37 90 86 52 54 22 d7 04 71 9c f5 cc d6 10 | 87 3d 80 c2 3f 34 d1 7f f8 0d 26 6c 38 88 ac e6 | 8a d0 e8 62 9c f1 fd 07 71 11 20 0f c2 08 97 da | ff 0d 9f 02 0a dd f4 94 6c 69 0e 20 04 de 24 7a | de 1b f3 17 cd d7 3d 2c 11 37 e0 59 4b 98 d1 21 | eb ac b8 00 15 41 a2 d6 83 b8 b8 df 55 ac bb cc | d5 ce 35 3e ec aa 3b 39 77 8f dc f7 94 d4 99 d2 | 73 6f ab 6e 58 14 59 e2 ab e6 b4 f7 9d 10 8a 8c | 59 e2 19 d7 f8 93 6d 3f c0 4d 1a 86 bb 71 7e 49 | 65 73 4f 8c 6b 01 aa 6a 7a 0e e0 68 6f 28 f3 20 | 9a 47 60 fd 71 bd 5a 87 64 09 d8 63 89 8b 36 be | be 8f 00 d5 83 8b 6d 6a 79 69 b5 85 95 5e 76 da | 0f 25 7c 5d 70 92 9d f8 ea bb 55 dc ab 14 57 04 | 3a 89 75 2b 98 92 d2 f4 e6 be 36 e4 33 71 f2 ea | b8 36 8e 49 8f 6e 4f 6e 41 53 96 68 a3 fb b6 a0 | 2f 13 ff 75 1d 99 9f b2 15 13 94 44 3f 0c 0a ad | bf d0 07 fc eb 57 3a 07 72 73 4f f6 5c 6b 8f e5 | 60 b5 d3 c4 db 61 1e 82 c9 f0 9a 16 7d 7b 10 59 | 69 e4 8e 3a 3a ea 73 b1 8b 0a d0 4e 4d 73 0b 7f | 5c e0 6c b3 28 af af bf 8d 50 4f f3 30 6d dc c6 | 23 52 8c a3 6f e3 2e 8d f6 df 77 61 a1 fc e6 e9 | 10 1e ad f3 5e 0a 32 6f b1 6d ba c3 1b 7b 1d c7 | 74 13 fe 10 a0 36 7e e3 7a 51 55 64 17 a9 05 2c | 8f ba b1 2a 8e 9e 32 71 85 b8 d6 2e 27 11 68 ce | !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x563abe145350 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #2 | libevent_malloc: new ptr-libevent@0x7fb380006900 size 128 | #2 STATE_QUICK_R1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 49587.97499 | pstats #2 ikev1.ipsec established | NAT-T: NAT Traversal detected - their IKE port is '500' | NAT-T: encaps is 'auto' "road-eastnet-ikev1"[1] 192.1.2.222 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x40da36ac <0x531a6b95 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=192.1.2.222:4500 DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #2 suppresed complete_v1_state_transition() | #2 spent 1.04 milliseconds in resume sending helper answer | stop processing: state #2 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:4500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fb370003590 | spent 0.00261 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 76 bytes from 192.1.2.222:4500 on eth1 (192.1.2.23:4500) | d8 07 d2 5f 82 be ab ec 58 4a 1f 22 be c6 4c bb | 08 10 20 01 66 85 70 ff 00 00 00 4c df 67 7c 50 | 98 ba e5 f6 f9 d4 85 1b a0 47 6b 88 36 2c 70 42 | d6 07 ee 8c dd 1d 13 dd 46 e8 b0 56 1e 55 e4 06 | 86 e2 62 19 68 af d7 b4 75 48 31 58 | start processing: from 192.1.2.222:4500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | d8 07 d2 5f 82 be ab ec | responder cookie: | 58 4a 1f 22 be c6 4c bb | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1720021247 (0x668570ff) | length: 76 (0x4c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: found IKEv1 state #2 in QUICK_R1 (find_state_ikev1) | start processing: state #2 connection "road-eastnet-ikev1"[1] 192.1.2.222 from 192.1.2.222:4500 (in process_v1_packet() at ikev1.c:1609) | #2 is idle | #2 idle | received encrypted packet from 192.1.2.222:4500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | removing 12 bytes of padding | quick_inI2 HASH(3): | a4 c8 a2 b8 07 6c ea be 1d 51 ab 49 95 bd 96 80 | ab 5d 7c 19 d7 21 de 7c 7c c8 35 cf 13 9b 78 53 | received 'quick_inI2' message HASH(3) data ok | install_ipsec_sa() for #2: outbound only | could_route called for road-eastnet-ikev1 (kind=CK_INSTANCE) | FOR_EACH_CONNECTION_... in route_owner | conn road-eastnet-ikev1 mark 0/00000000, 0/00000000 vs | conn road-eastnet-ikev1 mark 0/00000000, 0/00000000 | conn road-eastnet-ikev1 mark 0/00000000, 0/00000000 vs | conn road-eastnet-ikev1 mark 0/00000000, 0/00000000 | route owner of "road-eastnet-ikev1"[1] 192.1.2.222 unrouted: NULL; eroute owner: NULL | sr for #2: unrouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... in route_owner | conn road-eastnet-ikev1 mark 0/00000000, 0/00000000 vs | conn road-eastnet-ikev1 mark 0/00000000, 0/00000000 | conn road-eastnet-ikev1 mark 0/00000000, 0/00000000 vs | conn road-eastnet-ikev1 mark 0/00000000, 0/00000000 | route owner of "road-eastnet-ikev1"[1] 192.1.2.222 unrouted: NULL; eroute owner: NULL | route_and_eroute with c: road-eastnet-ikev1 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 | priority calculation of connection "road-eastnet-ikev1" is 0xfe7df | eroute_connection add eroute 192.0.2.0/24:0 --0-> 1.2.3.4/32:0 => tun.0@192.1.2.222 (raw_eroute) | IPsec Sa SPD priority set to 1042399 | raw_eroute result=success | running updown command "ipsec _updown" for verb up | command executing up-client | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-ikev1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.222' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.222' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_PEER_CLIENT='1.2.3.4/32' PLUTO_PEER_CLIENT_NET='1.2.3.4' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY=' | popen cmd is 1278 chars long | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-ikev1': | cmd( 80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.222' PLUTO_ME='192.1.2.23' PLUTO: | cmd( 160):_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.te: | cmd( 240):sting.