FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:20029 core dump dir: /tmp secrets file: /etc/ipsec.secrets leak-detective disabled NSS crypto [enabled] XAUTH PAM support [enabled] | libevent is using pluto's memory allocator Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | libevent_malloc: new ptr-libevent@0x557c21c980e0 size 40 | libevent_malloc: new ptr-libevent@0x557c21c98110 size 40 | libevent_malloc: new ptr-libevent@0x557c21c998f0 size 40 | creating event base | libevent_malloc: new ptr-libevent@0x557c21c998b0 size 56 | libevent_malloc: new ptr-libevent@0x557c21c99920 size 664 | libevent_malloc: new ptr-libevent@0x557c21c99bc0 size 24 | libevent_malloc: new ptr-libevent@0x557c21c530f0 size 384 | libevent_malloc: new ptr-libevent@0x557c21c99be0 size 16 | libevent_malloc: new ptr-libevent@0x557c21c99c00 size 40 | libevent_malloc: new ptr-libevent@0x557c21c99c30 size 48 | libevent_realloc: new ptr-libevent@0x557c21c99c70 size 256 | libevent_malloc: new ptr-libevent@0x557c21c99d80 size 16 | libevent_free: release ptr-libevent@0x557c21c998b0 | libevent initialized | libevent_realloc: new ptr-libevent@0x557c21c99da0 size 64 | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] | global 
one-shot timer EVENT_NAT_T_KEEPALIVE initialized | global one-shot timer EVENT_FREE_ROOT_CERTS initialized | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds | global one-shot timer EVENT_REVIVE_CONNS initialized | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE 
aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit 
key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 started thread for crypto helper 1 started thread for crypto helper 2 started thread for crypto helper 3 started thread for crypto helper 4 started thread for crypto helper 5 started thread for crypto helper 6 | checking IKEv1 state table | MAIN_R0: category: half-open IKE SA flags: 0: | -> MAIN_R1 EVENT_SO_DISCARD | MAIN_I1: category: half-open IKE SA flags: 0: | -> MAIN_I2 EVENT_RETRANSMIT | MAIN_R1: category: open IKE SA flags: 200: | -> MAIN_R2 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_I2: category: open IKE SA flags: 0: | -> MAIN_I3 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_R2: category: open IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | -> MAIN_R3 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_I3: category: open IKE SA flags: 0: | -> MAIN_I4 
EVENT_SA_REPLACE | -> MAIN_I4 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_R3: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | MAIN_I4: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | AGGR_R0: category: half-open IKE SA flags: 0: | -> AGGR_R1 EVENT_SO_DISCARD | AGGR_I1: category: half-open IKE SA flags: 0: | -> AGGR_I2 EVENT_SA_REPLACE | -> AGGR_I2 EVENT_SA_REPLACE | AGGR_R1: category: open IKE SA flags: 200: | -> AGGR_R2 EVENT_SA_REPLACE | -> AGGR_R2 EVENT_SA_REPLACE | AGGR_I2: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | AGGR_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | QUICK_R0: category: established CHILD SA flags: 0: | -> QUICK_R1 EVENT_RETRANSMIT | QUICK_I1: category: established CHILD SA flags: 0: | -> QUICK_I2 EVENT_SA_REPLACE | QUICK_R1: category: established CHILD SA flags: 0: | -> QUICK_R2 EVENT_SA_REPLACE | QUICK_I2: category: established CHILD SA flags: 200: | -> UNDEFINED EVENT_NULL | QUICK_R2: category: established CHILD SA flags: 0: | -> UNDEFINED EVENT_NULL | INFO: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | INFO_PROTECTED: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | XAUTH_R0: category: established IKE SA flags: 0: | -> XAUTH_R1 EVENT_NULL | XAUTH_R1: category: established IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | MODE_CFG_R0: category: informational flags: 0: | -> MODE_CFG_R1 EVENT_SA_REPLACE | MODE_CFG_R1: category: established IKE SA flags: 0: | -> MODE_CFG_R2 EVENT_SA_REPLACE | MODE_CFG_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | MODE_CFG_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | XAUTH_I0: category: established IKE SA flags: 0: | -> XAUTH_I1 EVENT_RETRANSMIT | XAUTH_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_RETRANSMIT | checking IKEv2 state table | PARENT_I0: category: ignore flags: 0: | -> PARENT_I1 EVENT_RETRANSMIT 
send-request (initiate IKE_SA_INIT) | PARENT_I1: category: half-open IKE SA flags: 0: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) | PARENT_I2: category: open IKE SA flags: 0: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) | PARENT_I3: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) | PARENT_R0: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) | PARENT_R1: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) | PARENT_R2: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) | V2_CREATE_I0: category: established IKE SA flags: 0: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) | V2_CREATE_I: category: established IKE SA flags: 0: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) | V2_REKEY_IKE_I0: category: established 
IKE SA flags: 0: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) | V2_REKEY_IKE_I: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: | V2_CREATE_R: category: established IKE SA flags: 0: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) | V2_REKEY_IKE_R: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: | V2_IPSEC_I: category: established CHILD SA flags: 0: | V2_IPSEC_R: category: established CHILD SA flags: 0: | IKESA_DEL: category: established IKE SA flags: 0: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) | CHILDSA_DEL: category: informational flags: 0: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | adding HMAC_SHA2_384_192 to kernel algorithm db | adding 
HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds | setup kernel fd callback | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x557c21ca45b0 | libevent_malloc: new ptr-libevent@0x557c21cab680 size 128 | libevent_malloc: new ptr-libevent@0x557c21ca4510 size 16 | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x557c21c9ea60 | libevent_malloc: new ptr-libevent@0x557c21cab710 size 128 | libevent_malloc: new ptr-libevent@0x557c21ca44f0 size 16 | global one-shot timer EVENT_CHECK_CRLS initialized selinux support is enabled. systemd watchdog not enabled - not sending watchdog keepalives | unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | outgoing-port-avoid set 0-65535 | outgoing-port-permit set 32768-60999 | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x557c21c9e820 | libevent_malloc: new ptr-libevent@0x557c21cb5c90 size 128 | libevent_malloc: new ptr-libevent@0x557c21cb5d20 size 16 | libevent_realloc: new ptr-libevent@0x557c21cb5d40 size 256 | libevent_malloc: new ptr-libevent@0x557c21cb5e50 size 8 | libevent_realloc: new ptr-libevent@0x557c21caa980 size 144 | libevent_malloc: new ptr-libevent@0x557c21cb5e70 size 152 | libevent_malloc: new ptr-libevent@0x557c21cb5f10 size 16 | signal event handler PLUTO_SIGCHLD installed | libevent_malloc: new ptr-libevent@0x557c21cb5f30 size 8 | libevent_malloc: new ptr-libevent@0x557c21cb5f50 size 152 | signal event handler PLUTO_SIGTERM installed | libevent_malloc: new ptr-libevent@0x557c21cb5ff0 size 8 | 
libevent_malloc: new ptr-libevent@0x557c21cb6010 size 152 | signal event handler PLUTO_SIGHUP installed | libevent_malloc: new ptr-libevent@0x557c21cb60b0 size 8 | libevent_realloc: release ptr-libevent@0x557c21caa980 | libevent_realloc: new ptr-libevent@0x557c21cb60d0 size 256 | libevent_malloc: new ptr-libevent@0x557c21caa980 size 152 | signal event handler PLUTO_SIGSYS installed | created addconn helper (pid:20326) using fork+execve | forked child 20326 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | starting up helper thread 4 | status value returned by setting the priority of this thread (crypto helper 4) 22 | crypto helper 4 waiting (nothing to do) | starting up helper thread 6 | status value returned by setting the priority of this thread (crypto helper 6) 22 | crypto helper 6 waiting (nothing to do) | starting up helper thread 2 | status value returned by setting the priority of this thread (crypto helper 2) 22 | crypto helper 2 waiting (nothing to do) | starting up helper thread 0 | status value returned by setting the priority of this thread (crypto helper 0) 22 | crypto helper 0 waiting (nothing to do) | starting up helper thread 3 | status value returned by setting the priority of this thread (crypto helper 3) 22 | crypto helper 3 waiting (nothing to do) | starting up helper thread 1 | status value returned by setting the priority of this thread (crypto helper 1) 22 | crypto helper 1 waiting (nothing to do) | starting up helper thread 5 | status value returned by setting the priority of this thread (crypto helper 5) 22 | crypto helper 5 waiting (nothing to do) | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 Kernel supports NIC esp-hw-offload adding interface 
eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth1/eth1 192.1.2.23:4500 adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.0.2.254:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | no interfaces to sort | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | add_fd_read_event_handler: new ethX-pe@0x557c21c9f920 | libevent_malloc: new ptr-libevent@0x557c21cb64b0 size 128 | libevent_malloc: new ptr-libevent@0x557c21cb6540 size 16 | setup callback for interface lo 127.0.0.1:4500 fd 22 | add_fd_read_event_handler: new ethX-pe@0x557c21cb6560 | libevent_malloc: new ptr-libevent@0x557c21cb65a0 size 128 | libevent_malloc: new ptr-libevent@0x557c21cb6630 size 16 | setup callback for interface lo 127.0.0.1:500 fd 21 | add_fd_read_event_handler: new ethX-pe@0x557c21cb6650 | libevent_malloc: new ptr-libevent@0x557c21cb6690 size 128 | libevent_malloc: new ptr-libevent@0x557c21cb6720 size 16 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | add_fd_read_event_handler: new ethX-pe@0x557c21cb6740 | libevent_malloc: new ptr-libevent@0x557c21cb6780 size 128 | libevent_malloc: new ptr-libevent@0x557c21cb6810 size 16 | setup callback for interface eth0 192.0.2.254:500 fd 19 | add_fd_read_event_handler: new ethX-pe@0x557c21cb6830 | libevent_malloc: new ptr-libevent@0x557c21cb6870 size 128 | libevent_malloc: new ptr-libevent@0x557c21cb6900 size 16 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | add_fd_read_event_handler: 
new ethX-pe@0x557c21cb6920 | libevent_malloc: new ptr-libevent@0x557c21cb6960 size 128 | libevent_malloc: new ptr-libevent@0x557c21cb69f0 size 16 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.61 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 | no interfaces to sort | libevent_free: release ptr-libevent@0x557c21cb64b0 | free_event_entry: release EVENT_NULL-pe@0x557c21c9f920 | add_fd_read_event_handler: new ethX-pe@0x557c21c9f920 | libevent_malloc: new ptr-libevent@0x557c21cb64b0 size 128 | setup callback for interface lo 127.0.0.1:4500 fd 22 | libevent_free: release ptr-libevent@0x557c21cb65a0 | free_event_entry: release EVENT_NULL-pe@0x557c21cb6560 | add_fd_read_event_handler: new ethX-pe@0x557c21cb6560 | libevent_malloc: new ptr-libevent@0x557c21cb65a0 size 128 | setup callback for interface lo 127.0.0.1:500 fd 21 | libevent_free: release ptr-libevent@0x557c21cb6690 | free_event_entry: release 
EVENT_NULL-pe@0x557c21cb6650 | add_fd_read_event_handler: new ethX-pe@0x557c21cb6650 | libevent_malloc: new ptr-libevent@0x557c21cb6690 size 128 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | libevent_free: release ptr-libevent@0x557c21cb6780 | free_event_entry: release EVENT_NULL-pe@0x557c21cb6740 | add_fd_read_event_handler: new ethX-pe@0x557c21cb6740 | libevent_malloc: new ptr-libevent@0x557c21cb6780 size 128 | setup callback for interface eth0 192.0.2.254:500 fd 19 | libevent_free: release ptr-libevent@0x557c21cb6870 | free_event_entry: release EVENT_NULL-pe@0x557c21cb6830 | add_fd_read_event_handler: new ethX-pe@0x557c21cb6830 | libevent_malloc: new ptr-libevent@0x557c21cb6870 size 128 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | libevent_free: release ptr-libevent@0x557c21cb6960 | free_event_entry: release EVENT_NULL-pe@0x557c21cb6920 | add_fd_read_event_handler: new ethX-pe@0x557c21cb6920 | libevent_malloc: new ptr-libevent@0x557c21cb6960 size 128 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.387 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned pid 20326 (exited with status 0) | reaped addconn helper child (status 0) | waitpid returned ECHILD (no child processes left) | spent 0.0172 
milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection westnet-eastnet-ikev2 with policy ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | No AUTH policy was set - defaulting to RSASIG | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 | from whack: got --esp= | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 | loading left certificate 'west' pubkey | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x557c21cb93e0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x557c21cb8eb0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x557c21cb8dc0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x557c21cb8cd0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x557c21cb94d0 | unreference key: 0x557c21cb8a90 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1-- | unreference key: 0x557c21cb8f30 192.1.2.45 cnt 1-- | warning: no secret key loaded for left certificate with nickname west: NSS: cert private key not found | counting wild cards for 192.1.2.45 is 0 | loading right certificate 'east' pubkey | get_pluto_gn_from_nss_cert: allocated 
pluto_gn 0x557c21cb8eb0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x557c21c980b0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x557c21cb8dc0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x557c21cb8cd0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x557c21cb94d0 | unreference key: 0x557c21cbe340 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | unreference key: 0x557c21cc2610 192.1.2.23 cnt 1-- | certs and keys locked by 'lsw_add_rsa_secret' | certs and keys unlocked by 'lsw_add_rsa_secret' | counting wild cards for 192.1.2.23 is 0 | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none | new hp@0x557c21cbd1d0 added connection description "westnet-eastnet-ikev2" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.0.2.0/24===192.1.2.23<192.1.2.23>...192.1.2.45<192.1.2.45>===192.0.1.0/24 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 2.28 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... 
in show_states_status (sort_states) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.337 milliseconds in whack | spent 0.00257 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 828 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 41 fb 4a 94 0a a2 9a ac | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_v2SA (0x21) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 0 (0x0) | length: 828 (0x33c) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) | Now let's proceed with payload (ISAKMP_NEXT_v2SA) | ***parse IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2KE (0x22) | flags: none (0x0) | length: 436 (0x1b4) | processing payload: ISAKMP_NEXT_v2SA (len=432) | Now let's proceed with payload (ISAKMP_NEXT_v2KE) | ***parse IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2Ni (0x28) | flags: none (0x0) | length: 264 (0x108) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | processing payload: 
ISAKMP_NEXT_v2KE (len=256) | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) | ***parse IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 36 (0x24) | processing payload: ISAKMP_NEXT_v2Ni (len=32) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 8 (0x8) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | processing payload: ISAKMP_NEXT_v2N (len=0) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | processing payload: ISAKMP_NEXT_v2N (len=20) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | processing payload: ISAKMP_NEXT_v2N (len=20) | DDOS disabled and no cookie sent, continuing | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (westnet-eastnet-ikev2) | find_next_host_connection returns empty | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | find_next_host_connection returns empty | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy 
ECDSA+IKEV2_ALLOW | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (westnet-eastnet-ikev2) | find_next_host_connection returns westnet-eastnet-ikev2 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | find_next_host_connection returns empty | found connection: westnet-eastnet-ikev2 with policy RSASIG+IKEV2_ALLOW | creating state object #1 at 0x557c21cc1970 | State DB: adding IKEv2 state #1 in UNDEFINED | pstats #1 ikev2.ike started | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 | start processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) | [RE]START processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 | #1 in state PARENT_R0: processing SA_INIT request | selected state microcode Respond to IKE_SA_INIT | Now let's proceed with state specific processing | calling processor Respond to IKE_SA_INIT | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in 
update_ike_endpoints() at state.c:2668) | constructing local IKE proposals for westnet-eastnet-ikev2 (IKE SA responder matching remote proposals) | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... | ... 
ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 "westnet-eastnet-ikev2": constructed local IKE proposals for westnet-eastnet-ikev2 (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 | Comparing remote proposals against IKE responder 4 local proposals | local proposal 1 type ENCR has 1 transforms | local proposal 1 type PRF has 2 transforms | local proposal 1 type INTEG has 1 transforms | local proposal 1 type DH has 8 transforms | local proposal 1 type ESN has 0 transforms | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG | local proposal 2 type ENCR has 1 transforms | local proposal 2 type PRF has 2 transforms | local proposal 2 type INTEG has 1 transforms | local proposal 2 type DH has 8 transforms | local proposal 2 type ESN has 0 transforms | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG | local proposal 3 type ENCR has 1 transforms | local proposal 3 type PRF has 2 transforms | local proposal 3 type INTEG has 2 transforms | local proposal 3 type DH has 8 transforms | local proposal 3 type ESN has 0 transforms | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none | local proposal 4 type ENCR has 1 transforms | local proposal 4 type PRF has 2 transforms | 
local proposal 4 type INTEG has 2 transforms | local proposal 4 type DH has 8 transforms | local proposal 4 type ESN has 0 transforms | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 100 (0x64) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 11 (0xb) | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | remote 
proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local 
proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH | remote proposal 1 matches local proposal 1 | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 100 (0x64) | prop #: 2 (0x2) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 11 (0xb) | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: 
OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 116 (0x74) | prop #: 3 (0x3) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 13 (0xd) | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | 
IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) | *****parse IKEv2 
Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | length: 116 (0x74) | prop #: 4 (0x4) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 13 (0xd) | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: 
TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH "westnet-eastnet-ikev2" #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 | converting proposal to internal trans attrs | natd_hash: rcookie is zero | natd_hash: hasher=0x557c203347a0(20) | natd_hash: icookie= 41 fb 4a 94 0a a2 9a ac | natd_hash: rcookie= 00 00 00 00 00 00 00 00 | natd_hash: ip= c0 01 02 17 | natd_hash: port= 01 f4 | natd_hash: hash= e7 19 3b 9e 52 83 0f 42 05 62 65 ca f4 66 33 18 | natd_hash: hash= ba 75 66 de | natd_hash: rcookie is zero | natd_hash: hasher=0x557c203347a0(20) | natd_hash: icookie= 41 fb 4a 94 0a a2 9a ac | natd_hash: rcookie= 00 00 00 00 00 00 00 00 | natd_hash: ip= c0 01 02 2d | natd_hash: port= 01 f4 | natd_hash: hash= 81 0c e6 82 63 31 be b9 0e 5a 51 a8 75 9c 77 ea | natd_hash: hash= f8 7f a1 13 | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.45 | adding ikev2_inI1outR1 KE work-order 1 for state #1 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x557c21cb8d60 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x557c21cb8e20 size 128 | #1 spent 0.641 milliseconds in processing: Respond to IKE_SA_INIT in 
ikev2_process_state_packet() | [RE]START processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND | suspending state #1 and saving MD | #1 is busy; has a suspended MD | [RE]START processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3266) | "westnet-eastnet-ikev2" #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 | stop processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) | #1 spent 1.01 milliseconds in ikev2_process_packet() | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 1.03 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 4 resuming | crypto helper 4 starting work-order 1 for state #1 | crypto helper 4 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 | crypto helper 4 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.000756 seconds | (#1) spent 0.763 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) | crypto helper 4 sending results from work-order 1 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f9d54006900 size 128 | crypto helper 4 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 4 replies to request ID 1 | calling continuation function 0x557c2025e630 | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 | **emit ISAKMP 
Message: | initiator cookie: | 41 fb 4a 94 0a a2 9a ac | responder cookie: | 8e 5d 55 36 d0 04 9e 86 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | Emitting ikev2_proposal ... | ***emit IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' | ****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 3 (0x3) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | ******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of IKEv2 Transform Substructure Payload: 12 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 
Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 36 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | emitting length of IKEv2 Security Association Payload: 40 | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 | ***emit IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
| emitting length of IKEv2 Key Exchange Payload: 264 | ***emit IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload | IKEv2 nonce 97 5d da df 55 92 5b ee 03 d5 25 fe 5f 9f 2f 6d | IKEv2 nonce 3b 83 be 87 22 0f d2 5a 14 96 b6 3f be 35 24 52 | emitting length of IKEv2 Nonce Payload: 36 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting length of IKEv2 Notify Payload: 8 | NAT-Traversal support [enabled] add v2N payloads.
| natd_hash: hasher=0x557c203347a0(20) | natd_hash: icookie= 41 fb 4a 94 0a a2 9a ac | natd_hash: rcookie= 8e 5d 55 36 d0 04 9e 86 | natd_hash: ip= c0 01 02 17 | natd_hash: port= 01 f4 | natd_hash: hash= 0d d9 c4 8b 39 39 4e 87 69 15 f5 43 88 6a 10 7f | natd_hash: hash= 0d f4 06 af | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload | Notify data 0d d9 c4 8b 39 39 4e 87 69 15 f5 43 88 6a 10 7f | Notify data 0d f4 06 af | emitting length of IKEv2 Notify Payload: 28 | natd_hash: hasher=0x557c203347a0(20) | natd_hash: icookie= 41 fb 4a 94 0a a2 9a ac | natd_hash: rcookie= 8e 5d 55 36 d0 04 9e 86 | natd_hash: ip= c0 01 02 2d | natd_hash: port= 01 f4 | natd_hash: hash= d2 91 3c dc c2 ea 3e a3 c1 c7 1b 88 10 68 c6 cc | natd_hash: hash= 0d ee c9 24 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload | Notify data d2 91 3c dc c2 ea 3e a3 c1 c7 1b 88 10 68 c6 cc | Notify data 0d ee c9 24 | emitting length of IKEv2 Notify Payload: 28 | going to send a certreq | connection->kind is CK_PERMANENT so send CERTREQ | 
***emit IKEv2 Certificate Request Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Certificate Request Payload (38:ISAKMP_NEXT_v2CERTREQ) | next payload chain: saving location 'IKEv2 Certificate Request Payload'.'next payload type' in 'reply packet' | NSS: locating CA cert 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' for CERTREQ using CERT_FindCertByName() failed: (NSS: 0 (0x0): Success; 0 indicates NSS lost the error code) | emitting length of IKEv2 Certificate Request Payload: 5 | emitting length of ISAKMP Message: 437 | [RE]START processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) | Message ID: updating counters for #1 to 0 after switching state | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 "westnet-eastnet-ikev2" #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 437 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 
state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x557c21cb8e20 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x557c21cb8d60 | event_schedule: new EVENT_SO_DISCARD-pe@0x557c21cb8d60 | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 | libevent_malloc: new ptr-libevent@0x557c21cb8e20 size 128 | resume sending helper answer for #1 suppresed complete_v2_state_transition() | #1 spent 0.563 milliseconds in resume sending helper answer | stop processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f9d54006900 | spent 0 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 539 bytes from 192.1.2.45:500 on 
eth1 (192.1.2.23:500) | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 41 fb 4a 94 0a a2 9a ac | responder cookie: | 8e 5d 55 36 d0 04 9e 86 | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) 
(0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) | start processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) | [RE]START processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 | unpacking clear payload | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2IDi (0x23) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 1 (0x1) | total fragments: 4 (0x4) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 | #1 in state PARENT_R1: received v2I1, sent v2R1 | received IKE encrypted fragment number '1', total number '4', next payload '35' | updated IKE fragment state to respond using fragments without waiting for re-transmits | stop processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) | #1 spent 0.156 milliseconds in ikev2_process_packet() | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.168 milliseconds in comm_handle_cb() reading and processing packet | spent 0 
milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 539 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 41 fb 4a 94 0a a2 9a ac | responder cookie: | 8e 5d 55 
36 d0 04 9e 86 | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) | start processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) | [RE]START processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2062) | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #1 is idle | #1 idle | Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1 | unpacking clear payload | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 2 (0x2) | total fragments: 4 (0x4) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | #1 in state PARENT_R1: received v2I1, sent v2R1 | received IKE encrypted fragment number '2', total number '4', next payload '0' | stop processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) | #1 spent 0.14 milliseconds in ikev2_process_packet() | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.151 milliseconds in comm_handle_cb() reading and processing packet | spent 0.000123 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 539 bytes from 192.1.2.45:500 
on eth1 (192.1.2.23:500) | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 41 fb 4a 94 0a a2 9a ac | responder cookie: | 8e 5d 55 36 d0 04 9e 86 | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 
(rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) | start processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) | [RE]START processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2062) | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #1 is idle | #1 idle | Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1 | unpacking clear payload | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 3 (0x3) | total fragments: 4 (0x4) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | #1 in state PARENT_R1: received v2I1, sent v2R1 | received IKE encrypted fragment number '3', total number '4', next payload '0' | stop processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) | #1 spent 0.135 milliseconds in ikev2_process_packet() | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.146 milliseconds in comm_handle_cb() reading and processing packet | spent 0 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 513 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 
start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 41 fb 4a 94 0a a2 9a ac | responder cookie: | 8e 5d 55 36 d0 04 9e 86 | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 513 (0x201) | processing version=2.0 packet with exchange 
type=ISAKMP_v2_IKE_AUTH (35) | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) | start processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) | [RE]START processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2062) | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #1 is idle | #1 idle | Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1 | unpacking clear payload | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 485 (0x1e5) | fragment number: 4 (0x4) | total fragments: 4 (0x4) | processing payload: ISAKMP_NEXT_v2SKF (len=477) | #1 in state PARENT_R1: received v2I1, sent v2R1 | received IKE encrypted fragment number '4', total number '4', next payload '0' | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with state specific processing | calling processor Responder: process IKE_AUTH request (no SKEYSEED) | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 | adding ikev2_inI2outR2 KE work-order 2 for state #1 | state #1 requesting EVENT_SO_DISCARD to be deleted | libevent_free: release ptr-libevent@0x557c21cb8e20 | free_event_entry: release EVENT_SO_DISCARD-pe@0x557c21cb8d60 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x557c21cb8d60 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x557c21cb8e20 size 128 | #1 spent 0.032 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in 
ikev2_process_state_packet() | crypto helper 6 resuming | [RE]START processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND | suspending state #1 and saving MD | #1 is busy; has a suspended MD | [RE]START processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3266) | "westnet-eastnet-ikev2" #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 | stop processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) | #1 spent 0.208 milliseconds in ikev2_process_packet() | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.218 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 6 starting work-order 2 for state #1 | crypto helper 6 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 | crypto helper 6 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001368 seconds | (#1) spent 1.37 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) | crypto helper 6 sending results from work-order 2 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f9d4c006b90 size 128 | crypto helper 6 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 6 replies to request ID 2 | calling continuation function 0x557c2025e630 | 
ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 | #1 in state PARENT_R1: received v2I1, sent v2R1 | already have all fragments, skipping fragment collection | already have all fragments, skipping fragment collection | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) | **parse IKEv2 Identification - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2CERT (0x25) | flags: none (0x0) | length: 12 (0xc) | ID type: ID_IPV4_ADDR (0x1) | processing payload: ISAKMP_NEXT_v2IDi (len=4) | Now let's proceed with payload (ISAKMP_NEXT_v2CERT) | **parse IKEv2 Certificate Payload: | next payload type: ISAKMP_NEXT_v2CERTREQ (0x26) | flags: none (0x0) | length: 1265 (0x4f1) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | processing payload: ISAKMP_NEXT_v2CERT (len=1260) | Now let's proceed with payload (ISAKMP_NEXT_v2CERTREQ) | **parse IKEv2 Certificate Request Payload: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) | flags: none (0x0) | length: 5 (0x5) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | processing payload: ISAKMP_NEXT_v2CERTREQ (len=0) | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) | **parse IKEv2 Authentication Payload: | next payload type: ISAKMP_NEXT_v2SA (0x21) | flags: none (0x0) | length: 392 (0x188) | auth method: IKEv2_AUTH_RSA (0x1) | processing payload: ISAKMP_NEXT_v2AUTH (len=384) | Now let's proceed with payload (ISAKMP_NEXT_v2SA) | **parse IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) | flags: none (0x0) | length: 164 (0xa4) | processing payload: ISAKMP_NEXT_v2SA (len=160) | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) | **parse IKEv2 Traffic Selector - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) | flags: none (0x0) | length: 24 (0x18) | number of TS: 1 (0x1) | processing payload: ISAKMP_NEXT_v2TSi (len=16) | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) | **parse IKEv2 Traffic Selector - Responder - 
Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 24 (0x18) | number of TS: 1 (0x1) | processing payload: ISAKMP_NEXT_v2TSr (len=16) | selected state microcode Responder: process IKE_AUTH request | Now let's proceed with state specific processing | calling processor Responder: process IKE_AUTH request "westnet-eastnet-ikev2" #1: processing decrypted IKE_AUTH request: SK{IDi,CERT,CERTREQ,AUTH,SA,TSi,TSr} | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) | global one-shot timer EVENT_FREE_ROOT_CERTS scheduled in 300 seconds loading root certificate cache | spent 2.27 milliseconds in get_root_certs() calling PK11_ListCertsInSlot() | spent 0.0222 milliseconds in get_root_certs() filtering CAs | #1 spent 2.32 milliseconds in find_and_verify_certs() calling get_root_certs() "westnet-eastnet-ikev2" #1: No Certificate Authority in NSS Certificate DB! Certificate payloads discarded. | parsing 4 raw bytes of IKEv2 Identification - Initiator - Payload into peer ID | peer ID c0 01 02 2d | CERT_X509_SIGNATURE CR: | | requested CA: '%any' | refine_host_connection for IKEv2: starting with "westnet-eastnet-ikev2" | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | refine_host_connection: happy with starting point: "westnet-eastnet-ikev2" | The remote did not specify an IDr and our current connection is good enough | offered CA: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' "westnet-eastnet-ikev2" #1: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.1.2.45' | received CERTREQ payload; going to decode it | CERT_X509_SIGNATURE CR: | | requested CA: '%any' | 
verifying AUTH payload | required RSA CA is 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | checking RSA keyid '192.1.2.23' for match with '192.1.2.45' | checking RSA keyid 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' for match with '192.1.2.45' | checking RSA keyid 'user-east@testing.libreswan.org' for match with '192.1.2.45' | checking RSA keyid '@east.testing.libreswan.org' for match with '192.1.2.45' | checking RSA keyid 'east@testing.libreswan.org' for match with '192.1.2.45' | checking RSA keyid '192.1.2.45' for match with '192.1.2.45' | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | RSA key issuer CA is 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | an RSA Sig check passed with *AwEAAa0Pt [preloaded keys] | #1 spent 0.181 milliseconds in try_all_keys() trying a pubkey "westnet-eastnet-ikev2" #1: Authenticated using RSA | #1 spent 0.255 milliseconds in ikev2_verify_rsa_hash() | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x557c21cb8e20 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x557c21cb8d60 | event_schedule: new EVENT_SA_REKEY-pe@0x557c21ccaa90 | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 | libevent_malloc: new ptr-libevent@0x557c21cb8e20 size 128 | pstats #1 ikev2.ike established | **emit ISAKMP Message: | initiator cookie: | 41 fb 
4a 94 0a a2 9a ac | responder cookie: | 8e 5d 55 36 d0 04 9e 86 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | IKEv2 CERT: send a certificate? | IKEv2 CERT: OK to send a certificate (always) | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED | ****emit IKEv2 Identification - Responder - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ID type: ID_IPV4_ADDR (0x1) | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload | my identity c0 01 02 17 | emitting length of IKEv2 Identification - Responder - Payload: 12 | assembled IDr payload | Sending [CERT] of certificate: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | ****emit IKEv2 Certificate Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Certificate 
Payload (37:ISAKMP_NEXT_v2CERT) | next payload chain: saving location 'IKEv2 Certificate Payload'.'next payload type' in 'reply packet' | emitting 1260 raw bytes of CERT into IKEv2 Certificate Payload | 
emitting length of IKEv2 Certificate Payload: 1265 | CHILD SA proposals received | going to assemble AUTH payload | ****emit IKEv2 Authentication Payload: | next payload type: ISAKMP_NEXT_v2SA (0x21) | flags: none (0x0) | auth method: IKEv2_AUTH_RSA (0x1) | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA | next payload chain: setting previous 'IKEv2 Certificate Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' | started looking for secret for 192.1.2.23->192.1.2.45 of kind PKK_RSA | searching for certificate PKK_RSA:AwEAAbANn vs PKK_RSA:AwEAAbANn | #1 spent 9.72 milliseconds in ikev2_calculate_rsa_hash() calling sign_hash_RSA() | emitting 384 raw bytes of rsa signature into IKEv2 Authentication Payload | 
#1 spent 9.86 milliseconds in ikev2_calculate_rsa_hash() | emitting length of IKEv2 Authentication Payload: 392 | creating state object #2 at 0x557c21ccbb30 | State DB: adding IKEv2 state #2 in UNDEFINED | pstats #2 ikev2.child started | duplicating state object #1 "westnet-eastnet-ikev2" as #2 for IPSEC SA | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1481) | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 | Child SA TS Request has ike->sa == md->st; so using parent connection | TSi: parsing 1 traffic selectors | 
***parse IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | length: 16 (0x10) | start port: 0 (0x0) | end port: 65535 (0xffff) | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low | TS low c0 00 01 00 | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high | TS high c0 00 01 ff | TSi: parsed 1 traffic selectors | TSr: parsing 1 traffic selectors | ***parse IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | length: 16 (0x10) | start port: 0 (0x0) | end port: 65535 (0xffff) | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low | TS low c0 00 02 00 | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high | TS high c0 00 02 ff | TSr: parsed 1 traffic selectors | looking for best SPD in current connection | evaluating our conn="westnet-eastnet-ikev2" I=192.0.1.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 | narrow port end=0..65535 == TSi[0]=0..65535: 0 | TSi[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSi[0]=*0: 0 | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 | narrow port end=0..65535 == TSr[0]=0..65535: 0 | TSr[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSr[0]=*0: 0 | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 | best fit so far: TSi[0] TSr[0] | found better spd route for TSi[0],TSr[0] | looking for better host pair | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports | checking hostpair 192.0.2.0/24:0 -> 192.0.1.0/24:0 is found | investigating connection "westnet-eastnet-ikev2" as a better match | match_id a=192.1.2.45 | b=192.1.2.45 | 
results matched | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | evaluating our conn="westnet-eastnet-ikev2" I=192.0.1.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 | narrow port end=0..65535 == TSi[0]=0..65535: 0 | TSi[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSi[0]=*0: 0 | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 | narrow port end=0..65535 == TSr[0]=0..65535: 0 | TSr[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSr[0]=*0: 0 | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 | best fit so far: TSi[0] TSr[0] | did not find a better connection using host pair | printing contents struct traffic_selector | ts_type: IKEv2_TS_IPV4_ADDR_RANGE | ipprotoid: 0 | port range: 0-65535 | ip range: 192.0.2.0-192.0.2.255 | printing contents struct traffic_selector | ts_type: IKEv2_TS_IPV4_ADDR_RANGE | ipprotoid: 0 | port range: 0-65535 | ip range: 192.0.1.0-192.0.1.255 | constructing ESP/AH proposals with all DH removed for westnet-eastnet-ikev2 (IKE_AUTH responder matching remote ESP/AH proposals) | converting proposal AES_GCM_16_256-NONE to ikev2 ... | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED | converting proposal AES_GCM_16_128-NONE to ikev2 ... | ... 
ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... | ... ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED "westnet-eastnet-ikev2": constructed local ESP/AH proposals for westnet-eastnet-ikev2 (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals | local proposal 1 type ENCR has 1 transforms | local proposal 1 type PRF has 0 transforms | local proposal 1 type INTEG has 1 transforms | local proposal 1 type DH has 1 transforms | local proposal 1 type ESN has 1 transforms | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH | local proposal 2 type ENCR has 1 transforms | local proposal 2 type PRF has 0 transforms | local proposal 2 type INTEG has 1 transforms | local proposal 2 type DH has 1 transforms | local proposal 2 type ESN has 1 transforms | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH | local proposal 3 type ENCR has 1 transforms | local proposal 3 type PRF has 0 transforms | local proposal 3 type INTEG has 2 transforms | local proposal 3 type DH has 1 transforms | local proposal 3 type ESN has 1 transforms | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: DH | local proposal 4 type ENCR has 1 transforms | local proposal 4 type PRF has 0 transforms | local proposal 4 type 
INTEG has 2 transforms | local proposal 4 type DH has 1 transforms | local proposal 4 type ESN has 1 transforms | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 32 (0x20) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI e4 7a a1 43 | Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN | remote proposal 1 matches local proposal 1 | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 32 (0x20) | prop 
#: 2 (0x2) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI e4 7a a1 43 | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 4 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 48 (0x30) | prop #: 3 (0x3) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 4 (0x4) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI e4 7a a1 43 | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | ****parse IKEv2 Transform Substructure Payload: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | length: 48 (0x30) | prop #: 4 (0x4) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 4 (0x4) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI e4 7a a1 43 | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN | remote proposal 4 does not 
match; unmatched remote transforms: ENCR+INTEG+ESN "westnet-eastnet-ikev2" #1: proposal 1:ESP:SPI=e47aa143;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=e47aa143;ENCR=AES_GCM_C_256;ESN=DISABLED | converting proposal to internal trans attrs | netlink_get_spi: allocated 0xcf01a557 for esp.0@192.1.2.23 | Emitting ikev2_proposal ... | ****emit IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload | our spi cf 01 a5 57 | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | *******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of IKEv2 Transform Substructure Payload: 12 | ******emit IKEv2 
Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 32 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | emitting length of IKEv2 Security Association Payload: 36 | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 | ****emit IKEv2 Traffic Selector - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | number of TS: 1 (0x1) | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | start port: 0 (0x0) | end port: 65535 (0xffff) | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector | IP start c0 00 01 00 | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector | IP end c0 00 01 ff | emitting length of IKEv2 Traffic Selector: 16 | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 | ****emit IKEv2 Traffic Selector - Responder - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | number of TS: 1 (0x1) | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - 
Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | start port: 0 (0x0) | end port: 65535 (0xffff) | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector | IP start c0 00 02 00 | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector | IP end c0 00 02 ff | emitting length of IKEv2 Traffic Selector: 16 | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 | FOR_EACH_CONNECTION_... in ISAKMP_SA_established | install_ipsec_sa() for #2: inbound and outbound | could_route called for westnet-eastnet-ikev2 (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... 
in route_owner | conn westnet-eastnet-ikev2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-ikev2 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-ikev2" unrouted: NULL; eroute owner: NULL | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 | AES_GCM_16 requires 4 salt bytes | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'westnet-eastnet-ikev2' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.e47aa143@192.1.2.45 included non-error error | set up outgoing SA, ref=0/0 | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 | AES_GCM_16 requires 4 salt bytes | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'westnet-eastnet-ikev2' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.cf01a557@192.1.2.23 included non-error error | priority calculation of connection "westnet-eastnet-ikev2" is 0xfe7e7 | add inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) | IPsec Sa SPD priority set to 1042407 | raw_eroute result=success | set up incoming SA, ref=0/0 | sr for #2: unrouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... 
in route_owner | conn westnet-eastnet-ikev2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-ikev2 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-ikev2" unrouted: NULL; eroute owner: NULL | route_and_eroute with c: westnet-eastnet-ikev2 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 | priority calculation of connection "westnet-eastnet-ikev2" is 0xfe7e7 | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45 (raw_eroute) | IPsec Sa SPD priority set to 1042407 | raw_eroute result=success | running updown command "ipsec _updown" for verb up | command executing up-client | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNE | popen cmd is 1168 chars 
long | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-ike: | cmd( 80):v2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLU: | cmd( 160):TO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.: | cmd( 240):2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0: | cmd( 320):' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_: | cmd( 400):ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.: | cmd( 480):0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCO: | cmd( 560):L='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departmen: | cmd( 640):t, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey: | cmd( 720):' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAR: | cmd( 800):EF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFA: | cmd( 880):MILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_: | cmd( 960):PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT=': | cmd(1040):0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=: | cmd(1120):0xe47aa143 SPI_OUT=0xcf01a557 ipsec _updown 2>&1: | route_and_eroute: firewall_notified: true | running updown command "ipsec _updown" for verb prepare | command executing prepare-client | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' 
PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_ | popen cmd is 1173 chars long | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastne: | cmd( 80):t-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23: | cmd( 160):' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='1: | cmd( 240):92.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC: | cmd( 320):OL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_: | cmd( 400):PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192: | cmd( 480):.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PR: | cmd( 560):OTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Depa: | cmd( 640):rtment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='n: | cmd( 720):etkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLO: | cmd( 800):W+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_A: | cmd( 880):DDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' 
PLUTO_PEER_DNS_INFO='' P: | cmd( 960):LUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLI: | cmd(1040):ENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SP: | cmd(1120):I_IN=0xe47aa143 SPI_OUT=0xcf01a557 ipsec _updown 2>&1: | running updown command "ipsec _updown" for verb route | command executing route-client | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER | popen cmd is 1171 chars long | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-: | cmd( 80):ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' : | cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' 
PLUTO_MY_CLIENT_NET='192: | cmd( 240):.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL: | cmd( 320):='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PE: | cmd( 400):ER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0: | cmd( 480):.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROT: | cmd( 560):OCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Depart: | cmd( 640):ment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='net: | cmd( 720):key' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+: | cmd( 800):SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADD: | cmd( 880):RFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLU: | cmd( 960):TO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIEN: | cmd(1040):T='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_: | cmd(1120):IN=0xe47aa143 SPI_OUT=0xcf01a557 ipsec _updown 2>&1: | route_and_eroute: instance "westnet-eastnet-ikev2", setting eroute_owner {spd=0x557c21cb72a0,sr=0x557c21cb72a0} to #2 (was #0) (newest_ipsec_sa=#0) | #1 spent 0.977 milliseconds in install_ipsec_sa() | ISAKMP_v2_IKE_AUTH: instance westnet-eastnet-ikev2[0], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 1782 | emitting length of ISAKMP Message: 1810 | **parse ISAKMP Message: | initiator cookie: | 41 fb 4a 94 0a a2 9a ac | responder cookie: | 8e 5d 55 36 d0 04 9e 86 | next payload type: ISAKMP_NEXT_v2SK (0x2e) | ISAKMP version: IKEv2 version 2.0 
(rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | length: 1810 (0x712) | **parse IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2IDr (0x24) | flags: none (0x0) | length: 1782 (0x6f6) | **emit ISAKMP Message: | initiator cookie: | 41 fb 4a 94 0a a2 9a ac | responder cookie: | 8e 5d 55 36 d0 04 9e 86 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2IDr (0x24) | flags: none (0x0) | fragment number: 1 (0x1) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 36:ISAKMP_NEXT_v2IDr | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | 41 fb 4a 94 0a a2 9a ac | responder cookie: | 8e 5d 55 36 d0 04 9e 86 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH
(0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 2 (0x2) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | 41 fb 4a 94 0a a2 9a ac | responder cookie: | 8e 5d 55 36 d0 04 9e 86 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 3 (0x3) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted
Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | 41 fb 4a 94 0a a2 9a ac | responder cookie: | 8e 5d 55 36 d0 04 9e 86 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 4 (0x4) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 319 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 352 | emitting length of ISAKMP Message: 380 | ikev2_parent_inI2outR2_continue_tail returned STF_OK | #1 spent 15.3 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() | suspend processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) | start processing: state #2 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with
status STF_OK | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) | Message ID: updating counters for #2 to 1 after switching state | Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 | pstats #2 ikev2.child established "westnet-eastnet-ikev2" #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] | NAT-T: encaps is 'auto' "westnet-eastnet-ikev2" #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0xe47aa143 <0xcf01a557 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending fragments ... | sending 539 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
| sending 539 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
| sending 539 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
| sending 380 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | sent 4 fragments | releasing whack for #2 (sock=fd@-1) | releasing whack and unpending for parent #1 | unpending state #1 connection "westnet-eastnet-ikev2" | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) | event_schedule: new EVENT_SA_REKEY-pe@0x557c21cd6470 | inserting event EVENT_SA_REKEY, timeout in 28530
seconds for #2 | libevent_malloc: new ptr-libevent@0x557c21ccc680 size 128 | resume sending helper answer for #1 suppresed complete_v2_state_transition() | #1 spent 15.8 milliseconds in resume sending helper answer | stop processing: state #2 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f9d4c006b90 | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00442 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00337 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00297 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... in show_states_status (sort_states) | FOR_EACH_STATE_... 
in sort_states | get_sa_info esp.cf01a557@192.1.2.23 | get_sa_info esp.e47aa143@192.1.2.45 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.373 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) shutting down | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) | pluto_sd: executing action action: stopping(6), status 0 destroying root certificate cache | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' | unreference key: 0x557c21cbe230 192.1.2.23 cnt 1-- | unreference key: 0x557c21cc3530 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | unreference key: 0x557c21cc3120 user-east@testing.libreswan.org cnt 1-- | unreference key: 0x557c21cc2e10 @east.testing.libreswan.org cnt 1-- | unreference key: 0x557c21cc2a50 east@testing.libreswan.org cnt 1-- | unreference key: 0x557c21bb06c0 192.1.2.45 cnt 2-- | unreference key: 0x557c21cbe170 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1-- | unreference key: 0x557c21cbddb0 user-west@testing.libreswan.org cnt 1-- | unreference key: 0x557c21cbda60 @west.testing.libreswan.org cnt 1-- | unreference key: 0x557c21cbd680 west@testing.libreswan.org cnt 1-- | start processing: connection "westnet-eastnet-ikev2" (in delete_connection() at connections.c:189) | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete | state #2 | suspend processing: connection "westnet-eastnet-ikev2" (in foreach_state_by_connection_func_delete() at state.c:1310) | start processing: state #2 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #2 ikev2.child deleted completed | [RE]START processing: state #2 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in delete_state() at state.c:879) "westnet-eastnet-ikev2" #2: deleting state (STATE_V2_IPSEC_R) aged 5.032s and sending notification | child state #2: V2_IPSEC_R(established CHILD SA) => delete | get_sa_info esp.e47aa143@192.1.2.45 | get_sa_info esp.cf01a557@192.1.2.23 "westnet-eastnet-ikev2" #2: ESP traffic information: in=168B out=168B | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R | Opening output PBS informational exchange delete request | **emit ISAKMP Message: | initiator cookie: | 41 fb 4a 94 0a a2 9a ac | responder cookie: | 8e 5d 55 36 d0 04 9e 86 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | ****emit IKEv2 Delete Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | protocol ID: PROTO_v2_ESP (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to 
current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' | emitting 4 raw bytes of local spis into IKEv2 Delete Payload | local spis cf 01 a5 57 | emitting length of IKEv2 Delete Payload: 12 | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 41 | emitting length of ISAKMP Message: 69 | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #2) | 41 fb 4a 94 0a a2 9a ac 8e 5d 55 36 d0 04 9e 86 | 2e 20 25 00 00 00 00 00 00 00 00 45 2a 00 00 29 | 51 21 b6 9e fe 1c f3 3a 7f b8 f0 80 aa 73 82 e9 | 80 f3 02 76 fa 8a 39 6d 4f 3c 67 c6 7b ea 43 9a | b5 df 82 cf e1 | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1->0 wip.responder=-1 | state #2 requesting EVENT_SA_REKEY to be deleted | libevent_free: release ptr-libevent@0x557c21ccc680 | free_event_entry: release EVENT_SA_REKEY-pe@0x557c21cd6470 | running updown command "ipsec _updown" for verb down | command executing down-client | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' 
PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050677' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_ | popen cmd is 1061 chars long | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-i: | cmd( 80):kev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' P: | cmd( 160):LUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.: | cmd( 240):0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL=: | cmd( 320):'0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEE: | cmd( 400):R_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.: | cmd( 480):1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTO: | cmd( 560):COL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050677' PLUTO_C: | cmd( 640):ONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN: | cmd( 720):_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 : | cmd( 800):PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_P: | cmd( 880):EER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' : | cmd( 960):VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xe47aa143 SPI_OUT=0xcf01a5: | cmd(1040):57 ipsec _updown 2>&1: | shunt_eroute() called for connection 'westnet-eastnet-ikev2' to 'replace with shunt' for rt_kind 
'prospective erouted' using protoports 192.0.2.0/24:0 --0->- 192.0.1.0/24:0 | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.1.0/24:0 | priority calculation of connection "westnet-eastnet-ikev2" is 0xfe7e7 | IPsec Sa SPD priority set to 1042407 | delete esp.e47aa143@192.1.2.45 | netlink response for Del SA esp.e47aa143@192.1.2.45 included non-error error | priority calculation of connection "westnet-eastnet-ikev2" is 0xfe7e7 | delete inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) | raw_eroute result=success | delete esp.cf01a557@192.1.2.23 | netlink response for Del SA esp.cf01a557@192.1.2.23 included non-error error | stop processing: connection "westnet-eastnet-ikev2" (BACKGROUND) (in update_state_connection() at connections.c:4037) | start processing: connection NULL (in update_state_connection() at connections.c:4038) | in connection_discard for connection westnet-eastnet-ikev2 | State DB: deleting IKEv2 state #2 in V2_IPSEC_R | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) | stop processing: state #2 from 192.1.2.45:500 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | state #1 | pass 1 | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete | state #1 | start processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #1 ikev2.ike deleted completed | #1 spent 20.2 milliseconds in total | [RE]START processing: state #1 connection "westnet-eastnet-ikev2" from 192.1.2.45:500 (in delete_state() at state.c:879) "westnet-eastnet-ikev2" #1: deleting state (STATE_PARENT_R2) aged 5.178s and sending notification | parent state #1: PARENT_R2(established IKE SA) => delete | #1 send IKEv2 delete notification for STATE_PARENT_R2 | Opening output PBS informational exchange delete request | **emit ISAKMP Message: | initiator cookie: | 41 fb 4a 94 0a a2 9a ac | responder cookie: | 8e 5d 55 36 d0 04 9e 86 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: none (0x0) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | ****emit IKEv2 Delete Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | protocol ID: PROTO_v2_IKE (0x1) | SPI size: 0 (0x0) | number of SPIs: 0 (0x0) | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' | emitting length of IKEv2 Delete Payload: 8 | adding 1 bytes of 
padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 37 | emitting length of ISAKMP Message: 65 | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 41 fb 4a 94 0a a2 9a ac 8e 5d 55 36 d0 04 9e 86 | 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25 | ce 84 1d 66 dd 19 3e 53 3a bd ec dc f2 2d 5b 10 | 63 d6 b0 29 56 46 fd b0 69 53 7e 5b 58 e7 75 b2 | 80 | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 | Message ID: IKE #1 sender #1 in send_delete hacking around record ' send | Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=1 wip.responder=-1 | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=0->1 wip.responder=-1 | state #1 requesting EVENT_SA_REKEY to be deleted | libevent_free: release ptr-libevent@0x557c21cb8e20 | free_event_entry: release EVENT_SA_REKEY-pe@0x557c21ccaa90 | State DB: IKEv2 state not found (flush_incomplete_children) | in connection_discard for connection westnet-eastnet-ikev2 | State DB: deleting IKEv2 state #1 in PARENT_R2 | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) | unreference key: 0x557c21bb06c0 192.1.2.45 cnt 1-- | stop processing: state #1 from 192.1.2.45:500 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | shunt_eroute() called for connection 'westnet-eastnet-ikev2' to 'delete' for rt_kind 'unrouted' using protoports 192.0.2.0/24:0 --0->- 192.0.1.0/24:0 | netlink_shunt_eroute for proto 0, and 
source 192.0.2.0/24:0 dest 192.0.1.0/24:0 | priority calculation of connection "westnet-eastnet-ikev2" is 0xfe7e7 | priority calculation of connection "westnet-eastnet-ikev2" is 0xfe7e7 | FOR_EACH_CONNECTION_... in route_owner | conn westnet-eastnet-ikev2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-ikev2 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-ikev2" unrouted: NULL | running updown command "ipsec _updown" for verb unroute | command executing unroute-client | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SH | popen cmd is 1042 chars long | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastne: | cmd( 80):t-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23: | cmd( 160):' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='1: | cmd( 240):92.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC: | cmd( 320):OL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' 
PLUTO_PEER='192.1.2.45' PLUTO: | cmd( 400):_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='19: | cmd( 480):2.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_P: | cmd( 560):ROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_P: | cmd( 640):OLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' : | cmd( 720):PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO: | cmd( 800):_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_B: | cmd( 880):ANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_I: | cmd( 960):FACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>: | cmd(1040):&1: unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. 
unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. | free hp@0x557c21cbd1d0 | flush revival: connection 'westnet-eastnet-ikev2' wasn't on the list | processing: STOP connection NULL (in discard_connection() at connections.c:249) | crl fetch request list locked by 'free_crl_fetch' | crl fetch request list unlocked by 'free_crl_fetch' shutting down interface lo/lo 127.0.0.1:4500 shutting down interface lo/lo 127.0.0.1:500 shutting down interface eth0/eth0 192.0.2.254:4500 shutting down interface eth0/eth0 192.0.2.254:500 shutting down interface eth1/eth1 192.1.2.23:4500 shutting down interface eth1/eth1 192.1.2.23:500 | FOR_EACH_STATE_... in delete_states_dead_interfaces | libevent_free: release ptr-libevent@0x557c21cb64b0 | free_event_entry: release EVENT_NULL-pe@0x557c21c9f920 | libevent_free: release ptr-libevent@0x557c21cb65a0 | free_event_entry: release EVENT_NULL-pe@0x557c21cb6560 | libevent_free: release ptr-libevent@0x557c21cb6690 | free_event_entry: release EVENT_NULL-pe@0x557c21cb6650 | libevent_free: release ptr-libevent@0x557c21cb6780 | free_event_entry: release EVENT_NULL-pe@0x557c21cb6740 | libevent_free: release ptr-libevent@0x557c21cb6870 | free_event_entry: release EVENT_NULL-pe@0x557c21cb6830 | libevent_free: release ptr-libevent@0x557c21cb6960 | free_event_entry: release EVENT_NULL-pe@0x557c21cb6920 | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations | libevent_free: release ptr-libevent@0x557c21cb5c90 | free_event_entry: release EVENT_NULL-pe@0x557c21c9e820 | libevent_free: release ptr-libevent@0x557c21cab710 | free_event_entry: release EVENT_NULL-pe@0x557c21c9ea60 | libevent_free: release ptr-libevent@0x557c21cab680 | free_event_entry: release EVENT_NULL-pe@0x557c21ca45b0 | global timer EVENT_REINIT_SECRET uninitialized | global timer EVENT_SHUNT_SCAN uninitialized | global timer EVENT_PENDING_DDNS uninitialized | global timer EVENT_PENDING_PHASE2 uninitialized | global timer EVENT_CHECK_CRLS uninitialized | global timer EVENT_REVIVE_CONNS uninitialized | global timer EVENT_FREE_ROOT_CERTS uninitialized | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized | global timer EVENT_NAT_T_KEEPALIVE uninitialized | libevent_free: release ptr-libevent@0x557c21cb5e70 | signal event handler PLUTO_SIGCHLD uninstalled | libevent_free: release ptr-libevent@0x557c21cb5f50 | signal event handler PLUTO_SIGTERM uninstalled | libevent_free: release ptr-libevent@0x557c21cb6010 | signal event handler PLUTO_SIGHUP uninstalled | libevent_free: release ptr-libevent@0x557c21caa980 | signal event handler PLUTO_SIGSYS uninstalled | releasing event base | libevent_free: release ptr-libevent@0x557c21cb60d0 | libevent_free: release ptr-libevent@0x557c21c530f0 | libevent_free: release ptr-libevent@0x557c21c99bc0 | libevent_free: release ptr-libevent@0x557c21c99da0 | libevent_free: release ptr-libevent@0x557c21c99be0 | libevent_free: release ptr-libevent@0x557c21cb5d20 | libevent_free: release ptr-libevent@0x557c21cb5f10 | libevent_free: release ptr-libevent@0x557c21c99d80 | libevent_free: release ptr-libevent@0x557c21ca4510 | libevent_free: release ptr-libevent@0x557c21ca44f0 | libevent_free: release ptr-libevent@0x557c21cb69f0 | libevent_free: release ptr-libevent@0x557c21cb6900 | libevent_free: release ptr-libevent@0x557c21cb6810 | libevent_free: release ptr-libevent@0x557c21cb6720 | libevent_free: release 
ptr-libevent@0x557c21cb6630 | libevent_free: release ptr-libevent@0x557c21cb6540 | libevent_free: release ptr-libevent@0x557c21c99c70 | libevent_free: release ptr-libevent@0x557c21cb5ff0 | libevent_free: release ptr-libevent@0x557c21cb5f30 | libevent_free: release ptr-libevent@0x557c21cb5e50 | libevent_free: release ptr-libevent@0x557c21cb60b0 | libevent_free: release ptr-libevent@0x557c21cb5d40 | libevent_free: release ptr-libevent@0x557c21c99c00 | libevent_free: release ptr-libevent@0x557c21c99c30 | libevent_free: release ptr-libevent@0x557c21c99920 | releasing global libevent data | libevent_free: release ptr-libevent@0x557c21c980e0 | libevent_free: release ptr-libevent@0x557c21c98110 | libevent_free: release ptr-libevent@0x557c21c998f0