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2: | cmd( 320):.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUT: | cmd( 400):O_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' P: | cmd( 480):LUTO_PEER='192.1.2.222' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan,: | cmd( 560): OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswa: | cmd( 640):n.org' PLUTO_PEER_CLIENT='1.2.3.4/32' PLUTO_PEER_CLIENT_NET='1.2.3.4' PLUTO_PEER: | cmd( 720):_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO: | cmd( 800):_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENC: | cmd( 880):RYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND=': | cmd( 960):CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0': | cmd(1040): PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG: | cmd(1120):_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTIN: | cmd(1200):G='no' VTI_SHARED='no' SPI_IN=0x40da36ac SPI_OUT=0x531a6b95 ipsec _updown 2>&1: | route_and_eroute: firewall_notified: true | running updown command "ipsec _updown" for verb prepare | command executing prepare-client | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-ikev1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.222' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.222' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_PEER_CLIENT='1.2.3.4/32' PLUTO_PEER_CLIENT_NET='1.2.3.4' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_AD | popen cmd is 1283 chars long | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-i: | cmd( 80):kev1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.222' PLUTO_ME='192.1.2.23' : | cmd( 160):PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=ea: | cmd( 240):st.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='19: | cmd( 320):2.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0': | cmd( 400): PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='E: | cmd( 480):SP' PLUTO_PEER='192.1.2.222' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libre: | cmd( 560):swan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.lib: | cmd( 640):reswan.org' PLUTO_PEER_CLIENT='1.2.3.4/32' PLUTO_PEER_CLIENT_NET='1.2.3.4' PLUTO: | cmd( 720):_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' : | cmd( 800):PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASI: | cmd( 880):G+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_K: | cmd( 960):IND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISC: | cmd(1040):O='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUT: | cmd(1120):O_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_R: | cmd(1200):OUTING='no' VTI_SHARED='no' SPI_IN=0x40da36ac SPI_OUT=0x531a6b95 ipsec _updown 2: | cmd(1280):>&1: | running updown command "ipsec _updown" for verb route | command executing route-client | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-ikev1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.222' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.222' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_PEER_CLIENT='1.2.3.4/32' PLUTO_PEER_CLIENT_NET='1.2.3.4' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFA | popen cmd is 1281 chars long | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-ike: | cmd( 80):v1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.222' PLUTO_ME='192.1.2.23' PL: | cmd( 160):UTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east: | cmd( 240):.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.: | cmd( 320):0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' P: | cmd( 400):LUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP: | cmd( 480):' PLUTO_PEER='192.1.2.222' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libresw: | cmd( 560):an, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libre: | cmd( 640):swan.org' PLUTO_PEER_CLIENT='1.2.3.4/32' PLUTO_PEER_CLIENT_NET='1.2.3.4' PLUTO_P: | cmd( 720):EER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PL: | cmd( 800):UTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+: | cmd( 880):ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIN: | cmd( 960):D='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO=: | cmd(1040):'0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_: | cmd(1120):CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROU: | cmd(1200):TING='no' VTI_SHARED='no' SPI_IN=0x40da36ac SPI_OUT=0x531a6b95 ipsec _updown 2>&: | cmd(1280):1: