Sep 21 07:25:03.450058: FIPS Product: YES Sep 21 07:25:03.450093: FIPS Kernel: NO Sep 21 07:25:03.450096: FIPS Mode: NO Sep 21 07:25:03.450099: NSS DB directory: sql:/etc/ipsec.d Sep 21 07:25:03.450275: Initializing NSS Sep 21 07:25:03.450279: Opening NSS database "sql:/etc/ipsec.d" read-only Sep 21 07:25:03.499551: NSS initialized Sep 21 07:25:03.499566: NSS crypto library initialized Sep 21 07:25:03.499569: FIPS HMAC integrity support [enabled] Sep 21 07:25:03.499571: FIPS mode disabled for pluto daemon Sep 21 07:25:03.635186: FIPS HMAC integrity verification self-test FAILED Sep 21 07:25:03.635291: libcap-ng support [enabled] Sep 21 07:25:03.635302: Linux audit support [enabled] Sep 21 07:25:03.635335: Linux audit activated Sep 21 07:25:03.635339: Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:18661 Sep 21 07:25:03.635341: core dump dir: /tmp Sep 21 07:25:03.635344: secrets file: /etc/ipsec.secrets Sep 21 07:25:03.635346: leak-detective disabled Sep 21 07:25:03.635348: NSS crypto [enabled] Sep 21 07:25:03.635350: XAUTH PAM support [enabled] Sep 21 07:25:03.635422: | libevent is using pluto's memory allocator Sep 21 07:25:03.635431: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Sep 21 07:25:03.635443: | libevent_malloc: new ptr-libevent@0x55d43f595440 size 40 Sep 21 07:25:03.635446: | libevent_malloc: new ptr-libevent@0x55d43f595470 size 40 Sep 21 07:25:03.635449: | libevent_malloc: new ptr-libevent@0x55d43f596c20 size 40 Sep 21 07:25:03.635451: | creating event base Sep 21 07:25:03.635454: | libevent_malloc: new ptr-libevent@0x55d43f596be0 size 56 Sep 21 07:25:03.635458: | libevent_malloc: new ptr-libevent@0x55d43f596c50 size 664 Sep 21 07:25:03.635468: | libevent_malloc: new 
ptr-libevent@0x55d43f596ef0 size 24 Sep 21 07:25:03.635472: | libevent_malloc: new ptr-libevent@0x55d43f550480 size 384 Sep 21 07:25:03.635495: | libevent_malloc: new ptr-libevent@0x55d43f596f10 size 16 Sep 21 07:25:03.635498: | libevent_malloc: new ptr-libevent@0x55d43f596f30 size 40 Sep 21 07:25:03.635501: | libevent_malloc: new ptr-libevent@0x55d43f596f60 size 48 Sep 21 07:25:03.635508: | libevent_realloc: new ptr-libevent@0x55d43f596fa0 size 256 Sep 21 07:25:03.635511: | libevent_malloc: new ptr-libevent@0x55d43f5970b0 size 16 Sep 21 07:25:03.635517: | libevent_free: release ptr-libevent@0x55d43f596be0 Sep 21 07:25:03.635520: | libevent initialized Sep 21 07:25:03.635524: | libevent_realloc: new ptr-libevent@0x55d43f5970d0 size 64 Sep 21 07:25:03.635528: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Sep 21 07:25:03.635541: | init_nat_traversal() initialized with keep_alive=0s Sep 21 07:25:03.635544: NAT-Traversal support [enabled] Sep 21 07:25:03.635546: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Sep 21 07:25:03.635553: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Sep 21 07:25:03.635559: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Sep 21 07:25:03.635591: | global one-shot timer EVENT_REVIVE_CONNS initialized Sep 21 07:25:03.635594: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Sep 21 07:25:03.635597: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Sep 21 07:25:03.635652: Encryption algorithms: Sep 21 07:25:03.635661: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c Sep 21 07:25:03.635665: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b Sep 21 07:25:03.635669: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a Sep 21 07:25:03.635672: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des Sep 21 07:25:03.635676: CAMELLIA_CTR IKEv1: ESP 
IKEv2: ESP {256,192,*128} Sep 21 07:25:03.635684: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia Sep 21 07:25:03.635688: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c Sep 21 07:25:03.635692: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b Sep 21 07:25:03.635695: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a Sep 21 07:25:03.635699: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr Sep 21 07:25:03.635703: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes Sep 21 07:25:03.635706: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent Sep 21 07:25:03.635710: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish Sep 21 07:25:03.635713: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh Sep 21 07:25:03.635717: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Sep 21 07:25:03.635720: NULL IKEv1: ESP IKEv2: ESP [] Sep 21 07:25:03.635723: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Sep 21 07:25:03.635730: Hash algorithms: Sep 21 07:25:03.635733: MD5 IKEv1: IKE IKEv2: Sep 21 07:25:03.635736: SHA1 IKEv1: IKE IKEv2: FIPS sha Sep 21 07:25:03.635739: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 Sep 21 07:25:03.635742: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 Sep 21 07:25:03.635745: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 Sep 21 07:25:03.635758: PRF algorithms: Sep 21 07:25:03.635760: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 Sep 21 07:25:03.635764: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 Sep 21 07:25:03.635767: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 Sep 21 07:25:03.635770: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 Sep 21 07:25:03.635774: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Sep 21 07:25:03.635777: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Sep 21 07:25:03.635806: Integrity algorithms: Sep 21 07:25:03.635812: HMAC_MD5_96 IKEv1: IKE ESP 
AH IKEv2: IKE ESP AH md5, hmac_md5 Sep 21 07:25:03.635815: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 Sep 21 07:25:03.635819: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Sep 21 07:25:03.635823: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Sep 21 07:25:03.635827: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Sep 21 07:25:03.635830: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Sep 21 07:25:03.635834: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 Sep 21 07:25:03.635837: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Sep 21 07:25:03.635840: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Sep 21 07:25:03.635852: DH algorithms: Sep 21 07:25:03.635855: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 Sep 21 07:25:03.635858: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 Sep 21 07:25:03.635861: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 Sep 21 07:25:03.635866: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 Sep 21 07:25:03.635869: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 Sep 21 07:25:03.635872: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 Sep 21 07:25:03.635875: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 Sep 21 07:25:03.635878: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 Sep 21 07:25:03.635881: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 Sep 21 07:25:03.635884: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 Sep 21 07:25:03.635887: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 Sep 21 07:25:03.635889: testing CAMELLIA_CBC: Sep 21 07:25:03.635892: Camellia: 16 bytes with 128-bit key Sep 21 07:25:03.636016: Camellia: 16 bytes with 128-bit key Sep 21 07:25:03.636046: Camellia: 16 bytes with 256-bit key Sep 21 07:25:03.636074: Camellia: 
16 bytes with 256-bit key Sep 21 07:25:03.636102: testing AES_GCM_16: Sep 21 07:25:03.636105: empty string Sep 21 07:25:03.636130: one block Sep 21 07:25:03.636155: two blocks Sep 21 07:25:03.636181: two blocks with associated data Sep 21 07:25:03.636206: testing AES_CTR: Sep 21 07:25:03.636208: Encrypting 16 octets using AES-CTR with 128-bit key Sep 21 07:25:03.636236: Encrypting 32 octets using AES-CTR with 128-bit key Sep 21 07:25:03.636264: Encrypting 36 octets using AES-CTR with 128-bit key Sep 21 07:25:03.636291: Encrypting 16 octets using AES-CTR with 192-bit key Sep 21 07:25:03.636317: Encrypting 32 octets using AES-CTR with 192-bit key Sep 21 07:25:03.636343: Encrypting 36 octets using AES-CTR with 192-bit key Sep 21 07:25:03.636371: Encrypting 16 octets using AES-CTR with 256-bit key Sep 21 07:25:03.636396: Encrypting 32 octets using AES-CTR with 256-bit key Sep 21 07:25:03.636423: Encrypting 36 octets using AES-CTR with 256-bit key Sep 21 07:25:03.636463: testing AES_CBC: Sep 21 07:25:03.636466: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Sep 21 07:25:03.636493: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Sep 21 07:25:03.636521: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Sep 21 07:25:03.636550: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Sep 21 07:25:03.636585: testing AES_XCBC: Sep 21 07:25:03.636587: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Sep 21 07:25:03.636705: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Sep 21 07:25:03.636844: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Sep 21 07:25:03.636973: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Sep 21 07:25:03.637103: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Sep 21 07:25:03.637229: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Sep 21 07:25:03.637375: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Sep 21 07:25:03.637672: RFC 4434 Test Case 
AES-XCBC-PRF-128 with 20-byte input (key length 16) Sep 21 07:25:03.637804: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Sep 21 07:25:03.637942: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Sep 21 07:25:03.638194: testing HMAC_MD5: Sep 21 07:25:03.638198: RFC 2104: MD5_HMAC test 1 Sep 21 07:25:03.638469: RFC 2104: MD5_HMAC test 2 Sep 21 07:25:03.638629: RFC 2104: MD5_HMAC test 3 Sep 21 07:25:03.638840: 8 CPU cores online Sep 21 07:25:03.638847: starting up 7 crypto helpers Sep 21 07:25:03.638888: started thread for crypto helper 0 Sep 21 07:25:03.638911: started thread for crypto helper 1 Sep 21 07:25:03.638928: started thread for crypto helper 2 Sep 21 07:25:03.638951: started thread for crypto helper 3 Sep 21 07:25:03.638969: started thread for crypto helper 4 Sep 21 07:25:03.638993: started thread for crypto helper 5 Sep 21 07:25:03.639014: started thread for crypto helper 6 Sep 21 07:25:03.639018: | checking IKEv1 state table Sep 21 07:25:03.639025: | MAIN_R0: category: half-open IKE SA flags: 0: Sep 21 07:25:03.639028: | -> MAIN_R1 EVENT_SO_DISCARD Sep 21 07:25:03.639030: | MAIN_I1: category: half-open IKE SA flags: 0: Sep 21 07:25:03.639033: | -> MAIN_I2 EVENT_RETRANSMIT Sep 21 07:25:03.639035: | MAIN_R1: category: open IKE SA flags: 200: Sep 21 07:25:03.639038: | -> MAIN_R2 EVENT_RETRANSMIT Sep 21 07:25:03.639040: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:25:03.639042: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:25:03.639045: | MAIN_I2: category: open IKE SA flags: 0: Sep 21 07:25:03.639047: | -> MAIN_I3 EVENT_RETRANSMIT Sep 21 07:25:03.639049: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:25:03.639051: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:25:03.639054: | MAIN_R2: category: open IKE SA flags: 0: Sep 21 07:25:03.639056: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:25:03.639058: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:25:03.639061: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:25:03.639063: | MAIN_I3: category: open 
IKE SA flags: 0: Sep 21 07:25:03.639065: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:25:03.639067: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:25:03.639070: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:25:03.639072: | MAIN_R3: category: established IKE SA flags: 200: Sep 21 07:25:03.639074: | -> UNDEFINED EVENT_NULL Sep 21 07:25:03.639077: | MAIN_I4: category: established IKE SA flags: 0: Sep 21 07:25:03.639079: | -> UNDEFINED EVENT_NULL Sep 21 07:25:03.639082: | AGGR_R0: category: half-open IKE SA flags: 0: Sep 21 07:25:03.639084: | -> AGGR_R1 EVENT_SO_DISCARD Sep 21 07:25:03.639087: | AGGR_I1: category: half-open IKE SA flags: 0: Sep 21 07:25:03.639089: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:25:03.639091: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:25:03.639093: | AGGR_R1: category: open IKE SA flags: 200: Sep 21 07:25:03.639096: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:25:03.639098: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:25:03.639100: | AGGR_I2: category: established IKE SA flags: 200: Sep 21 07:25:03.639103: | -> UNDEFINED EVENT_NULL Sep 21 07:25:03.639105: | AGGR_R2: category: established IKE SA flags: 0: Sep 21 07:25:03.639107: | -> UNDEFINED EVENT_NULL Sep 21 07:25:03.639110: | QUICK_R0: category: established CHILD SA flags: 0: Sep 21 07:25:03.639112: | -> QUICK_R1 EVENT_RETRANSMIT Sep 21 07:25:03.639115: | QUICK_I1: category: established CHILD SA flags: 0: Sep 21 07:25:03.639117: | -> QUICK_I2 EVENT_SA_REPLACE Sep 21 07:25:03.639119: | QUICK_R1: category: established CHILD SA flags: 0: Sep 21 07:25:03.639122: | -> QUICK_R2 EVENT_SA_REPLACE Sep 21 07:25:03.639125: | QUICK_I2: category: established CHILD SA flags: 200: Sep 21 07:25:03.639127: | -> UNDEFINED EVENT_NULL Sep 21 07:25:03.639129: | QUICK_R2: category: established CHILD SA flags: 0: Sep 21 07:25:03.639132: | -> UNDEFINED EVENT_NULL Sep 21 07:25:03.639134: | INFO: category: informational flags: 0: Sep 21 07:25:03.639136: | -> UNDEFINED EVENT_NULL Sep 21 07:25:03.639139: | INFO_PROTECTED: category: informational 
flags: 0: Sep 21 07:25:03.639141: | -> UNDEFINED EVENT_NULL Sep 21 07:25:03.639144: | XAUTH_R0: category: established IKE SA flags: 0: Sep 21 07:25:03.639146: | -> XAUTH_R1 EVENT_NULL Sep 21 07:25:03.639149: | XAUTH_R1: category: established IKE SA flags: 0: Sep 21 07:25:03.639151: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:25:03.639153: | MODE_CFG_R0: category: informational flags: 0: Sep 21 07:25:03.639156: | -> MODE_CFG_R1 EVENT_SA_REPLACE Sep 21 07:25:03.639158: | MODE_CFG_R1: category: established IKE SA flags: 0: Sep 21 07:25:03.639160: | -> MODE_CFG_R2 EVENT_SA_REPLACE Sep 21 07:25:03.639163: | MODE_CFG_R2: category: established IKE SA flags: 0: Sep 21 07:25:03.639165: | -> UNDEFINED EVENT_NULL Sep 21 07:25:03.639168: | MODE_CFG_I1: category: established IKE SA flags: 0: Sep 21 07:25:03.639172: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:25:03.639175: | XAUTH_I0: category: established IKE SA flags: 0: Sep 21 07:25:03.639177: | -> XAUTH_I1 EVENT_RETRANSMIT Sep 21 07:25:03.639179: | XAUTH_I1: category: established IKE SA flags: 0: Sep 21 07:25:03.639182: | -> MAIN_I4 EVENT_RETRANSMIT Sep 21 07:25:03.639188: | checking IKEv2 state table Sep 21 07:25:03.639194: | PARENT_I0: category: ignore flags: 0: Sep 21 07:25:03.639197: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Sep 21 07:25:03.639200: | PARENT_I1: category: half-open IKE SA flags: 0: Sep 21 07:25:03.639202: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Sep 21 07:25:03.639205: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Sep 21 07:25:03.639208: | PARENT_I2: category: open IKE SA flags: 0: Sep 21 07:25:03.639210: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Sep 21 07:25:03.639213: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Sep 21 07:25:03.639215: | -> PARENT_I2 EVENT_NULL (Initiator: process 
UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Sep 21 07:25:03.639218: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Sep 21 07:25:03.639220: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Sep 21 07:25:03.639223: | PARENT_I3: category: established IKE SA flags: 0: Sep 21 07:25:03.639225: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) Sep 21 07:25:03.639228: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) Sep 21 07:25:03.639230: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Sep 21 07:25:03.639233: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) Sep 21 07:25:03.639235: | PARENT_R0: category: half-open IKE SA flags: 0: Sep 21 07:25:03.639238: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) Sep 21 07:25:03.639240: | PARENT_R1: category: half-open IKE SA flags: 0: Sep 21 07:25:03.639243: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) Sep 21 07:25:03.639245: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Sep 21 07:25:03.639248: | PARENT_R2: category: established IKE SA flags: 0: Sep 21 07:25:03.639251: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Sep 21 07:25:03.639253: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) Sep 21 07:25:03.639256: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Sep 21 07:25:03.639258: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) Sep 21 07:25:03.639261: | V2_CREATE_I0: category: established IKE SA flags: 0: Sep 21 07:25:03.639263: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Sep 21 07:25:03.639266: | V2_CREATE_I: category: established IKE SA flags: 0: Sep 21 07:25:03.639269: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Sep 21 07:25:03.639271: | V2_REKEY_IKE_I0: category: established IKE SA 
flags: 0: Sep 21 07:25:03.639274: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Sep 21 07:25:03.639277: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Sep 21 07:25:03.639279: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Sep 21 07:25:03.639282: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Sep 21 07:25:03.639284: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Sep 21 07:25:03.639287: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Sep 21 07:25:03.639290: | V2_CREATE_R: category: established IKE SA flags: 0: Sep 21 07:25:03.639292: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Sep 21 07:25:03.639297: | V2_REKEY_IKE_R: category: established IKE SA flags: 0: Sep 21 07:25:03.639300: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Sep 21 07:25:03.639302: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Sep 21 07:25:03.639305: | V2_IPSEC_I: category: established CHILD SA flags: 0: Sep 21 07:25:03.639308: | V2_IPSEC_R: category: established CHILD SA flags: 0: Sep 21 07:25:03.639311: | IKESA_DEL: category: established IKE SA flags: 0: Sep 21 07:25:03.639313: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Sep 21 07:25:03.639316: | CHILDSA_DEL: category: informational flags: 0: Sep 21 07:25:03.639413: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ Sep 21 07:25:03.640317: | Hard-wiring algorithms Sep 21 07:25:03.640327: | adding AES_CCM_16 to kernel algorithm db Sep 21 07:25:03.640332: | adding AES_CCM_12 to kernel algorithm db Sep 21 07:25:03.640335: | adding AES_CCM_8 to kernel algorithm db Sep 21 07:25:03.640337: | adding 3DES_CBC to kernel algorithm db Sep 21 07:25:03.640339: | adding CAMELLIA_CBC to kernel algorithm db Sep 21 07:25:03.640342: | adding AES_GCM_16 to kernel algorithm db Sep 21 
07:25:03.640344: | adding AES_GCM_12 to kernel algorithm db Sep 21 07:25:03.640346: | adding AES_GCM_8 to kernel algorithm db Sep 21 07:25:03.640348: | adding AES_CTR to kernel algorithm db Sep 21 07:25:03.640351: | adding AES_CBC to kernel algorithm db Sep 21 07:25:03.640353: | adding SERPENT_CBC to kernel algorithm db Sep 21 07:25:03.640355: | adding TWOFISH_CBC to kernel algorithm db Sep 21 07:25:03.640358: | adding NULL_AUTH_AES_GMAC to kernel algorithm db Sep 21 07:25:03.640360: | adding NULL to kernel algorithm db Sep 21 07:25:03.640363: | adding CHACHA20_POLY1305 to kernel algorithm db Sep 21 07:25:03.640366: | adding HMAC_MD5_96 to kernel algorithm db Sep 21 07:25:03.640368: | adding HMAC_SHA1_96 to kernel algorithm db Sep 21 07:25:03.640370: | adding HMAC_SHA2_512_256 to kernel algorithm db Sep 21 07:25:03.640373: | adding HMAC_SHA2_384_192 to kernel algorithm db Sep 21 07:25:03.640375: | adding HMAC_SHA2_256_128 to kernel algorithm db Sep 21 07:25:03.640378: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Sep 21 07:25:03.640380: | adding AES_XCBC_96 to kernel algorithm db Sep 21 07:25:03.640382: | adding AES_CMAC_96 to kernel algorithm db Sep 21 07:25:03.640384: | adding NONE to kernel algorithm db Sep 21 07:25:03.640406: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Sep 21 07:25:03.640413: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Sep 21 07:25:03.640415: | setup kernel fd callback Sep 21 07:25:03.640418: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55d43f5a1890 Sep 21 07:25:03.640422: | libevent_malloc: new ptr-libevent@0x55d43f5a8960 size 128 Sep 21 07:25:03.640425: | libevent_malloc: new ptr-libevent@0x55d43f5a17f0 size 16 Sep 21 07:25:03.640432: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55d43f59bd40 Sep 21 07:25:03.640435: | libevent_malloc: new ptr-libevent@0x55d43f5a89f0 size 128 Sep 21 07:25:03.640437: | libevent_malloc: new ptr-libevent@0x55d43f5a17d0 size 16 Sep 21 
07:25:03.640678: | global one-shot timer EVENT_CHECK_CRLS initialized Sep 21 07:25:03.640687: selinux support is enabled. Sep 21 07:25:03.640764: systemd watchdog not enabled - not sending watchdog keepalives Sep 21 07:25:03.640942: | unbound context created - setting debug level to 5 Sep 21 07:25:03.640973: | /etc/hosts lookups activated Sep 21 07:25:03.640988: | /etc/resolv.conf usage activated Sep 21 07:25:03.641053: | outgoing-port-avoid set 0-65535 Sep 21 07:25:03.641084: | outgoing-port-permit set 32768-60999 Sep 21 07:25:03.641087: | Loading dnssec root key from:/var/lib/unbound/root.key Sep 21 07:25:03.641090: | No additional dnssec trust anchors defined via dnssec-trusted= option Sep 21 07:25:03.641093: | Setting up events, loop start Sep 21 07:25:03.641096: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55d43f59bb00 Sep 21 07:25:03.641102: | libevent_malloc: new ptr-libevent@0x55d43f5b2f70 size 128 Sep 21 07:25:03.641106: | libevent_malloc: new ptr-libevent@0x55d43f5b3000 size 16 Sep 21 07:25:03.641111: | libevent_realloc: new ptr-libevent@0x55d43f5b3020 size 256 Sep 21 07:25:03.641114: | libevent_malloc: new ptr-libevent@0x55d43f5b3130 size 8 Sep 21 07:25:03.641117: | libevent_realloc: new ptr-libevent@0x55d43f5a7c60 size 144 Sep 21 07:25:03.641120: | libevent_malloc: new ptr-libevent@0x55d43f5b3150 size 152 Sep 21 07:25:03.641123: | libevent_malloc: new ptr-libevent@0x55d43f5b31f0 size 16 Sep 21 07:25:03.641127: | signal event handler PLUTO_SIGCHLD installed Sep 21 07:25:03.641129: | libevent_malloc: new ptr-libevent@0x55d43f5b3210 size 8 Sep 21 07:25:03.641132: | libevent_malloc: new ptr-libevent@0x55d43f5b3230 size 152 Sep 21 07:25:03.641135: | signal event handler PLUTO_SIGTERM installed Sep 21 07:25:03.641137: | libevent_malloc: new ptr-libevent@0x55d43f5b32d0 size 8 Sep 21 07:25:03.641140: | libevent_malloc: new ptr-libevent@0x55d43f5b32f0 size 152 Sep 21 07:25:03.641143: | signal event handler PLUTO_SIGHUP installed Sep 21 07:25:03.641145: | 
libevent_malloc: new ptr-libevent@0x55d43f5b3390 size 8 Sep 21 07:25:03.641148: | libevent_realloc: release ptr-libevent@0x55d43f5a7c60 Sep 21 07:25:03.641150: | libevent_realloc: new ptr-libevent@0x55d43f5b33b0 size 256 Sep 21 07:25:03.641153: | libevent_malloc: new ptr-libevent@0x55d43f5a7c60 size 152 Sep 21 07:25:03.641155: | signal event handler PLUTO_SIGSYS installed Sep 21 07:25:03.641540: | starting up helper thread 2 Sep 21 07:25:03.641551: | created addconn helper (pid:18821) using fork+execve Sep 21 07:25:03.641585: | forked child 18821 Sep 21 07:25:03.641602: | starting up helper thread 1 Sep 21 07:25:03.641615: | status value returned by setting the priority of this thread (crypto helper 1) 22 Sep 21 07:25:03.641632: | crypto helper 1 waiting (nothing to do) Sep 21 07:25:03.641585: | status value returned by setting the priority of this thread (crypto helper 2) 22 Sep 21 07:25:03.641643: | crypto helper 2 waiting (nothing to do) Sep 21 07:25:03.641648: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:03.641663: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:25:03.641669: listening for IKE messages Sep 21 07:25:03.641707: | Inspecting interface lo Sep 21 07:25:03.641713: | found lo with address 127.0.0.1 Sep 21 07:25:03.641715: | Inspecting interface eth0 Sep 21 07:25:03.641719: | found eth0 with address 192.0.2.254 Sep 21 07:25:03.641723: | Inspecting interface eth0 Sep 21 07:25:03.641727: | found eth0 with address 192.0.22.254 Sep 21 07:25:03.641730: | Inspecting interface eth1 Sep 21 07:25:03.641733: | found eth1 with address 192.1.2.23 Sep 21 07:25:03.641779: Kernel supports NIC esp-hw-offload Sep 21 07:25:03.641797: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Sep 21 07:25:03.641821: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:25:03.641826: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style 
NAT-T family IPv4 Sep 21 07:25:03.641830: adding interface eth1/eth1 192.1.2.23:4500 Sep 21 07:25:03.641853: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.22.254:500 Sep 21 07:25:03.641873: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:25:03.641876: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:25:03.641880: adding interface eth0/eth0 192.0.22.254:4500 Sep 21 07:25:03.641902: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Sep 21 07:25:03.641921: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:25:03.641924: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:25:03.641928: adding interface eth0/eth0 192.0.2.254:4500 Sep 21 07:25:03.641951: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Sep 21 07:25:03.641970: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:25:03.641977: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:25:03.641980: adding interface lo/lo 127.0.0.1:4500 Sep 21 07:25:03.642058: | no interfaces to sort Sep 21 07:25:03.642062: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Sep 21 07:25:03.642073: | add_fd_read_event_handler: new ethX-pe@0x55d43f5b3870 Sep 21 07:25:03.642076: | libevent_malloc: new ptr-libevent@0x55d43f5b38b0 size 128 Sep 21 07:25:03.642079: | libevent_malloc: new ptr-libevent@0x55d43f5b3940 size 16 Sep 21 07:25:03.642088: | setup callback for interface lo 127.0.0.1:4500 fd 24 Sep 21 07:25:03.642091: | add_fd_read_event_handler: new ethX-pe@0x55d43f5b3960 Sep 21 07:25:03.642094: | libevent_malloc: new ptr-libevent@0x55d43f5b39a0 size 128 Sep 21 07:25:03.642096: | libevent_malloc: new ptr-libevent@0x55d43f5b3a30 size 16 Sep 21 07:25:03.642101: | setup callback for interface lo 127.0.0.1:500 fd 23 Sep 21 07:25:03.642103: | add_fd_read_event_handler: new ethX-pe@0x55d43f5b3a50 Sep 21 07:25:03.642106: | libevent_malloc: new ptr-libevent@0x55d43f5b3a90 size 128 Sep 21 07:25:03.642108: | libevent_malloc: new ptr-libevent@0x55d43f5b3b20 size 16 Sep 21 07:25:03.642113: | setup callback for interface eth0 192.0.2.254:4500 fd 22 Sep 21 07:25:03.642115: | add_fd_read_event_handler: new ethX-pe@0x55d43f5b3b40 Sep 21 07:25:03.642118: | libevent_malloc: new ptr-libevent@0x55d43f5b3b80 size 128 Sep 21 07:25:03.642120: | libevent_malloc: new ptr-libevent@0x55d43f5b3c10 size 16 Sep 21 07:25:03.642125: | setup callback for interface eth0 192.0.2.254:500 fd 21 Sep 21 07:25:03.642127: | add_fd_read_event_handler: new ethX-pe@0x55d43f5b3c30 Sep 21 07:25:03.642130: | libevent_malloc: new ptr-libevent@0x55d43f5b3c70 size 128 Sep 21 07:25:03.642132: | libevent_malloc: new ptr-libevent@0x55d43f5b3d00 size 16 Sep 21 07:25:03.642137: | setup callback for interface eth0 192.0.22.254:4500 fd 20 Sep 21 07:25:03.642139: | add_fd_read_event_handler: new ethX-pe@0x55d43f5b3d20 Sep 21 07:25:03.642142: | libevent_malloc: new ptr-libevent@0x55d43f5b3d60 size 128 Sep 21 07:25:03.642144: | libevent_malloc: new ptr-libevent@0x55d43f5b3df0 size 16 Sep 21 07:25:03.642149: | setup callback for interface eth0 192.0.22.254:500 fd 19 Sep 21 
07:25:03.642151: | add_fd_read_event_handler: new ethX-pe@0x55d43f5b3e10 Sep 21 07:25:03.642154: | libevent_malloc: new ptr-libevent@0x55d43f5b4480 size 128 Sep 21 07:25:03.642157: | libevent_malloc: new ptr-libevent@0x55d43f5b3e50 size 16 Sep 21 07:25:03.642161: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Sep 21 07:25:03.642164: | add_fd_read_event_handler: new ethX-pe@0x55d43f5b3e70 Sep 21 07:25:03.642167: | libevent_malloc: new ptr-libevent@0x55d43f5b4510 size 128 Sep 21 07:25:03.642169: | libevent_malloc: new ptr-libevent@0x55d43f5b3eb0 size 16 Sep 21 07:25:03.642174: | setup callback for interface eth1 192.1.2.23:500 fd 17 Sep 21 07:25:03.642178: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:25:03.642181: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:25:03.642199: loading secrets from "/etc/ipsec.secrets" Sep 21 07:25:03.642215: | saving Modulus Sep 21 07:25:03.642222: | saving PublicExponent Sep 21 07:25:03.642225: | ignoring PrivateExponent Sep 21 07:25:03.642228: | ignoring Prime1 Sep 21 07:25:03.642231: | ignoring Prime2 Sep 21 07:25:03.642235: | ignoring Exponent1 Sep 21 07:25:03.642238: | ignoring Exponent2 Sep 21 07:25:03.642240: | ignoring Coefficient Sep 21 07:25:03.642243: | ignoring CKAIDNSS Sep 21 07:25:03.642376: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Sep 21 07:25:03.642382: | computed rsa CKAID 8a 82 25 f1 Sep 21 07:25:03.642385: loaded private key for keyid: PKK_RSA:AQO9bJbr3 Sep 21 07:25:03.642391: | certs and keys locked by 'process_secret' Sep 21 07:25:03.642394: | certs and keys unlocked by 'process_secret' Sep 21 07:25:03.642399: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:25:03.642406: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:03.642416: | spent 0.7 milliseconds in whack Sep 21 07:25:03.641569: | starting up helper thread 0 Sep 21 07:25:03.642430: | status value returned by setting the priority of this thread 
(crypto helper 0) 22 Sep 21 07:25:03.642433: | crypto helper 0 waiting (nothing to do) Sep 21 07:25:03.665800: | starting up helper thread 6 Sep 21 07:25:03.665818: | status value returned by setting the priority of this thread (crypto helper 6) 22 Sep 21 07:25:03.665821: | crypto helper 6 waiting (nothing to do) Sep 21 07:25:03.665832: | starting up helper thread 5 Sep 21 07:25:03.665837: | status value returned by setting the priority of this thread (crypto helper 5) 22 Sep 21 07:25:03.665840: | crypto helper 5 waiting (nothing to do) Sep 21 07:25:03.672807: | starting up helper thread 3 Sep 21 07:25:03.672829: | status value returned by setting the priority of this thread (crypto helper 3) 22 Sep 21 07:25:03.672832: | crypto helper 3 waiting (nothing to do) Sep 21 07:25:03.672843: | starting up helper thread 4 Sep 21 07:25:03.672849: | status value returned by setting the priority of this thread (crypto helper 4) 22 Sep 21 07:25:03.672851: | crypto helper 4 waiting (nothing to do) Sep 21 07:25:03.732805: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:03.732836: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:25:03.732841: listening for IKE messages Sep 21 07:25:03.732879: | Inspecting interface lo Sep 21 07:25:03.732885: | found lo with address 127.0.0.1 Sep 21 07:25:03.732888: | Inspecting interface eth0 Sep 21 07:25:03.732892: | found eth0 with address 192.0.2.254 Sep 21 07:25:03.732894: | Inspecting interface eth0 Sep 21 07:25:03.732898: | found eth0 with address 192.0.22.254 Sep 21 07:25:03.732900: | Inspecting interface eth1 Sep 21 07:25:03.732904: | found eth1 with address 192.1.2.23 Sep 21 07:25:03.732986: | no interfaces to sort Sep 21 07:25:03.732995: | libevent_free: release ptr-libevent@0x55d43f5b38b0 Sep 21 07:25:03.732998: | free_event_entry: release EVENT_NULL-pe@0x55d43f5b3870 Sep 21 07:25:03.733001: | add_fd_read_event_handler: new 
ethX-pe@0x55d43f5b3870 Sep 21 07:25:03.733004: | libevent_malloc: new ptr-libevent@0x55d43f5b38b0 size 128 Sep 21 07:25:03.733011: | setup callback for interface lo 127.0.0.1:4500 fd 24 Sep 21 07:25:03.733015: | libevent_free: release ptr-libevent@0x55d43f5b39a0 Sep 21 07:25:03.733018: | free_event_entry: release EVENT_NULL-pe@0x55d43f5b3960 Sep 21 07:25:03.733020: | add_fd_read_event_handler: new ethX-pe@0x55d43f5b3960 Sep 21 07:25:03.733023: | libevent_malloc: new ptr-libevent@0x55d43f5b39a0 size 128 Sep 21 07:25:03.733028: | setup callback for interface lo 127.0.0.1:500 fd 23 Sep 21 07:25:03.733032: | libevent_free: release ptr-libevent@0x55d43f5b3a90 Sep 21 07:25:03.733034: | free_event_entry: release EVENT_NULL-pe@0x55d43f5b3a50 Sep 21 07:25:03.733037: | add_fd_read_event_handler: new ethX-pe@0x55d43f5b3a50 Sep 21 07:25:03.733039: | libevent_malloc: new ptr-libevent@0x55d43f5b3a90 size 128 Sep 21 07:25:03.733044: | setup callback for interface eth0 192.0.2.254:4500 fd 22 Sep 21 07:25:03.733048: | libevent_free: release ptr-libevent@0x55d43f5b3b80 Sep 21 07:25:03.733051: | free_event_entry: release EVENT_NULL-pe@0x55d43f5b3b40 Sep 21 07:25:03.733053: | add_fd_read_event_handler: new ethX-pe@0x55d43f5b3b40 Sep 21 07:25:03.733056: | libevent_malloc: new ptr-libevent@0x55d43f5b3b80 size 128 Sep 21 07:25:03.733061: | setup callback for interface eth0 192.0.2.254:500 fd 21 Sep 21 07:25:03.733064: | libevent_free: release ptr-libevent@0x55d43f5b3c70 Sep 21 07:25:03.733067: | free_event_entry: release EVENT_NULL-pe@0x55d43f5b3c30 Sep 21 07:25:03.733069: | add_fd_read_event_handler: new ethX-pe@0x55d43f5b3c30 Sep 21 07:25:03.733072: | libevent_malloc: new ptr-libevent@0x55d43f5b3c70 size 128 Sep 21 07:25:03.733077: | setup callback for interface eth0 192.0.22.254:4500 fd 20 Sep 21 07:25:03.733081: | libevent_free: release ptr-libevent@0x55d43f5b3d60 Sep 21 07:25:03.733089: | free_event_entry: release EVENT_NULL-pe@0x55d43f5b3d20 Sep 21 07:25:03.733092: | 
add_fd_read_event_handler: new ethX-pe@0x55d43f5b3d20 Sep 21 07:25:03.733094: | libevent_malloc: new ptr-libevent@0x55d43f5b3d60 size 128 Sep 21 07:25:03.733100: | setup callback for interface eth0 192.0.22.254:500 fd 19 Sep 21 07:25:03.733103: | libevent_free: release ptr-libevent@0x55d43f5b4480 Sep 21 07:25:03.733106: | free_event_entry: release EVENT_NULL-pe@0x55d43f5b3e10 Sep 21 07:25:03.733108: | add_fd_read_event_handler: new ethX-pe@0x55d43f5b3e10 Sep 21 07:25:03.733111: | libevent_malloc: new ptr-libevent@0x55d43f5b4480 size 128 Sep 21 07:25:03.733115: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Sep 21 07:25:03.733119: | libevent_free: release ptr-libevent@0x55d43f5b4510 Sep 21 07:25:03.733121: | free_event_entry: release EVENT_NULL-pe@0x55d43f5b3e70 Sep 21 07:25:03.733124: | add_fd_read_event_handler: new ethX-pe@0x55d43f5b3e70 Sep 21 07:25:03.733126: | libevent_malloc: new ptr-libevent@0x55d43f5b4510 size 128 Sep 21 07:25:03.733131: | setup callback for interface eth1 192.1.2.23:500 fd 17 Sep 21 07:25:03.733134: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:25:03.733136: forgetting secrets Sep 21 07:25:03.733144: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:25:03.733161: loading secrets from "/etc/ipsec.secrets" Sep 21 07:25:03.733176: | saving Modulus Sep 21 07:25:03.733179: | saving PublicExponent Sep 21 07:25:03.733182: | ignoring PrivateExponent Sep 21 07:25:03.733185: | ignoring Prime1 Sep 21 07:25:03.733188: | ignoring Prime2 Sep 21 07:25:03.733191: | ignoring Exponent1 Sep 21 07:25:03.733194: | ignoring Exponent2 Sep 21 07:25:03.733197: | ignoring Coefficient Sep 21 07:25:03.733200: | ignoring CKAIDNSS Sep 21 07:25:03.733222: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Sep 21 07:25:03.733224: | computed rsa CKAID 8a 82 25 f1 Sep 21 07:25:03.733228: loaded private key for keyid: PKK_RSA:AQO9bJbr3 Sep 21 07:25:03.733232: | certs and keys locked by 'process_secret' Sep 21 
07:25:03.733235: | certs and keys unlocked by 'process_secret' Sep 21 07:25:03.733239: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:25:03.733246: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:03.733252: | spent 0.459 milliseconds in whack Sep 21 07:25:03.738416: | processing signal PLUTO_SIGCHLD Sep 21 07:25:03.738437: | waitpid returned pid 18821 (exited with status 0) Sep 21 07:25:03.738442: | reaped addconn helper child (status 0) Sep 21 07:25:03.738447: | waitpid returned ECHILD (no child processes left) Sep 21 07:25:03.738453: | spent 0.0199 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:25:03.884014: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:03.884044: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:25:03.884048: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:25:03.884051: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:25:03.884054: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:25:03.884058: | FOR_EACH_CONNECTION_... 
in conn_by_name Sep 21 07:25:03.884067: | Added new connection northnet-eastnets/0x1 with policy ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:25:03.884070: | No AUTH policy was set - defaulting to RSASIG Sep 21 07:25:03.884148: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Sep 21 07:25:03.884152: | from whack: got --esp= Sep 21 07:25:03.884209: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 Sep 21 07:25:03.885058: | setting ID to ID_DER_ASN1_DN: 'E=user-north@testing.libreswan.org,CN=north.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' Sep 21 07:25:03.885075: | loading left certificate 'north' pubkey Sep 21 07:25:03.885177: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55d43f5b6900 Sep 21 07:25:03.885182: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55d43f5b6420 Sep 21 07:25:03.885186: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55d43f5b6330 Sep 21 07:25:03.885322: | unreference key: 0x55d43f5b5fb0 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org cnt 1-- Sep 21 07:25:03.885432: | warning: no secret key loaded for left certificate with nickname north: NSS: cert private key not found Sep 21 07:25:03.885445: | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org is 0 Sep 21 07:25:03.885772: | setting ID to ID_DER_ASN1_DN: 
'E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' Sep 21 07:25:03.885778: | loading right certificate 'east' pubkey Sep 21 07:25:03.885866: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55d43f5b6780 Sep 21 07:25:03.885874: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55d43f5b6420 Sep 21 07:25:03.885877: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55d43f5b6330 Sep 21 07:25:03.885880: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55d43f5b74a0 Sep 21 07:25:03.885883: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55d43f5b6a20 Sep 21 07:25:03.886100: | unreference key: 0x55d43f5ba430 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- Sep 21 07:25:03.886273: | certs and keys locked by 'lsw_add_rsa_secret' Sep 21 07:25:03.886277: | certs and keys unlocked by 'lsw_add_rsa_secret' Sep 21 07:25:03.886289: | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org is 0 Sep 21 07:25:03.886301: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@(nil): none Sep 21 07:25:03.886304: | new hp@0x55d43f5ba7d0 Sep 21 07:25:03.886308: added connection description "northnet-eastnets/0x1" Sep 21 07:25:03.886320: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:25:03.886345: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org]---192.1.2.254...192.1.3.33<192.1.3.33>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org]===192.0.3.0/24 Sep 21 07:25:03.886354: | 
close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:03.886361: | spent 2.35 milliseconds in whack Sep 21 07:25:03.886607: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:03.886624: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:25:03.886627: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:25:03.886630: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:25:03.886633: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:25:03.886637: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:25:03.886643: | Added new connection northnet-eastnets/0x2 with policy ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:25:03.886647: | No AUTH policy was set - defaulting to RSASIG Sep 21 07:25:03.886724: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Sep 21 07:25:03.886732: | from whack: got --esp= Sep 21 07:25:03.886795: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 Sep 21 07:25:03.886897: | setting ID to ID_DER_ASN1_DN: 'E=user-north@testing.libreswan.org,CN=north.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' Sep 21 07:25:03.886903: | loading left certificate 'north' pubkey Sep 21 07:25:03.886961: | unreference key: 0x55d43f5ba370 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org cnt 1-- Sep 21 07:25:03.886973: | 
get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55d43f5bf140 Sep 21 07:25:03.886976: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55d43f5bf000 Sep 21 07:25:03.886979: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55d43f5b6780 Sep 21 07:25:03.887027: | unreference key: 0x55d43f5b64b0 @north.testing.libreswan.org cnt 1-- Sep 21 07:25:03.887075: | unreference key: 0x55d43f5b9f10 user-north@testing.libreswan.org cnt 1-- Sep 21 07:25:03.887130: | unreference key: 0x55d43f5bf2f0 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org cnt 1-- Sep 21 07:25:03.887240: | warning: no secret key loaded for left certificate with nickname north: NSS: cert private key not found Sep 21 07:25:03.887253: | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org is 0 Sep 21 07:25:03.887332: | setting ID to ID_DER_ASN1_DN: 'E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' Sep 21 07:25:03.887337: | loading right certificate 'east' pubkey Sep 21 07:25:03.887392: | unreference key: 0x55d43f5c03b0 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- Sep 21 07:25:03.887405: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55d43f5bf140 Sep 21 07:25:03.887408: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55d43f5bf000 Sep 21 07:25:03.887411: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55d43f5b6780 Sep 21 07:25:03.887414: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55d43f5b6420 Sep 21 07:25:03.887417: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55d43f5b6330 Sep 21 07:25:03.887469: | unreference key: 0x55d43f5bf490 192.1.2.23 cnt 1-- Sep 21 07:25:03.887517: | unreference key: 0x55d43f5bf8b0 east@testing.libreswan.org cnt 1-- Sep 21 
07:25:03.887565: | unreference key: 0x55d43f5bfc90 @east.testing.libreswan.org cnt 1-- Sep 21 07:25:03.887612: | unreference key: 0x55d43f5bffa0 user-east@testing.libreswan.org cnt 1-- Sep 21 07:25:03.887667: | unreference key: 0x55d43f5c1370 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- Sep 21 07:25:03.887714: | secrets entry for east already exists Sep 21 07:25:03.887727: | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org is 0 Sep 21 07:25:03.887735: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:25:03.887741: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@0x55d43f5ba7d0: northnet-eastnets/0x1 Sep 21 07:25:03.887744: added connection description "northnet-eastnets/0x2" Sep 21 07:25:03.887754: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:25:03.887780: | 192.0.22.0/24===192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org]---192.1.2.254...192.1.3.33<192.1.3.33>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org]===192.0.3.0/24 Sep 21 07:25:03.887792: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:03.887800: | spent 1.18 milliseconds in whack Sep 21 07:25:04.047108: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:04.047313: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:25:04.047319: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:25:04.047490: | FOR_EACH_STATE_... 
in show_states_status (sort_states) Sep 21 07:25:04.047501: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:04.047508: | spent 0.408 milliseconds in whack Sep 21 07:25:04.136600: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:04.136624: | old debugging base+cpu-usage + none Sep 21 07:25:04.136628: | base debugging = base+cpu-usage Sep 21 07:25:04.136632: | old impairing none + suppress-retransmits Sep 21 07:25:04.136634: | base impairing = suppress-retransmits Sep 21 07:25:04.136641: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:04.136648: | spent 0.0574 milliseconds in whack Sep 21 07:25:07.102774: | spent 0.00301 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:25:07.102806: | *received 828 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Sep 21 07:25:07.102925: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:25:07.102928: | **parse ISAKMP Message: Sep 21 07:25:07.102931: | initiator cookie: Sep 21 07:25:07.102933: | 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:07.102935: | responder cookie: Sep 21 07:25:07.102937: | 00 00 00 00 00 00 00 00 Sep 21 07:25:07.102940: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:25:07.102942: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:07.102944: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:25:07.102947: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:25:07.102949: | Message ID: 0 (0x0) Sep 21 07:25:07.102951: | length: 828 (0x33c) Sep 21 07:25:07.102954: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Sep 21 07:25:07.102961: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Sep 21 07:25:07.102965: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Sep 21 07:25:07.102968: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:25:07.102971: | ***parse IKEv2 Security Association Payload: Sep 21 07:25:07.102973: | next payload type: ISAKMP_NEXT_v2KE (0x22) Sep 21
07:25:07.102974: | flags: none (0x0) Sep 21 07:25:07.102976: | length: 436 (0x1b4) Sep 21 07:25:07.102978: | processing payload: ISAKMP_NEXT_v2SA (len=432) Sep 21 07:25:07.102980: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:25:07.102982: | ***parse IKEv2 Key Exchange Payload: Sep 21 07:25:07.102985: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:25:07.102987: | flags: none (0x0) Sep 21 07:25:07.102989: | length: 264 (0x108) Sep 21 07:25:07.102991: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:07.102993: | processing payload: ISAKMP_NEXT_v2KE (len=256) Sep 21 07:25:07.102995: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 21 07:25:07.102997: | ***parse IKEv2 Nonce Payload: Sep 21 07:25:07.102999: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:25:07.103001: | flags: none (0x0) Sep 21 07:25:07.103003: | length: 36 (0x24) Sep 21 07:25:07.103005: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:25:07.103007: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:25:07.103012: | ***parse IKEv2 Notify Payload: Sep 21 07:25:07.103014: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:25:07.103016: | flags: none (0x0) Sep 21 07:25:07.103018: | length: 8 (0x8) Sep 21 07:25:07.103021: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:07.103023: | SPI size: 0 (0x0) Sep 21 07:25:07.103025: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:25:07.103027: | processing payload: ISAKMP_NEXT_v2N (len=0) Sep 21 07:25:07.103029: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:25:07.103031: | ***parse IKEv2 Notify Payload: Sep 21 07:25:07.103033: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:25:07.103035: | flags: none (0x0) Sep 21 07:25:07.103037: | length: 28 (0x1c) Sep 21 07:25:07.103039: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:07.103041: | SPI size: 0 (0x0) Sep 21 07:25:07.103043: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 
07:25:07.103045: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:25:07.103047: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:25:07.103049: | ***parse IKEv2 Notify Payload: Sep 21 07:25:07.103051: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.103053: | flags: none (0x0) Sep 21 07:25:07.103055: | length: 28 (0x1c) Sep 21 07:25:07.103058: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:07.103060: | SPI size: 0 (0x0) Sep 21 07:25:07.103062: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:25:07.103064: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:25:07.103067: | DDOS disabled and no cookie sent, continuing Sep 21 07:25:07.103072: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:25:07.103077: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:25:07.103080: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:25:07.103083: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (northnet-eastnets/0x2) Sep 21 07:25:07.103086: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (northnet-eastnets/0x1) Sep 21 07:25:07.103089: | find_next_host_connection returns empty Sep 21 07:25:07.103093: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:25:07.103095: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:25:07.103097: | find_next_host_connection returns empty Sep 21 07:25:07.103100: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Sep 21 07:25:07.103104: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:25:07.103108: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 
21 07:25:07.103110: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:25:07.103113: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (northnet-eastnets/0x2) Sep 21 07:25:07.103115: | find_next_host_connection returns northnet-eastnets/0x2 Sep 21 07:25:07.103117: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:25:07.103120: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (northnet-eastnets/0x1) Sep 21 07:25:07.103122: | find_next_host_connection returns northnet-eastnets/0x1 Sep 21 07:25:07.103124: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:25:07.103126: | find_next_host_connection returns empty Sep 21 07:25:07.103128: | found connection: northnet-eastnets/0x2 with policy RSASIG+IKEV2_ALLOW Sep 21 07:25:07.103155: | creating state object #1 at 0x55d43f5c1780 Sep 21 07:25:07.103158: | State DB: adding IKEv2 state #1 in UNDEFINED Sep 21 07:25:07.103166: | pstats #1 ikev2.ike started Sep 21 07:25:07.103173: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Sep 21 07:25:07.103177: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Sep 21 07:25:07.103181: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:25:07.103191: | start processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:25:07.103194: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:25:07.103198: | [RE]START processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:25:07.103201: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Sep 21 07:25:07.103205: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 
responder.sent=-1 responder.recv=-1 Sep 21 07:25:07.103208: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Sep 21 07:25:07.103211: | #1 in state PARENT_R0: processing SA_INIT request Sep 21 07:25:07.103213: | selected state microcode Respond to IKE_SA_INIT Sep 21 07:25:07.103216: | Now let's proceed with state specific processing Sep 21 07:25:07.103218: | calling processor Respond to IKE_SA_INIT Sep 21 07:25:07.103224: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:25:07.103227: | constructing local IKE proposals for northnet-eastnets/0x2 (IKE SA responder matching remote proposals) Sep 21 07:25:07.103236: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:25:07.103244: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:25:07.103247: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:25:07.103252: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:25:07.103256: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:25:07.103261: | ... 
ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:25:07.103264: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:25:07.103269: | ... ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:25:07.103279: "northnet-eastnets/0x2": constructed local IKE proposals for northnet-eastnets/0x2 (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:25:07.103283: | Comparing remote proposals against IKE responder 4 local proposals Sep 21 07:25:07.103287: | local proposal 1 type ENCR has 1 transforms Sep 21 07:25:07.103293: | local proposal 1 type PRF has 2 transforms Sep 21 07:25:07.103296: | local proposal 1 type INTEG has 1 transforms Sep 21 07:25:07.103299: | local proposal 1 type DH has 8 transforms Sep 21 07:25:07.103301: | local proposal 1 type ESN has 0 transforms Sep 21 07:25:07.103304: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Sep 21 07:25:07.103307: | local proposal 2 type ENCR has 1 transforms Sep 21 07:25:07.103309: | local proposal 2 type PRF has 2 
transforms Sep 21 07:25:07.103311: | local proposal 2 type INTEG has 1 transforms Sep 21 07:25:07.103313: | local proposal 2 type DH has 8 transforms Sep 21 07:25:07.103315: | local proposal 2 type ESN has 0 transforms Sep 21 07:25:07.103318: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Sep 21 07:25:07.103320: | local proposal 3 type ENCR has 1 transforms Sep 21 07:25:07.103322: | local proposal 3 type PRF has 2 transforms Sep 21 07:25:07.103324: | local proposal 3 type INTEG has 2 transforms Sep 21 07:25:07.103326: | local proposal 3 type DH has 8 transforms Sep 21 07:25:07.103328: | local proposal 3 type ESN has 0 transforms Sep 21 07:25:07.103331: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:25:07.103333: | local proposal 4 type ENCR has 1 transforms Sep 21 07:25:07.103335: | local proposal 4 type PRF has 2 transforms Sep 21 07:25:07.103338: | local proposal 4 type INTEG has 2 transforms Sep 21 07:25:07.103340: | local proposal 4 type DH has 8 transforms Sep 21 07:25:07.103342: | local proposal 4 type ESN has 0 transforms Sep 21 07:25:07.103344: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:25:07.103347: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:07.103349: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:07.103352: | length: 100 (0x64) Sep 21 07:25:07.103354: | prop #: 1 (0x1) Sep 21 07:25:07.103356: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:25:07.103358: | spi size: 0 (0x0) Sep 21 07:25:07.103360: | # transforms: 11 (0xb) Sep 21 07:25:07.103363: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Sep 21 07:25:07.103366: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103368: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103370: | length: 12 (0xc) Sep 21 07:25:07.103373: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:07.103375: 
| IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:07.103377: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:07.103380: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:07.103382: | length/value: 256 (0x100) Sep 21 07:25:07.103386: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:25:07.103388: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103390: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103392: | length: 8 (0x8) Sep 21 07:25:07.103394: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:07.103396: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:25:07.103398: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Sep 21 07:25:07.103401: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Sep 21 07:25:07.103403: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Sep 21 07:25:07.103405: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Sep 21 07:25:07.103407: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103409: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103411: | length: 8 (0x8) Sep 21 07:25:07.103413: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:07.103415: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:25:07.103419: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103421: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103422: | length: 8 (0x8) Sep 21 07:25:07.103424: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103426: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:07.103429: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Sep 21 07:25:07.103432: | remote 
proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Sep 21 07:25:07.103435: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Sep 21 07:25:07.103438: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Sep 21 07:25:07.103440: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103442: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103444: | length: 8 (0x8) Sep 21 07:25:07.103446: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103448: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:25:07.103450: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103452: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103454: | length: 8 (0x8) Sep 21 07:25:07.103456: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103458: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:25:07.103461: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103463: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103465: | length: 8 (0x8) Sep 21 07:25:07.103467: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103469: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:25:07.103472: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103474: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103476: | length: 8 (0x8) Sep 21 07:25:07.103478: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103480: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:25:07.103483: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103485: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103487: | length: 8 (0x8) Sep 21 07:25:07.103489: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103491: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:25:07.103494: | 
*****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103496: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103498: | length: 8 (0x8) Sep 21 07:25:07.103500: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103503: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:25:07.103505: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103508: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:07.103510: | length: 8 (0x8) Sep 21 07:25:07.103512: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103514: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:25:07.103518: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Sep 21 07:25:07.103523: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Sep 21 07:25:07.103525: | remote proposal 1 matches local proposal 1 Sep 21 07:25:07.103528: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:07.103531: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:07.103533: | length: 100 (0x64) Sep 21 07:25:07.103535: | prop #: 2 (0x2) Sep 21 07:25:07.103538: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:25:07.103540: | spi size: 0 (0x0) Sep 21 07:25:07.103543: | # transforms: 11 (0xb) Sep 21 07:25:07.103546: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:07.103550: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103552: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103554: | length: 12 (0xc) Sep 21 07:25:07.103557: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:07.103559: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:07.103561: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:07.103564: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:07.103566: | length/value: 
128 (0x80) Sep 21 07:25:07.103569: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103571: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103573: | length: 8 (0x8) Sep 21 07:25:07.103575: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:07.103578: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:25:07.103580: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103582: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103584: | length: 8 (0x8) Sep 21 07:25:07.103587: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:07.103589: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:25:07.103592: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103594: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103596: | length: 8 (0x8) Sep 21 07:25:07.103599: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103601: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:07.103604: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103606: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103609: | length: 8 (0x8) Sep 21 07:25:07.103611: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103613: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:25:07.103616: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103619: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103621: | length: 8 (0x8) Sep 21 07:25:07.103623: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103626: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:25:07.103628: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103631: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103633: | length: 8 (0x8) Sep 21 07:25:07.103636: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103638: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 
07:25:07.103641: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103644: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103646: | length: 8 (0x8) Sep 21 07:25:07.103648: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103651: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:25:07.103654: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103656: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103658: | length: 8 (0x8) Sep 21 07:25:07.103661: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103663: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:25:07.103666: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103668: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103670: | length: 8 (0x8) Sep 21 07:25:07.103673: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103675: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:25:07.103678: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103680: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:07.103683: | length: 8 (0x8) Sep 21 07:25:07.103685: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103687: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:25:07.103691: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Sep 21 07:25:07.103694: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Sep 21 07:25:07.103698: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:07.103701: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:07.103703: | length: 116 (0x74) Sep 21 07:25:07.103705: | prop #: 3 (0x3) Sep 21 07:25:07.103707: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:25:07.103710: | spi size: 0 (0x0) Sep 21 07:25:07.103712: | # transforms: 13 (0xd) Sep 21 07:25:07.103715: | Comparing remote proposal 3 containing 13 transforms against 
local proposal [1..0] of 4 local proposals Sep 21 07:25:07.103718: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103720: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103722: | length: 12 (0xc) Sep 21 07:25:07.103725: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:07.103728: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:25:07.103730: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:07.103733: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:07.103735: | length/value: 256 (0x100) Sep 21 07:25:07.103738: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103740: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103742: | length: 8 (0x8) Sep 21 07:25:07.103745: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:07.103747: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:25:07.103750: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103752: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103754: | length: 8 (0x8) Sep 21 07:25:07.103757: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:07.103759: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:25:07.103762: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103764: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103766: | length: 8 (0x8) Sep 21 07:25:07.103769: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:07.103771: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:25:07.103774: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103776: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103778: | length: 8 (0x8) Sep 21 07:25:07.103780: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:07.103787: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:25:07.103793: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103797: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103799: | length: 8 (0x8) Sep 21 07:25:07.103801: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103804: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:07.103806: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103808: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103811: | length: 8 (0x8) Sep 21 07:25:07.103813: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103815: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:25:07.103818: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103820: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103822: | length: 8 (0x8) Sep 21 07:25:07.103825: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103827: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:25:07.103830: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103832: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103834: | length: 8 (0x8) Sep 21 07:25:07.103836: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103839: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:25:07.103841: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103843: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103845: | length: 8 (0x8) Sep 21 07:25:07.103847: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103851: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:25:07.103853: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103856: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103857: | length: 8 (0x8) Sep 21 07:25:07.103860: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103862: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:25:07.103864: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103867: | last transform: v2_TRANSFORM_NON_LAST 
(0x3) Sep 21 07:25:07.103869: | length: 8 (0x8) Sep 21 07:25:07.103871: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103874: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:25:07.103876: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103879: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:07.103881: | length: 8 (0x8) Sep 21 07:25:07.103883: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103885: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:25:07.103889: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Sep 21 07:25:07.103892: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Sep 21 07:25:07.103895: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:07.103897: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:25:07.103899: | length: 116 (0x74) Sep 21 07:25:07.103901: | prop #: 4 (0x4) Sep 21 07:25:07.103904: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:25:07.103906: | spi size: 0 (0x0) Sep 21 07:25:07.103908: | # transforms: 13 (0xd) Sep 21 07:25:07.103912: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:07.103914: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103916: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103919: | length: 12 (0xc) Sep 21 07:25:07.103921: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:07.103923: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:25:07.103926: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:07.103928: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:07.103931: | length/value: 128 (0x80) Sep 21 07:25:07.103934: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103936: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103938: | length: 8 (0x8) Sep 21 07:25:07.103940: | IKEv2 transform 
type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:07.103943: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:25:07.103946: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103948: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103950: | length: 8 (0x8) Sep 21 07:25:07.103952: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:07.103955: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:25:07.103957: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103960: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103962: | length: 8 (0x8) Sep 21 07:25:07.103965: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:07.103967: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:25:07.103970: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103972: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103974: | length: 8 (0x8) Sep 21 07:25:07.103977: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:07.103979: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:25:07.103982: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103984: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.103986: | length: 8 (0x8) Sep 21 07:25:07.103988: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.103991: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:07.103995: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.103997: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.104000: | length: 8 (0x8) Sep 21 07:25:07.104002: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.104004: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:25:07.104007: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.104009: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.104011: | length: 8 (0x8) Sep 21 07:25:07.104014: | IKEv2 transform type: TRANS_TYPE_DH 
(0x4) Sep 21 07:25:07.104016: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:25:07.104019: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.104021: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.104023: | length: 8 (0x8) Sep 21 07:25:07.104026: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.104028: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:25:07.104031: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.104033: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.104035: | length: 8 (0x8) Sep 21 07:25:07.104038: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.104040: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:25:07.104042: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.104044: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.104046: | length: 8 (0x8) Sep 21 07:25:07.104048: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.104051: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:25:07.104053: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.104056: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.104058: | length: 8 (0x8) Sep 21 07:25:07.104060: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.104063: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:25:07.104065: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.104067: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:07.104069: | length: 8 (0x8) Sep 21 07:25:07.104071: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.104074: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:25:07.104078: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Sep 21 07:25:07.104080: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Sep 21 07:25:07.104086: 
"northnet-eastnets/0x2" #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Sep 21 07:25:07.104090: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Sep 21 07:25:07.104093: | converting proposal to internal trans attrs Sep 21 07:25:07.104099: | natd_hash: rcookie is zero Sep 21 07:25:07.104117: | natd_hash: hasher=0x55d43e0e07a0(20) Sep 21 07:25:07.104121: | natd_hash: icookie= 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:07.104123: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:25:07.104125: | natd_hash: ip= c0 01 02 17 Sep 21 07:25:07.104126: | natd_hash: port= 01 f4 Sep 21 07:25:07.104131: | natd_hash: hash= 56 e2 29 ba b8 5b cb 8c fe bd 2e 5d 2a 54 0d fe Sep 21 07:25:07.104133: | natd_hash: hash= a7 13 50 9e Sep 21 07:25:07.104135: | natd_hash: rcookie is zero Sep 21 07:25:07.104141: | natd_hash: hasher=0x55d43e0e07a0(20) Sep 21 07:25:07.104143: | natd_hash: icookie= 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:07.104146: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:25:07.104148: | natd_hash: ip= c0 01 03 21 Sep 21 07:25:07.104150: | natd_hash: port= 01 f4 Sep 21 07:25:07.104152: | natd_hash: hash= a1 fe d2 ef 9a 0e 63 6c b4 59 75 67 f0 75 53 66 Sep 21 
07:25:07.104154: | natd_hash: hash= 9d a4 70 14 Sep 21 07:25:07.104156: | NAT_TRAVERSAL encaps using auto-detect Sep 21 07:25:07.104159: | NAT_TRAVERSAL this end is NOT behind NAT Sep 21 07:25:07.104161: | NAT_TRAVERSAL that end is NOT behind NAT Sep 21 07:25:07.104164: | NAT_TRAVERSAL nat-keepalive enabled 192.1.3.33 Sep 21 07:25:07.104170: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Sep 21 07:25:07.104173: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55d43f5c24f0 Sep 21 07:25:07.104177: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:25:07.104181: | libevent_malloc: new ptr-libevent@0x55d43f5b6390 size 128 Sep 21 07:25:07.104197: | #1 spent 0.969 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Sep 21 07:25:07.104196: | crypto helper 1 resuming Sep 21 07:25:07.104219: | crypto helper 1 starting work-order 1 for state #1 Sep 21 07:25:07.104225: | crypto helper 1 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Sep 21 07:25:07.105297: | crypto helper 1 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.001071 seconds Sep 21 07:25:07.105310: | (#1) spent 1.05 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Sep 21 07:25:07.105314: | crypto helper 1 sending results from work-order 1 for state #1 to event queue Sep 21 07:25:07.105317: | scheduling resume sending helper answer for #1 Sep 21 07:25:07.105320: | libevent_malloc: new ptr-libevent@0x7f9fdc006900 size 128 Sep 21 07:25:07.105327: | crypto helper 1 waiting (nothing to do) Sep 21 07:25:07.104209: | [RE]START processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:07.105337: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Sep 21 07:25:07.105340: | suspending state #1 and saving MD Sep 21 07:25:07.105342: | #1 is busy; has a suspended MD Sep 21 
07:25:07.105348: | [RE]START processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:25:07.105351: | "northnet-eastnets/0x2" #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:25:07.105357: | stop processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:25:07.105362: | #1 spent 1.45 milliseconds in ikev2_process_packet() Sep 21 07:25:07.105366: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:25:07.105369: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:25:07.105372: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:25:07.105376: | spent 1.46 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:25:07.105385: | processing resume sending helper answer for #1 Sep 21 07:25:07.105390: | start processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:25:07.105394: | crypto helper 1 replies to request ID 1 Sep 21 07:25:07.105396: | calling continuation function 0x55d43e00a630 Sep 21 07:25:07.105399: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Sep 21 07:25:07.105429: | **emit ISAKMP Message: Sep 21 07:25:07.105432: | initiator cookie: Sep 21 07:25:07.105435: | 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:07.105439: | responder cookie: Sep 21 07:25:07.105442: | 3c e7 fa 06 4d 25 7b d7 Sep 21 07:25:07.105444: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:07.105447: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:07.105450: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:25:07.105453: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:25:07.105456: | Message ID: 0 (0x0) Sep 21 07:25:07.105459: | next payload chain: saving message 
location 'ISAKMP Message'.'next payload type' Sep 21 07:25:07.105462: | Emitting ikev2_proposal ... Sep 21 07:25:07.105464: | ***emit IKEv2 Security Association Payload: Sep 21 07:25:07.105467: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.105469: | flags: none (0x0) Sep 21 07:25:07.105472: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:25:07.105475: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:25:07.105478: | ****emit IKEv2 Proposal Substructure Payload: Sep 21 07:25:07.105481: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:25:07.105483: | prop #: 1 (0x1) Sep 21 07:25:07.105486: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:25:07.105488: | spi size: 0 (0x0) Sep 21 07:25:07.105490: | # transforms: 3 (0x3) Sep 21 07:25:07.105493: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:25:07.105496: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:25:07.105499: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.105501: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:07.105504: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:07.105507: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:07.105509: | ******emit IKEv2 Attribute Substructure Payload: Sep 21 07:25:07.105512: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:07.105514: | length/value: 256 (0x100) Sep 21 07:25:07.105517: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:25:07.105520: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:25:07.105522: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.105524: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 
21 07:25:07.105527: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:25:07.105530: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.105533: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:07.105535: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:25:07.105538: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:25:07.105540: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:07.105542: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.105545: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:07.105548: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.105550: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:07.105553: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:25:07.105555: | emitting length of IKEv2 Proposal Substructure Payload: 36 Sep 21 07:25:07.105558: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:25:07.105560: | emitting length of IKEv2 Security Association Payload: 40 Sep 21 07:25:07.105565: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:25:07.105568: | ***emit IKEv2 Key Exchange Payload: Sep 21 07:25:07.105571: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.105573: | flags: none (0x0) Sep 21 07:25:07.105576: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:07.105579: | next payload chain: setting previous 'IKEv2 Security Association 
Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 07:25:07.105581: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:25:07.105585: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Sep 21 07:25:07.105623: | emitting length of IKEv2 Key Exchange Payload: 264 Sep 21 07:25:07.105626: | ***emit IKEv2 Nonce Payload: Sep 21 07:25:07.105629: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:25:07.105631: | flags: none (0x0) Sep 21 07:25:07.105634: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload
type' value 41:ISAKMP_NEXT_v2N Sep 21 07:25:07.105637: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:25:07.105639: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:25:07.105642: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:25:07.105644: | IKEv2 nonce e6 10 f0 2c 26 ab b2 01 67 a7 9b 77 d1 af 0b 5e Sep 21 07:25:07.105647: | IKEv2 nonce 68 0e 36 35 e8 6d 65 10 4b 6b 79 97 f6 cc d2 11 Sep 21 07:25:07.105649: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:25:07.105653: | Adding a v2N Payload Sep 21 07:25:07.105655: | ***emit IKEv2 Notify Payload: Sep 21 07:25:07.105658: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.105660: | flags: none (0x0) Sep 21 07:25:07.105663: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:07.105665: | SPI size: 0 (0x0) Sep 21 07:25:07.105668: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:25:07.105671: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:25:07.105673: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:25:07.105676: | emitting length of IKEv2 Notify Payload: 8 Sep 21 07:25:07.105679: | NAT-Traversal support [enabled] add v2N payloads. 
Sep 21 07:25:07.105688: | natd_hash: hasher=0x55d43e0e07a0(20) Sep 21 07:25:07.105692: | natd_hash: icookie= 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:07.105694: | natd_hash: rcookie= 3c e7 fa 06 4d 25 7b d7 Sep 21 07:25:07.105696: | natd_hash: ip= c0 01 02 17 Sep 21 07:25:07.105698: | natd_hash: port= 01 f4 Sep 21 07:25:07.105701: | natd_hash: hash= 69 3a 01 af a2 c4 e3 58 bd 00 b8 ae 51 4f e3 c1 Sep 21 07:25:07.105703: | natd_hash: hash= bf c2 67 b2 Sep 21 07:25:07.105705: | Adding a v2N Payload Sep 21 07:25:07.105707: | ***emit IKEv2 Notify Payload: Sep 21 07:25:07.105710: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.105712: | flags: none (0x0) Sep 21 07:25:07.105714: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:07.105716: | SPI size: 0 (0x0) Sep 21 07:25:07.105719: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:25:07.105722: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:25:07.105724: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:25:07.105727: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:25:07.105730: | Notify data 69 3a 01 af a2 c4 e3 58 bd 00 b8 ae 51 4f e3 c1 Sep 21 07:25:07.105732: | Notify data bf c2 67 b2 Sep 21 07:25:07.105734: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:25:07.105740: | natd_hash: hasher=0x55d43e0e07a0(20) Sep 21 07:25:07.105743: | natd_hash: icookie= 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:07.105745: | natd_hash: rcookie= 3c e7 fa 06 4d 25 7b d7 Sep 21 07:25:07.105747: | natd_hash: ip= c0 01 03 21 Sep 21 07:25:07.105749: | natd_hash: port= 01 f4 Sep 21 07:25:07.105751: | natd_hash: hash= b2 34 8c bf 4b 91 ba cb 7f d6 14 7a 74 bb 6e f3 Sep 21 07:25:07.105753: | natd_hash: hash= 1b 66 3e f2 Sep 21 07:25:07.105756: | Adding a v2N Payload Sep 21 07:25:07.105758: | ***emit IKEv2 Notify Payload: Sep 21 
07:25:07.105760: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.105763: | flags: none (0x0) Sep 21 07:25:07.105765: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:07.105767: | SPI size: 0 (0x0) Sep 21 07:25:07.105769: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:25:07.105772: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:25:07.105775: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:25:07.105777: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:25:07.105780: | Notify data b2 34 8c bf 4b 91 ba cb 7f d6 14 7a 74 bb 6e f3 Sep 21 07:25:07.105782: | Notify data 1b 66 3e f2 Sep 21 07:25:07.105792: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:25:07.105794: | going to send a certreq Sep 21 07:25:07.105797: | connection->kind is CK_PERMANENT so send CERTREQ Sep 21 07:25:07.105800: | ***emit IKEv2 Certificate Request Payload: Sep 21 07:25:07.105802: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.105804: | flags: none (0x0) Sep 21 07:25:07.105807: | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) Sep 21 07:25:07.105809: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Certificate Request Payload (38:ISAKMP_NEXT_v2CERTREQ) Sep 21 07:25:07.105812: | next payload chain: saving location 'IKEv2 Certificate Request Payload'.'next payload type' in 'reply packet' Sep 21 07:25:07.106499: | located CA cert E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA for CERTREQ Sep 21 07:25:07.106512: | emitting 20 raw bytes of CA cert public key hash into IKEv2 Certificate Request Payload Sep 21 07:25:07.106515: | CA cert public key hash Sep 21 07:25:07.106518: | 4e cf af 8c 44 87 de 90 be 28 67 b9 ce 53 17 3f Sep 21 
07:25:07.106520: | 8e eb 22 c0 Sep 21 07:25:07.106522: | emitting length of IKEv2 Certificate Request Payload: 25 Sep 21 07:25:07.106528: | emitting length of ISAKMP Message: 457 Sep 21 07:25:07.106536: | [RE]START processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:07.106540: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Sep 21 07:25:07.106543: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Sep 21 07:25:07.106547: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Sep 21 07:25:07.106550: | Message ID: updating counters for #1 to 0 after switching state Sep 21 07:25:07.106555: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Sep 21 07:25:07.106559: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Sep 21 07:25:07.106565: "northnet-eastnets/0x2" #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} Sep 21 07:25:07.106570: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:25:07.106580: | sending 457 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Sep 21 07:25:07.106702: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:25:07.106707: | libevent_free: release ptr-libevent@0x55d43f5b6390 Sep 21 07:25:07.106710: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55d43f5c24f0 Sep 21 07:25:07.106713: | event_schedule: new EVENT_SO_DISCARD-pe@0x55d43f5c24f0 Sep 21 07:25:07.106717: | inserting event EVENT_SO_DISCARD, timeout
in 200 seconds for #1 Sep 21 07:25:07.106722: | libevent_malloc: new ptr-libevent@0x55d43f5b6390 size 128 Sep 21 07:25:07.106726: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Sep 21 07:25:07.106732: | #1 spent 1.3 milliseconds in resume sending helper answer Sep 21 07:25:07.106738: | stop processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:25:07.106740: | libevent_free: release ptr-libevent@0x7f9fdc006900 Sep 21 07:25:07.126836: | spent 0 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:25:07.126858: | *received 539 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500) Sep 21 07:25:07.126960: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:25:07.126964: | **parse ISAKMP Message: Sep 21 07:25:07.126967: | initiator cookie: Sep 21 07:25:07.126970: | 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:07.126972: | responder cookie: Sep 21 07:25:07.126975: | 3c e7 fa 06 4d 25 7b d7 Sep 21 07:25:07.126978: | next payload type: ISAKMP_NEXT_v2SKF (0x35) Sep 21 07:25:07.126982: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:07.126985: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:25:07.126988: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:25:07.126991: | Message ID: 1 (0x1) Sep 21 07:25:07.126994: | length: 539 (0x21b) Sep 21 07:25:07.127000: | processing version=2.0 packet with exchange
type=ISAKMP_v2_IKE_AUTH (35) Sep 21 07:25:07.127004: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Sep 21 07:25:07.127009: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Sep 21 07:25:07.127017: | start processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:25:07.127020: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:25:07.127026: | [RE]START processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:25:07.127030: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Sep 21 07:25:07.127036: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Sep 21 07:25:07.127039: | unpacking clear payload Sep 21 07:25:07.127042: | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) Sep 21 07:25:07.127045: | ***parse IKEv2 Encrypted Fragment: Sep 21 07:25:07.127048: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Sep 21 07:25:07.127051: | flags: none (0x0) Sep 21 07:25:07.127054: | length: 511 (0x1ff) Sep 21 07:25:07.127057: | fragment number: 1 (0x1) Sep 21 07:25:07.127059: | total fragments: 5 (0x5) Sep 21 07:25:07.127063: | processing payload: ISAKMP_NEXT_v2SKF (len=503) Sep 21 07:25:07.127069: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Sep 21 07:25:07.127072: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:25:07.127076: | received IKE encrypted fragment number '1', total number '5', next payload '35' Sep 21 07:25:07.127080: | updated IKE fragment state to respond using fragments without waiting for re-transmits Sep 21 07:25:07.127087: | stop processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 
07:25:07.127093: | #1 spent 0.244 milliseconds in ikev2_process_packet() Sep 21 07:25:07.127098: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:25:07.127102: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:25:07.127105: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:25:07.127110: | spent 0.261 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:25:07.127689: | spent 0.0027 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:25:07.127704: | *received 539 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500) Sep 21 07:25:07.128112: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:25:07.128116: | **parse ISAKMP Message: Sep 21 07:25:07.128118: | initiator cookie: Sep 21 07:25:07.128121: | 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:07.128124: | responder cookie: Sep 21 07:25:07.128126: | 3c e7 fa 06 4d 25 7b d7 Sep 21 07:25:07.128130: | next payload type: ISAKMP_NEXT_v2SKF (0x35) Sep 21 07:25:07.128133: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:07.128136: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:25:07.128139: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:25:07.128142: | Message ID: 1 (0x1) Sep 21 07:25:07.128145: | length: 539 (0x21b) Sep 21 07:25:07.128149: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Sep 21 07:25:07.128152: |
I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Sep 21 07:25:07.128156: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Sep 21 07:25:07.128164: | start processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:25:07.128170: | [RE]START processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2062) Sep 21 07:25:07.128174: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Sep 21 07:25:07.128177: | #1 is idle Sep 21 07:25:07.128179: | #1 idle Sep 21 07:25:07.128186: | Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1 Sep 21 07:25:07.128188: | unpacking clear payload Sep 21 07:25:07.128191: | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) Sep 21 07:25:07.128195: | ***parse IKEv2 Encrypted Fragment: Sep 21 07:25:07.128201: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.128204: | flags: none (0x0) Sep 21 07:25:07.128207: | length: 511 (0x1ff) Sep 21 07:25:07.128210: | fragment number: 2 (0x2) Sep 21 07:25:07.128213: | total fragments: 5 (0x5) Sep 21 07:25:07.128216: | processing payload: ISAKMP_NEXT_v2SKF (len=503) Sep 21 07:25:07.128219: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:25:07.128223: | received IKE encrypted fragment number '2', total number '5', next payload '0' Sep 21 07:25:07.128230: | stop processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:25:07.128236: | #1 spent 0.243 milliseconds in ikev2_process_packet() Sep 21 07:25:07.128241: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:25:07.128245: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:25:07.128251: | processing: STOP connection NULL (in 
process_md() at demux.c:383) Sep 21 07:25:07.128256: | spent 0.264 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:25:07.128266: | spent 0.00161 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:25:07.128276: | *received 539 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500) Sep 21 07:25:07.128376: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:25:07.128380: | **parse ISAKMP Message: Sep 21 07:25:07.128382: | initiator cookie: Sep 21 07:25:07.128385: | 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:07.128388: | responder cookie: Sep 21 07:25:07.128391: | 3c e7 fa 06 4d 25 7b d7 Sep 21 07:25:07.128394: | next payload type: ISAKMP_NEXT_v2SKF (0x35) Sep 21 07:25:07.128397: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:07.128400: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:25:07.128403: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:25:07.128406: | Message ID: 1 (0x1) Sep 21 07:25:07.128409: | length: 539 (0x21b) Sep 21 07:25:07.128412: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Sep 21 07:25:07.128416: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Sep 21 07:25:07.128419: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Sep 21 07:25:07.128430: | start processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21
07:25:07.128436: | [RE]START processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2062) Sep 21 07:25:07.128439: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Sep 21 07:25:07.128442: | #1 is idle Sep 21 07:25:07.128445: | #1 idle Sep 21 07:25:07.128450: | Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1 Sep 21 07:25:07.128453: | unpacking clear payload Sep 21 07:25:07.128457: | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) Sep 21 07:25:07.128460: | ***parse IKEv2 Encrypted Fragment: Sep 21 07:25:07.128463: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.128466: | flags: none (0x0) Sep 21 07:25:07.128468: | length: 511 (0x1ff) Sep 21 07:25:07.128471: | fragment number: 3 (0x3) Sep 21 07:25:07.128474: | total fragments: 5 (0x5) Sep 21 07:25:07.128477: | processing payload: ISAKMP_NEXT_v2SKF (len=503) Sep 21 07:25:07.128480: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:25:07.128484: | received IKE encrypted fragment number '3', total number '5', next payload '0' Sep 21 07:25:07.128490: | stop processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:25:07.128495: | #1 spent 0.224 milliseconds in ikev2_process_packet() Sep 21 07:25:07.128500: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:25:07.128504: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:25:07.128507: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:25:07.128511: | spent 0.241 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:25:07.128519: | spent 0.00133 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:25:07.128529: | *received 539 bytes from 192.1.3.33:500 on eth1 
(192.1.2.23:500) Sep 21 07:25:07.128632: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:25:07.128635: | **parse ISAKMP Message: Sep 21 07:25:07.128638: | initiator cookie: Sep 21 07:25:07.128640: | 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:07.128643: | responder cookie: Sep 21 07:25:07.128646: | 3c e7 fa 06 4d 25 7b d7 Sep 21 07:25:07.128649: | next payload type: ISAKMP_NEXT_v2SKF (0x35) Sep 21 07:25:07.128652: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:07.128655: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:25:07.128658: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:25:07.128661: | Message ID: 1 (0x1) Sep 21 07:25:07.128664: | length: 539 (0x21b) Sep 21 07:25:07.128667: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Sep 21 07:25:07.128671: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Sep 21 07:25:07.128674: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Sep 21 07:25:07.128681: | start processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:25:07.128687: | [RE]START processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2062) Sep 21 07:25:07.128690: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Sep 21 07:25:07.128693: | #1 is idle Sep 21 07:25:07.128696: | #1 idle Sep 21 07:25:07.128702: |
Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1 Sep 21 07:25:07.128704: | unpacking clear payload Sep 21 07:25:07.128707: | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) Sep 21 07:25:07.128710: | ***parse IKEv2 Encrypted Fragment: Sep 21 07:25:07.128713: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.128716: | flags: none (0x0) Sep 21 07:25:07.128719: | length: 511 (0x1ff) Sep 21 07:25:07.128722: | fragment number: 4 (0x4) Sep 21 07:25:07.128725: | total fragments: 5 (0x5) Sep 21 07:25:07.128728: | processing payload: ISAKMP_NEXT_v2SKF (len=503) Sep 21 07:25:07.128731: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:25:07.128734: | received IKE encrypted fragment number '4', total number '5', next payload '0' Sep 21 07:25:07.128740: | stop processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:25:07.128745: | #1 spent 0.221 milliseconds in ikev2_process_packet() Sep 21 07:25:07.128750: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:25:07.128753: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:25:07.128757: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:25:07.128761: | spent 0.237 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:25:07.128769: | spent 0.00126 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:25:07.128778: | *received 394 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500) Sep 21 07:25:07.128848: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:25:07.128850: | **parse ISAKMP Message: Sep 21 07:25:07.128852: | initiator cookie: Sep 21 07:25:07.128854: | 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:07.128856: | responder cookie: Sep 21 07:25:07.128858: | 3c e7 fa 06 4d 25 7b d7 Sep 21 07:25:07.128860: | next payload type: ISAKMP_NEXT_v2SKF (0x35) Sep 21 07:25:07.128862: | ISAKMP version: IKEv2 version 2.0
(rfc4306/rfc5996) (0x20) Sep 21 07:25:07.128864: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:25:07.128866: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:25:07.128868: | Message ID: 1 (0x1) Sep 21 07:25:07.128869: | length: 394 (0x18a) Sep 21 07:25:07.128872: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Sep 21 07:25:07.128875: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Sep 21 07:25:07.128877: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Sep 21 07:25:07.128882: | start processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:25:07.128886: | [RE]START processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2062) Sep 21 07:25:07.128889: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Sep 21 07:25:07.128890: | #1 is idle Sep 21 07:25:07.128892: | #1 idle Sep 21 07:25:07.128896: | Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1 Sep 21 07:25:07.128898: | unpacking clear payload Sep 21 07:25:07.128900: | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) Sep 21 07:25:07.128902: | ***parse IKEv2 Encrypted Fragment: Sep 21 07:25:07.128904: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.128906: | flags: none (0x0) Sep 21 07:25:07.128909: | length: 366 (0x16e) Sep 21 07:25:07.128911: | fragment number: 5 (0x5) Sep 21 07:25:07.128913: | total fragments: 5 (0x5) Sep 21 07:25:07.128916: | processing payload: ISAKMP_NEXT_v2SKF (len=358) Sep 21 07:25:07.128918: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:25:07.128922: | received IKE encrypted fragment number '5', total number '5', next payload '0' Sep 21 07:25:07.128927: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 
07:25:07.128930: | Now let's proceed with state specific processing Sep 21 07:25:07.128932: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:25:07.128935: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Sep 21 07:25:07.128940: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Sep 21 07:25:07.128943: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Sep 21 07:25:07.128945: | state #1 requesting EVENT_SO_DISCARD to be deleted Sep 21 07:25:07.128950: | libevent_free: release ptr-libevent@0x55d43f5b6390 Sep 21 07:25:07.128952: | free_event_entry: release EVENT_SO_DISCARD-pe@0x55d43f5c24f0 Sep 21 07:25:07.128955: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55d43f5c24f0 Sep 21 07:25:07.128958: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:25:07.128961: | libevent_malloc: new ptr-libevent@0x55d43f5b6390 size 128 Sep 21 07:25:07.128971: | #1 spent 0.0347 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Sep 21 07:25:07.128977: | [RE]START processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:07.128980: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Sep 21 07:25:07.128983: | suspending state #1 and saving MD Sep 21 07:25:07.128985: | #1 is busy; has a suspended MD Sep 21 07:25:07.128989: | [RE]START processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:25:07.128993: | "northnet-eastnets/0x2" #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:25:07.128997: | stop processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:25:07.129001: | #1 spent 0.225 
milliseconds in ikev2_process_packet() Sep 21 07:25:07.129005: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:25:07.129008: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:25:07.129010: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:25:07.129014: | spent 0.238 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:25:07.129023: | crypto helper 2 resuming Sep 21 07:25:07.129028: | crypto helper 2 starting work-order 2 for state #1 Sep 21 07:25:07.129032: | crypto helper 2 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Sep 21 07:25:07.129951: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Sep 21 07:25:07.130389: | crypto helper 2 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001355 seconds Sep 21 07:25:07.130399: | (#1) spent 1.36 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Sep 21 07:25:07.130403: | crypto helper 2 sending results from work-order 2 for state #1 to event queue Sep 21 07:25:07.130406: | scheduling resume sending helper answer for #1 Sep 21 07:25:07.130411: | libevent_malloc: new ptr-libevent@0x7f9fd4006b90 size 128 Sep 21 07:25:07.130419: | crypto helper 2 waiting (nothing to do) Sep 21 07:25:07.131349: | processing resume sending helper answer for #1 Sep 21 07:25:07.131364: | start processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:25:07.131370: | crypto helper 2 replies to request ID 2 Sep 21 07:25:07.131373: | calling continuation function 0x55d43e00a630 Sep 21 07:25:07.131377: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Sep 21 07:25:07.131380: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:25:07.131387: | already have all fragments, skipping fragment collection Sep 21 07:25:07.131390: | already have all fragments, skipping 
fragment collection Sep 21 07:25:07.131417: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Sep 21 07:25:07.131421: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Sep 21 07:25:07.131425: | **parse IKEv2 Identification - Initiator - Payload: Sep 21 07:25:07.131428: | next payload type: ISAKMP_NEXT_v2CERT (0x25) Sep 21 07:25:07.131431: | flags: none (0x0) Sep 21 07:25:07.131434: | length: 193 (0xc1) Sep 21 07:25:07.131437: | ID type: ID_DER_ASN1_DN (0x9) Sep 21 07:25:07.131441: | processing payload: ISAKMP_NEXT_v2IDi (len=185) Sep 21 07:25:07.131444: | Now let's proceed with payload (ISAKMP_NEXT_v2CERT) Sep 21 07:25:07.131447: | **parse IKEv2 Certificate Payload: Sep 21 07:25:07.131450: | next payload type: ISAKMP_NEXT_v2CERTREQ (0x26) Sep 21 07:25:07.131453: | flags: none (0x0) Sep 21 07:25:07.131456: | length: 1232 (0x4d0) Sep 21 07:25:07.131459: | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) Sep 21 07:25:07.131462: | processing payload: ISAKMP_NEXT_v2CERT (len=1227) Sep 21 07:25:07.131465: | Now let's proceed with payload (ISAKMP_NEXT_v2CERTREQ) Sep 21 07:25:07.131468: | **parse IKEv2 Certificate Request Payload: Sep 21 07:25:07.131471: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Sep 21 07:25:07.131474: | flags: none (0x0) Sep 21 07:25:07.131477: | length: 25 (0x19) Sep 21 07:25:07.131480: | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) Sep 21 07:25:07.131483: | processing payload: ISAKMP_NEXT_v2CERTREQ (len=20) Sep 21 07:25:07.131486: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Sep 21 07:25:07.131489: | **parse IKEv2 Identification - Responder - Payload: Sep 21 07:25:07.131492: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Sep 21 07:25:07.131495: | flags: none (0x0) Sep 21 07:25:07.131498: | length: 191 (0xbf) Sep 21 07:25:07.131500: | ID type: ID_DER_ASN1_DN (0x9) Sep 21 07:25:07.131503: | processing payload: ISAKMP_NEXT_v2IDr (len=183) Sep 21 07:25:07.131506: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Sep 21 07:25:07.131509: | 
**parse IKEv2 Authentication Payload: Sep 21 07:25:07.131512: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:25:07.131515: | flags: none (0x0) Sep 21 07:25:07.131518: | length: 392 (0x188) Sep 21 07:25:07.131521: | auth method: IKEv2_AUTH_RSA (0x1) Sep 21 07:25:07.131524: | processing payload: ISAKMP_NEXT_v2AUTH (len=384) Sep 21 07:25:07.131527: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:25:07.131530: | **parse IKEv2 Security Association Payload: Sep 21 07:25:07.131533: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Sep 21 07:25:07.131535: | flags: none (0x0) Sep 21 07:25:07.131538: | length: 164 (0xa4) Sep 21 07:25:07.131541: | processing payload: ISAKMP_NEXT_v2SA (len=160) Sep 21 07:25:07.131544: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:25:07.131547: | **parse IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:25:07.131550: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:25:07.131553: | flags: none (0x0) Sep 21 07:25:07.131556: | length: 24 (0x18) Sep 21 07:25:07.131559: | number of TS: 1 (0x1) Sep 21 07:25:07.131562: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:25:07.131565: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:25:07.131568: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:25:07.131571: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.131573: | flags: none (0x0) Sep 21 07:25:07.131576: | length: 24 (0x18) Sep 21 07:25:07.131579: | number of TS: 1 (0x1) Sep 21 07:25:07.131582: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Sep 21 07:25:07.131585: | selected state microcode Responder: process IKE_AUTH request Sep 21 07:25:07.131588: | Now let's proceed with state specific processing Sep 21 07:25:07.131591: | calling processor Responder: process IKE_AUTH request Sep 21 07:25:07.131598: "northnet-eastnets/0x2" #1: processing decrypted IKE_AUTH request: SK{IDi,CERT,CERTREQ,IDr,AUTH,SA,TSi,TSr} Sep 21 07:25:07.131608: | #1 updating local 
interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:25:07.131614: | global one-shot timer EVENT_FREE_ROOT_CERTS scheduled in 300 seconds Sep 21 07:25:07.131617: loading root certificate cache Sep 21 07:25:07.134614: | spent 2.93 milliseconds in get_root_certs() calling PK11_ListCertsInSlot() Sep 21 07:25:07.134658: | spent 0.0264 milliseconds in get_root_certs() filtering CAs Sep 21 07:25:07.134665: | #1 spent 3 milliseconds in find_and_verify_certs() calling get_root_certs() Sep 21 07:25:07.134669: | checking for known CERT payloads Sep 21 07:25:07.134673: | saving certificate of type 'X509_SIGNATURE' Sep 21 07:25:07.134715: | decoded cert: E=user-north@testing.libreswan.org,CN=north.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA Sep 21 07:25:07.134722: | #1 spent 0.0508 milliseconds in find_and_verify_certs() calling decode_cert_payloads() Sep 21 07:25:07.134728: | cert_issuer_has_current_crl: looking for a CRL issued by E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA Sep 21 07:25:07.134779: | #1 spent 0.0499 milliseconds in find_and_verify_certs() calling crl_update_check() Sep 21 07:25:07.134788: | missing or expired CRL Sep 21 07:25:07.134794: | crl_strict: 0, ocsp: 0, ocsp_strict: 0, ocsp_post: 0 Sep 21 07:25:07.134797: | verify_end_cert trying profile IPsec Sep 21 07:25:07.134912: | certificate is valid (profile IPsec) Sep 21 07:25:07.134920: | #1 spent 0.124 milliseconds in find_and_verify_certs() calling verify_end_cert() Sep 21 07:25:07.134925: "northnet-eastnets/0x2" #1: certificate verified OK: E=user-north@testing.libreswan.org,CN=north.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA Sep 21 07:25:07.134988: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55d43f5c24c0 Sep 21 07:25:07.134994: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55d43f5d8370 Sep 
21 07:25:07.134997: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55d43f5bfa90 Sep 21 07:25:07.135132: | unreference key: 0x55d43f5d8af0 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org cnt 1-- Sep 21 07:25:07.135142: | #1 spent 0.211 milliseconds in decode_certs() calling add_pubkey_from_nss_cert() Sep 21 07:25:07.135146: | #1 spent 3.48 milliseconds in decode_certs() Sep 21 07:25:07.135186: | received IDr payload - extracting our alleged ID Sep 21
07:25:07.135243: | ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org' needs further ID comparison against 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org' Sep 21 07:25:07.135250: | ID_DER_ASN1_DN 'E=user-north@testing.libreswan.org,CN=north.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' matched our ID 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org' Sep 21 07:25:07.135253: | X509: CERT and ID matches current connection Sep 21 07:25:07.135256: | CERT_X509_SIGNATURE CR: Sep 21 07:25:07.135259: | 4e cf af 8c 44 87 de 90 be 28 67 b9 ce 53 17 3f Sep 21 07:25:07.135261: | 8e eb 22 c0 Sep 21 07:25:07.135264: | cert blob content is not binary ASN.1 Sep 21 07:25:07.135268: | refine_host_connection for IKEv2: starting with "northnet-eastnets/0x2" Sep 21 07:25:07.135279: | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' Sep 21 07:25:07.135289: | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' Sep 21 07:25:07.135293: |
refine_host_connection: happy with starting point: "northnet-eastnets/0x2" Sep 21 07:25:07.135305: "northnet-eastnets/0x2" #1: No matching subjectAltName found for '=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' Sep 21 07:25:07.135310: | IDr payload 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' is NOT a valid certificate SAN for this connection Sep 21 07:25:07.135313: | The remote specified our ID in its IDr payload Sep 21 07:25:07.135323: | offered CA: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' Sep 21 07:25:07.135333: "northnet-eastnets/0x2" #1: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org' Sep 21 07:25:07.135361: | received CERTREQ payload; going to decode it Sep 21 07:25:07.135365: | CERT_X509_SIGNATURE CR: Sep 21 07:25:07.135368: | 4e cf af 8c 44 87 de 90 be 28 67 b9 ce 53 17 3f Sep 21 07:25:07.135370: | 8e eb 22 c0 Sep 21 07:25:07.135373: | cert blob content is not binary ASN.1 Sep 21 07:25:07.135375: | verifying AUTH payload Sep 21 07:25:07.135395: | required RSA CA is 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' Sep 21 07:25:07.135414: | checking RSA keyid 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org' Sep 21 07:25:07.135424: | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' Sep 21 07:25:07.135436: | 
trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' Sep 21 07:25:07.135446: | RSA key issuer CA is 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' Sep 21 07:25:07.135620: | an RSA Sig check passed with *AwEAAbrCE [remote certificates] Sep 21 07:25:07.135626: | #1 spent 0.175 milliseconds in try_all_keys() trying a pubkey Sep 21 07:25:07.135629: "northnet-eastnets/0x2" #1: Authenticated using RSA Sep 21 07:25:07.135634: | #1 spent 0.254 milliseconds in ikev2_verify_rsa_hash() Sep 21 07:25:07.135639: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Sep 21 07:25:07.135644: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:25:07.135648: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:25:07.135653: | libevent_free: release ptr-libevent@0x55d43f5b6390 Sep 21 07:25:07.135657: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55d43f5c24f0 Sep 21 07:25:07.135661: | event_schedule: new EVENT_SA_REKEY-pe@0x55d43f5cc550 Sep 21 07:25:07.135665: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Sep 21 07:25:07.135669: | libevent_malloc: new ptr-libevent@0x55d43f5b6390 size 128 Sep 21 07:25:07.135768: | pstats #1 ikev2.ike established Sep 21 07:25:07.135775: | **emit ISAKMP Message: Sep 21 07:25:07.135778: | initiator cookie: Sep 21 07:25:07.135781: | 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:07.135787: | responder cookie: Sep 21 07:25:07.135792: | 3c e7 fa 06 4d 25 7b d7 Sep 21 07:25:07.135796: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:07.135799: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:07.135802: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:25:07.135805: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:25:07.135808: | Message ID: 1 (0x1) 
Sep 21 07:25:07.135812: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:25:07.135815: | IKEv2 CERT: send a certificate? Sep 21 07:25:07.135818: | IKEv2 CERT: OK to send a certificate (always) Sep 21 07:25:07.135821: | ***emit IKEv2 Encryption Payload: Sep 21 07:25:07.135824: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.135827: | flags: none (0x0) Sep 21 07:25:07.135832: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:25:07.135835: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:25:07.135839: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:25:07.135847: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:25:07.135862: | ****emit IKEv2 Identification - Responder - Payload: Sep 21 07:25:07.135865: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.135868: | flags: none (0x0) Sep 21 07:25:07.135871: | ID type: ID_DER_ASN1_DN (0x9) Sep 21 07:25:07.135875: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Sep 21 07:25:07.135879: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:25:07.135883: | emitting 183 raw bytes of my identity into IKEv2 Identification - Responder - Payload
Sep 21 07:25:07.135923: | emitting length of IKEv2 Identification - Responder - Payload: 191 Sep 21 07:25:07.135932: | assembled IDr payload Sep 21 07:25:07.135937: | Sending [CERT] of certificate: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA Sep 21 07:25:07.135940: | ****emit IKEv2 Certificate Payload: Sep 21 07:25:07.135943: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.135946: | flags: none (0x0) Sep 21 07:25:07.135949: | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) Sep 21 07:25:07.135953: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Certificate Payload (37:ISAKMP_NEXT_v2CERT) Sep 21 07:25:07.135957: | next payload chain: saving location 'IKEv2 Certificate Payload'.'next payload type' in 'reply packet' Sep 21 07:25:07.135961: | emitting 1260 raw bytes of CERT into IKEv2 Certificate Payload
Sep 21 07:25:07.136189: | emitting length of IKEv2 Certificate Payload: 1265 Sep 21 07:25:07.136198: | CHILD SA proposals received Sep 21 07:25:07.136201: | going to assemble AUTH payload Sep 21
07:25:07.136204: | ****emit IKEv2 Authentication Payload: Sep 21 07:25:07.136207: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:25:07.136210: | flags: none (0x0) Sep 21 07:25:07.136213: | auth method: IKEv2_AUTH_RSA (0x1) Sep 21 07:25:07.136217: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Sep 21 07:25:07.136221: | next payload chain: setting previous 'IKEv2 Certificate Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Sep 21 07:25:07.136225: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Sep 21 07:25:07.136244: | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org of kind PKK_RSA Sep 21 07:25:07.136303: | searching for certificate PKK_RSA:AwEAAbANn vs PKK_RSA:AwEAAbANn Sep 21 07:25:07.158615: | #1 spent 9.64 milliseconds in ikev2_calculate_rsa_hash() calling sign_hash_RSA() Sep 21 07:25:07.158629: | emitting 384 raw bytes of rsa signature into IKEv2 Authentication Payload
Sep 21 07:25:07.158693: | #1 spent 9.81 milliseconds in ikev2_calculate_rsa_hash() Sep 21 07:25:07.158696: | emitting length of IKEv2 Authentication Payload: 392 Sep 21 07:25:07.158703: | creating state object #2 at 0x55d43f5ceed0 Sep 21 07:25:07.158706: | State DB: adding IKEv2 state #2 in UNDEFINED Sep 21 07:25:07.158710: | pstats #2 ikev2.child started Sep 21 07:25:07.158714: | duplicating state object #1 "northnet-eastnets/0x2" as #2 for IPSEC SA Sep 21 07:25:07.158724: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at
state.c:1481) Sep 21 07:25:07.158732: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:25:07.158737: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Sep 21 07:25:07.158742: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Sep 21 07:25:07.158745: | Child SA TS Request has ike->sa == md->st; so using parent connection Sep 21 07:25:07.158748: | TSi: parsing 1 traffic selectors Sep 21 07:25:07.158751: | ***parse IKEv2 Traffic Selector: Sep 21 07:25:07.158754: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:07.158756: | IP Protocol ID: 0 (0x0) Sep 21 07:25:07.158759: | length: 16 (0x10) Sep 21 07:25:07.158761: | start port: 0 (0x0) Sep 21 07:25:07.158764: | end port: 65535 (0xffff) Sep 21 07:25:07.158766: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:25:07.158769: | TS low c0 00 03 00 Sep 21 07:25:07.158771: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:25:07.158774: | TS high c0 00 03 ff Sep 21 07:25:07.158776: | TSi: parsed 1 traffic selectors Sep 21 07:25:07.158778: | TSr: parsing 1 traffic selectors Sep 21 07:25:07.158781: | ***parse IKEv2 Traffic Selector: Sep 21 07:25:07.158791: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:07.158796: | IP Protocol ID: 0 (0x0) Sep 21 07:25:07.158798: | length: 16 (0x10) Sep 21 07:25:07.158800: | start port: 0 (0x0) Sep 21 07:25:07.158803: | end port: 65535 (0xffff) Sep 21 07:25:07.158805: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:25:07.158807: | TS low c0 00 02 00 Sep 21 07:25:07.158810: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:25:07.158812: | TS high c0 00 02 ff Sep 21 
07:25:07.158814: | TSr: parsed 1 traffic selectors Sep 21 07:25:07.158817: | looking for best SPD in current connection Sep 21 07:25:07.158824: | evaluating our conn="northnet-eastnets/0x2" I=192.0.3.0/24:0:0/0 R=192.0.22.0/24:0:0/0 to their: Sep 21 07:25:07.158829: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:07.158837: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:25:07.158840: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:25:07.158843: | TSi[0] port match: YES fitness 65536 Sep 21 07:25:07.158846: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:25:07.158849: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:07.158854: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:07.158859: | match address end->client=192.0.22.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: NO Sep 21 07:25:07.158862: | looking for better host pair Sep 21 07:25:07.158867: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:25:07.158872: | checking hostpair 192.0.22.0/24:0 -> 192.0.3.0/24:0 is found Sep 21 07:25:07.158874: | investigating connection "northnet-eastnets/0x2" as a better match Sep 21 07:25:07.158886: | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org Sep 21 07:25:07.158895: | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org Sep 21 07:25:07.158898: | results matched Sep 21 07:25:07.158906: | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' Sep 21 07:25:07.158917: | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, 
E=testing@libreswan.org' Sep 21 07:25:07.158923: | evaluating our conn="northnet-eastnets/0x2" I=192.0.3.0/24:0:0/0 R=192.0.22.0/24:0:0/0 to their: Sep 21 07:25:07.158928: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:07.158933: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:25:07.158936: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:25:07.158938: | TSi[0] port match: YES fitness 65536 Sep 21 07:25:07.158941: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:25:07.158944: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:07.158948: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:07.158953: | match address end->client=192.0.22.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: NO Sep 21 07:25:07.158956: | investigating connection "northnet-eastnets/0x1" as a better match Sep 21 07:25:07.158965: | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org Sep 21 07:25:07.158973: | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org Sep 21 07:25:07.158975: | results matched Sep 21 07:25:07.158983: | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' Sep 21 07:25:07.158991: | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' Sep 21 07:25:07.158997: | evaluating our conn="northnet-eastnets/0x1" I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:25:07.159001: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:07.159007: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 
32 Sep 21 07:25:07.159010: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:25:07.159013: | TSi[0] port match: YES fitness 65536 Sep 21 07:25:07.159015: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:25:07.159018: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:07.159022: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:07.159027: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:25:07.159030: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:25:07.159032: | TSr[0] port match: YES fitness 65536 Sep 21 07:25:07.159034: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:25:07.159037: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:07.159039: | best fit so far: TSi[0] TSr[0] Sep 21 07:25:07.159042: | protocol fitness found better match d northnet-eastnets/0x1, TSi[0],TSr[0] Sep 21 07:25:07.159045: | in connection_discard for connection northnet-eastnets/0x2 Sep 21 07:25:07.159047: | printing contents struct traffic_selector Sep 21 07:25:07.159049: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:25:07.159051: | ipprotoid: 0 Sep 21 07:25:07.159054: | port range: 0-65535 Sep 21 07:25:07.159057: | ip range: 192.0.2.0-192.0.2.255 Sep 21 07:25:07.159060: | printing contents struct traffic_selector Sep 21 07:25:07.159062: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:25:07.159064: | ipprotoid: 0 Sep 21 07:25:07.159066: | port range: 0-65535 Sep 21 07:25:07.159070: | ip range: 192.0.3.0-192.0.3.255 Sep 21 07:25:07.159073: | constructing ESP/AH proposals with all DH removed for northnet-eastnets/0x1 (IKE_AUTH responder matching remote ESP/AH proposals) Sep 21 07:25:07.159081: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Sep 21 07:25:07.159088: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Sep 21 07:25:07.159091: | converting proposal AES_GCM_16_128-NONE to ikev2 ... 
Sep 21 07:25:07.159095: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED Sep 21 07:25:07.159098: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Sep 21 07:25:07.159102: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:25:07.159105: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Sep 21 07:25:07.159109: | ... ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:25:07.159116: "northnet-eastnets/0x1": constructed local ESP/AH proposals for northnet-eastnets/0x1 (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:25:07.159120: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals Sep 21 07:25:07.159123: | local proposal 1 type ENCR has 1 transforms Sep 21 07:25:07.159125: | local proposal 1 type PRF has 0 transforms Sep 21 07:25:07.159127: | local proposal 1 type INTEG has 1 transforms Sep 21 07:25:07.159130: | local proposal 1 type DH has 1 transforms Sep 21 07:25:07.159132: | local proposal 1 type ESN has 1 transforms Sep 21 07:25:07.159135: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Sep 21 07:25:07.159137: | local proposal 2 type ENCR has 1 transforms Sep 21 07:25:07.159139: | local proposal 2 type PRF has 0 transforms Sep 21 07:25:07.159141: | local proposal 2 type INTEG has 1 transforms Sep 21 07:25:07.159143: | local proposal 2 type DH has 1 transforms Sep 21 07:25:07.159146: | local proposal 2 type ESN has 1 transforms Sep 21 07:25:07.159148: | local proposal 2 
transforms: required: ENCR+ESN; optional: INTEG+DH Sep 21 07:25:07.159150: | local proposal 3 type ENCR has 1 transforms Sep 21 07:25:07.159153: | local proposal 3 type PRF has 0 transforms Sep 21 07:25:07.159155: | local proposal 3 type INTEG has 2 transforms Sep 21 07:25:07.159157: | local proposal 3 type DH has 1 transforms Sep 21 07:25:07.159159: | local proposal 3 type ESN has 1 transforms Sep 21 07:25:07.159162: | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: DH Sep 21 07:25:07.159164: | local proposal 4 type ENCR has 1 transforms Sep 21 07:25:07.159167: | local proposal 4 type PRF has 0 transforms Sep 21 07:25:07.159169: | local proposal 4 type INTEG has 2 transforms Sep 21 07:25:07.159171: | local proposal 4 type DH has 1 transforms Sep 21 07:25:07.159174: | local proposal 4 type ESN has 1 transforms Sep 21 07:25:07.159176: | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH Sep 21 07:25:07.159179: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:07.159182: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:07.159185: | length: 32 (0x20) Sep 21 07:25:07.159187: | prop #: 1 (0x1) Sep 21 07:25:07.159189: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:07.159192: | spi size: 4 (0x4) Sep 21 07:25:07.159194: | # transforms: 2 (0x2) Sep 21 07:25:07.159197: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:07.159199: | remote SPI 55 9b 23 61 Sep 21 07:25:07.159202: | Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals Sep 21 07:25:07.159205: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.159208: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.159210: | length: 12 (0xc) Sep 21 07:25:07.159212: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:07.159217: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:07.159220: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 
07:25:07.159222: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:07.159225: | length/value: 256 (0x100) Sep 21 07:25:07.159229: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:25:07.159232: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.159234: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:07.159236: | length: 8 (0x8) Sep 21 07:25:07.159239: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:07.159241: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:07.159245: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:25:07.159248: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Sep 21 07:25:07.159251: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Sep 21 07:25:07.159254: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Sep 21 07:25:07.159257: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Sep 21 07:25:07.159261: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Sep 21 07:25:07.159264: | remote proposal 1 matches local proposal 1 Sep 21 07:25:07.159266: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:07.159269: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:07.159271: | length: 32 (0x20) Sep 21 07:25:07.159273: | prop #: 2 (0x2) Sep 21 07:25:07.159275: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:07.159278: | spi size: 4 (0x4) Sep 21 07:25:07.159280: | # transforms: 2 (0x2) Sep 21 07:25:07.159283: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:07.159285: | remote SPI 55 9b 23 61 Sep 21 07:25:07.159288: | Comparing remote proposal 2 containing 2 transforms against 
local proposal [1..0] of 4 local proposals Sep 21 07:25:07.159290: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.159293: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.159295: | length: 12 (0xc) Sep 21 07:25:07.159297: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:07.159299: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:07.159302: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:07.159304: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:07.159307: | length/value: 128 (0x80) Sep 21 07:25:07.159310: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.159312: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:07.159314: | length: 8 (0x8) Sep 21 07:25:07.159316: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:07.159319: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:07.159322: | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN Sep 21 07:25:07.159325: | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN Sep 21 07:25:07.159327: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:07.159330: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:07.159332: | length: 48 (0x30) Sep 21 07:25:07.159334: | prop #: 3 (0x3) Sep 21 07:25:07.159337: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:07.159339: | spi size: 4 (0x4) Sep 21 07:25:07.159341: | # transforms: 4 (0x4) Sep 21 07:25:07.159344: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:07.159346: | remote SPI 55 9b 23 61 Sep 21 07:25:07.159349: | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:07.159351: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.159356: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.159358: | length: 12 (0xc) Sep 21 07:25:07.159360: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 
07:25:07.159362: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:25:07.159365: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:07.159367: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:07.159370: | length/value: 256 (0x100) Sep 21 07:25:07.159372: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.159375: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.159377: | length: 8 (0x8) Sep 21 07:25:07.159379: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:07.159381: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:25:07.159384: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.159387: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.159389: | length: 8 (0x8) Sep 21 07:25:07.159391: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:07.159393: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:25:07.159395: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.159397: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:07.159399: | length: 8 (0x8) Sep 21 07:25:07.159401: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:07.159404: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:07.159407: | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Sep 21 07:25:07.159410: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN Sep 21 07:25:07.159413: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:07.159415: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:25:07.159417: | length: 48 (0x30) Sep 21 07:25:07.159419: | prop #: 4 (0x4) Sep 21 07:25:07.159421: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:07.159423: | spi size: 4 (0x4) Sep 21 07:25:07.159425: | # transforms: 4 (0x4) Sep 21 07:25:07.159428: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:07.159431: | remote SPI 55 9b 23 61 Sep 21 07:25:07.159433: 
| Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:07.159436: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.159438: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.159440: | length: 12 (0xc) Sep 21 07:25:07.159442: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:07.159444: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:25:07.159447: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:07.159449: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:07.159451: | length/value: 128 (0x80) Sep 21 07:25:07.159454: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.159456: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.159458: | length: 8 (0x8) Sep 21 07:25:07.159460: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:07.159462: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:25:07.159465: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.159467: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.159469: | length: 8 (0x8) Sep 21 07:25:07.159471: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:07.159474: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:25:07.159476: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.159479: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:07.159481: | length: 8 (0x8) Sep 21 07:25:07.159483: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:07.159485: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:07.159489: | remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Sep 21 07:25:07.159492: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN Sep 21 07:25:07.159499: "northnet-eastnets/0x2" #1: proposal 1:ESP:SPI=559b2361;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 
1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Sep 21 07:25:07.159504: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=559b2361;ENCR=AES_GCM_C_256;ESN=DISABLED Sep 21 07:25:07.159507: | converting proposal to internal trans attrs Sep 21 07:25:07.159528: | netlink_get_spi: allocated 0xc8a37905 for esp.0@192.1.2.23 Sep 21 07:25:07.159531: | Emitting ikev2_proposal ... Sep 21 07:25:07.159533: | ****emit IKEv2 Security Association Payload: Sep 21 07:25:07.159536: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.159539: | flags: none (0x0) Sep 21 07:25:07.159542: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:25:07.159545: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:25:07.159549: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:25:07.159551: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:25:07.159554: | prop #: 1 (0x1) Sep 21 07:25:07.159556: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:07.159558: | spi size: 4 (0x4) Sep 21 07:25:07.159561: | # transforms: 2 (0x2) Sep 21 07:25:07.159564: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:25:07.159567: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:25:07.159569: | our spi c8 a3 79 05 Sep 21 07:25:07.159572: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:25:07.159574: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.159577: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:07.159579: | IKEv2 
transform ID: AES_GCM_C (0x14) Sep 21 07:25:07.159582: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:07.159585: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:25:07.159588: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:07.159590: | length/value: 256 (0x100) Sep 21 07:25:07.159593: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:25:07.159595: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:25:07.159598: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:07.159600: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:07.159602: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:07.159605: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.159608: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:07.159611: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:25:07.159613: | emitting length of IKEv2 Proposal Substructure Payload: 32 Sep 21 07:25:07.159616: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:25:07.159619: | emitting length of IKEv2 Security Association Payload: 36 Sep 21 07:25:07.159621: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:25:07.159624: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:25:07.159627: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.159629: | flags: none (0x0) Sep 21 07:25:07.159631: | number of TS: 1 (0x1) Sep 21 07:25:07.159639: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to 
current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:25:07.159643: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:25:07.159645: | *****emit IKEv2 Traffic Selector: Sep 21 07:25:07.159648: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:07.159650: | IP Protocol ID: 0 (0x0) Sep 21 07:25:07.159652: | start port: 0 (0x0) Sep 21 07:25:07.159655: | end port: 65535 (0xffff) Sep 21 07:25:07.159658: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:25:07.159660: | IP start c0 00 03 00 Sep 21 07:25:07.159663: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:25:07.159665: | IP end c0 00 03 ff Sep 21 07:25:07.159668: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:25:07.159670: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:25:07.159673: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:25:07.159675: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.159678: | flags: none (0x0) Sep 21 07:25:07.159680: | number of TS: 1 (0x1) Sep 21 07:25:07.159683: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:25:07.159686: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:25:07.159688: | *****emit IKEv2 Traffic Selector: Sep 21 07:25:07.159691: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:07.159693: | IP Protocol ID: 0 (0x0) Sep 21 07:25:07.159696: | start port: 0 (0x0) Sep 21 07:25:07.159698: | end port: 65535 (0xffff) Sep 21 07:25:07.159701: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:25:07.159703: | IP start c0 00 02 00 Sep 21 07:25:07.159706: | emitting 4 raw bytes of IP end into IKEv2 
Traffic Selector Sep 21 07:25:07.159708: | IP end c0 00 02 ff Sep 21 07:25:07.159710: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:25:07.159713: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:25:07.159716: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:25:07.159719: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Sep 21 07:25:07.159906: | FOR_EACH_CONNECTION_... in ISAKMP_SA_established Sep 21 07:25:07.159919: | #1 spent 1.22 milliseconds Sep 21 07:25:07.159922: | install_ipsec_sa() for #2: inbound and outbound Sep 21 07:25:07.159925: | could_route called for northnet-eastnets/0x1 (kind=CK_PERMANENT) Sep 21 07:25:07.159928: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:25:07.159931: | conn northnet-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:25:07.159934: | conn northnet-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:25:07.159937: | conn northnet-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:25:07.159939: | conn northnet-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:25:07.159945: | route owner of "northnet-eastnets/0x1" unrouted: NULL; eroute owner: NULL Sep 21 07:25:07.159949: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Sep 21 07:25:07.159953: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Sep 21 07:25:07.159955: | AES_GCM_16 requires 4 salt bytes Sep 21 07:25:07.159958: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Sep 21 07:25:07.159962: | setting IPsec SA replay-window to 32 Sep 21 07:25:07.159965: | NIC esp-hw-offload not for connection 'northnet-eastnets/0x1' not available on interface eth1 Sep 21 07:25:07.159968: | netlink: enabling tunnel mode Sep 21 07:25:07.159971: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:25:07.159973: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:25:07.160061: | 
netlink response for Add SA esp.559b2361@192.1.3.33 included non-error error Sep 21 07:25:07.160066: | set up outgoing SA, ref=0/0 Sep 21 07:25:07.160069: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Sep 21 07:25:07.160286: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Sep 21 07:25:07.160289: | AES_GCM_16 requires 4 salt bytes Sep 21 07:25:07.160292: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Sep 21 07:25:07.160296: | setting IPsec SA replay-window to 32 Sep 21 07:25:07.160300: | NIC esp-hw-offload not for connection 'northnet-eastnets/0x1' not available on interface eth1 Sep 21 07:25:07.160302: | netlink: enabling tunnel mode Sep 21 07:25:07.160305: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:25:07.160308: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:25:07.160364: | netlink response for Add SA esp.c8a37905@192.1.2.23 included non-error error Sep 21 07:25:07.160369: | priority calculation of connection "northnet-eastnets/0x1" is 0xfe7e7 Sep 21 07:25:07.160377: | add inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Sep 21 07:25:07.160380: | IPsec Sa SPD priority set to 1042407 Sep 21 07:25:07.160439: | raw_eroute result=success Sep 21 07:25:07.160443: | set up incoming SA, ref=0/0 Sep 21 07:25:07.160446: | sr for #2: unrouted Sep 21 07:25:07.160449: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:25:07.160451: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:25:07.160455: | conn northnet-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:25:07.160457: | conn northnet-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:25:07.160460: | conn northnet-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:25:07.160463: | conn northnet-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:25:07.160466: | route owner of "northnet-eastnets/0x1" unrouted: NULL; eroute owner: NULL Sep 21 07:25:07.160470: | route_and_eroute with c: northnet-eastnets/0x1 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Sep 21 07:25:07.160473: | priority calculation of connection "northnet-eastnets/0x1" is 0xfe7e7 Sep 21 07:25:07.160480: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33 (raw_eroute) Sep 21 07:25:07.160483: | IPsec Sa SPD priority set to 1042407 Sep 21 07:25:07.160516: | raw_eroute result=success Sep 21 07:25:07.160520: | running updown command "ipsec _updown" for verb up Sep 21 07:25:07.160523: | command executing up-client Sep 21 07:25:07.160557: | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' Sep 21 07:25:07.160566: | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' Sep 21 07:25:07.160587: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, 
O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RS Sep 21 07:25:07.160590: | popen cmd is 1403 chars long Sep 21 07:25:07.160596: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnets/0: Sep 21 07:25:07.160599: | cmd( 80):x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PL: Sep 21 07:25:07.160601: | cmd( 160):UTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east: Sep 21 07:25:07.160603: | cmd( 240):.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.: Sep 21 07:25:07.160606: | cmd( 320):0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' P: Sep 21 07:25:07.160608: | cmd( 400):LUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP: Sep 21 07:25:07.160611: | cmd( 480):' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswa: Sep 21 07:25:07.160613: | cmd( 560):n, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libr: Sep 21 07:25:07.160616: | cmd( 640):eswan.org' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PL: Sep 21 07:25:07.160618: | cmd( 720):UTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0': Sep 21 07:25:07.160621: | cmd( 800): PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN: Sep 21 07:25:07.160623: | cmd( 880):=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLU: Sep 21 07:25:07.160626: | cmd( 960):TO_ADDTIME='0' 
PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TR: Sep 21 07:25:07.160628: | cmd(1040):ACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY=: Sep 21 07:25:07.160630: | cmd(1120):'ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_: Sep 21 07:25:07.160633: | cmd(1200):DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PL: Sep 21 07:25:07.160635: | cmd(1280):UTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x559: Sep 21 07:25:07.160637: | cmd(1360):b2361 SPI_OUT=0xc8a37905 ipsec _updown 2>&1: Sep 21 07:25:07.211462: | route_and_eroute: firewall_notified: true Sep 21 07:25:07.211480: | running updown command "ipsec _updown" for verb prepare Sep 21 07:25:07.211483: | command executing prepare-client Sep 21 07:25:07.211522: | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' Sep 21 07:25:07.211531: | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' Sep 21 07:25:07.211553: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' 
PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_ Sep 21 07:25:07.211556: | popen cmd is 1408 chars long Sep 21 07:25:07.211559: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastn: Sep 21 07:25:07.211562: | cmd( 80):ets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.2: Sep 21 07:25:07.211564: | cmd( 160):3' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN: Sep 21 07:25:07.211571: | cmd( 240):=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT=: Sep 21 07:25:07.211573: | cmd( 320):'192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255: Sep 21 07:25:07.211576: | cmd( 400):.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE: Sep 21 07:25:07.211579: | cmd( 480):='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Lib: Sep 21 07:25:07.211581: | cmd( 560):reswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing: Sep 21 07:25:07.211584: | cmd( 640):.libreswan.org' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.: Sep 21 07:25:07.211586: | cmd( 720):0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCO: Sep 21 07:25:07.211589: | cmd( 800):L='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departmen: Sep 21 07:25:07.211591: | cmd( 880):t, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey: Sep 21 07:25:07.211594: | cmd( 960):' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAR: Sep 21 07:25:07.211596: | cmd(1040):EF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFA: Sep 21 07:25:07.211599: | cmd(1120):MILY='ipv4' XAUTH_FAILED=0 
PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_: Sep 21 07:25:07.211601: | cmd(1200):PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT=': Sep 21 07:25:07.211603: | cmd(1280):0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=: Sep 21 07:25:07.211606: | cmd(1360):0x559b2361 SPI_OUT=0xc8a37905 ipsec _updown 2>&1: Sep 21 07:25:07.356098: | running updown command "ipsec _updown" for verb route Sep 21 07:25:07.356115: | command executing route-client Sep 21 07:25:07.356156: | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' Sep 21 07:25:07.356166: | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' Sep 21 07:25:07.356189: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLI Sep 21 07:25:07.356193: | popen cmd is 1406 chars long Sep 21 07:25:07.356196: | cmd( 
0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet: Sep 21 07:25:07.356198: | cmd( 80):s/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23': Sep 21 07:25:07.356201: | cmd( 160): PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=e: Sep 21 07:25:07.356204: | cmd( 240):ast.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='1: Sep 21 07:25:07.356206: | cmd( 320):92.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0: Sep 21 07:25:07.356209: | cmd( 400):' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE=': Sep 21 07:25:07.356212: | cmd( 480):ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libre: Sep 21 07:25:07.356217: | cmd( 560):swan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.l: Sep 21 07:25:07.356219: | cmd( 640):ibreswan.org' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0': Sep 21 07:25:07.356222: | cmd( 720): PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=: Sep 21 07:25:07.356224: | cmd( 800):'0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department,: Sep 21 07:25:07.356227: | cmd( 880): CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' : Sep 21 07:25:07.356229: | cmd( 960):PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF: Sep 21 07:25:07.356232: | cmd(1040):_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMI: Sep 21 07:25:07.356234: | cmd(1120):LY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PE: Sep 21 07:25:07.356237: | cmd(1200):ER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0': Sep 21 07:25:07.356239: | cmd(1280): PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x: Sep 21 07:25:07.356242: | 
cmd(1360):559b2361 SPI_OUT=0xc8a37905 ipsec _updown 2>&1: Sep 21 07:25:07.405482: | route_and_eroute: instance "northnet-eastnets/0x1", setting eroute_owner {spd=0x55d43f5b51b0,sr=0x55d43f5b51b0} to #2 (was #0) (newest_ipsec_sa=#0) Sep 21 07:25:07.406314: | #1 spent 1.14 milliseconds in install_ipsec_sa() Sep 21 07:25:07.406327: | ISAKMP_v2_IKE_AUTH: instance northnet-eastnets/0x1[0], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Sep 21 07:25:07.406332: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:25:07.406336: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:25:07.406340: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:25:07.406343: | emitting length of IKEv2 Encryption Payload: 1961 Sep 21 07:25:07.406346: | emitting length of ISAKMP Message: 1989 Sep 21 07:25:07.406352: | **parse ISAKMP Message: Sep 21 07:25:07.406354: | initiator cookie: Sep 21 07:25:07.406357: | 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:07.406359: | responder cookie: Sep 21 07:25:07.406362: | 3c e7 fa 06 4d 25 7b d7 Sep 21 07:25:07.406365: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:25:07.406368: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:07.406370: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:25:07.406373: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:25:07.406375: | Message ID: 1 (0x1) Sep 21 07:25:07.406378: | length: 1989 (0x7c5) Sep 21 07:25:07.406380: | **parse IKEv2 Encryption Payload: Sep 21 07:25:07.406383: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Sep 21 07:25:07.406385: | flags: none (0x0) Sep 21 07:25:07.406388: | length: 1961 (0x7a9) Sep 21 07:25:07.406390: | **emit ISAKMP Message: Sep 21 07:25:07.406393: | initiator cookie: Sep 21 07:25:07.406395: | 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:07.406397: | responder cookie: Sep 21 07:25:07.406399: | 3c e7 fa 06 4d 25 7b d7 Sep 21 
07:25:07.406402: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:07.406404: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:07.406407: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:25:07.406409: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:25:07.406411: | Message ID: 1 (0x1) Sep 21 07:25:07.406415: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:25:07.406418: | ***emit IKEv2 Encrypted Fragment: Sep 21 07:25:07.406420: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Sep 21 07:25:07.406423: | flags: none (0x0) Sep 21 07:25:07.406425: | fragment number: 1 (0x1) Sep 21 07:25:07.406428: | total fragments: 5 (0x5) Sep 21 07:25:07.406431: | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 36:ISAKMP_NEXT_v2IDr Sep 21 07:25:07.406437: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) Sep 21 07:25:07.406439: | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' Sep 21 07:25:07.406443: | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment Sep 21 07:25:07.406451: | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
Sep 21 07:25:07.406520: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:25:07.406523: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment Sep 21 07:25:07.406526: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment Sep 21 07:25:07.406528: | emitting length of IKEv2 Encrypted Fragment: 511 Sep 21 07:25:07.406531: | emitting length of ISAKMP Message: 539 Sep 21 07:25:07.406546: | **emit ISAKMP Message: Sep 21 07:25:07.406549: | initiator cookie: Sep 21 07:25:07.406551: | 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:07.406555: | responder cookie: Sep 21 07:25:07.406557: | 3c e7 fa 06 4d 25 7b d7 Sep 21 07:25:07.406560: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:07.406562: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:07.406565: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:25:07.406567: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:25:07.406569: | Message ID: 1 (0x1) Sep 21 07:25:07.406572: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:25:07.406575: | ***emit IKEv2 Encrypted Fragment: Sep 21 07:25:07.406577: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.406579: | flags: none (0x0) Sep 21 07:25:07.406582: | fragment number: 2 (0x2) Sep 21 07:25:07.406584: | total fragments: 5 (0x5) Sep 21 07:25:07.406587: | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE Sep 21 07:25:07.406590: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) Sep 21 07:25:07.406592: | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' Sep 21 07:25:07.406595: | emitting 8 zero
bytes of IV into IKEv2 Encrypted Fragment Sep 21 07:25:07.406600: | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
Sep 21 07:25:07.406672: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:25:07.406675: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment Sep 21 07:25:07.406678: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment Sep 21 07:25:07.406680: | emitting length of IKEv2 Encrypted Fragment: 511 Sep 21 07:25:07.406682: | emitting length of ISAKMP Message: 539 Sep 21 07:25:07.406689: | **emit ISAKMP Message: Sep 21 07:25:07.406692: | initiator cookie: Sep 21 07:25:07.406694: | 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:07.406696: | responder cookie: Sep 21 07:25:07.406698: | 3c e7 fa 06 4d 25 7b d7 Sep 21 07:25:07.406701: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:07.406703: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:07.406705: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:25:07.406708: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:25:07.406710: | Message ID: 1 (0x1) Sep 21 07:25:07.406712: | next payload chain: saving
message location 'ISAKMP Message'.'next payload type' Sep 21 07:25:07.406715: | ***emit IKEv2 Encrypted Fragment: Sep 21 07:25:07.406717: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.406720: | flags: none (0x0) Sep 21 07:25:07.406722: | fragment number: 3 (0x3) Sep 21 07:25:07.406724: | total fragments: 5 (0x5) Sep 21 07:25:07.406727: | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE Sep 21 07:25:07.406730: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) Sep 21 07:25:07.406733: | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' Sep 21 07:25:07.406735: | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment Sep 21 07:25:07.406740: | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
Sep 21 07:25:07.406814: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:25:07.406817: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment Sep 21 07:25:07.406819: | emitting 16 zero bytes of length of
truncated HMAC/KEY into IKEv2 Encrypted Fragment Sep 21 07:25:07.406821: | emitting length of IKEv2 Encrypted Fragment: 511 Sep 21 07:25:07.406824: | emitting length of ISAKMP Message: 539 Sep 21 07:25:07.406832: | **emit ISAKMP Message: Sep 21 07:25:07.406834: | initiator cookie: Sep 21 07:25:07.406837: | 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:07.406838: | responder cookie: Sep 21 07:25:07.406840: | 3c e7 fa 06 4d 25 7b d7 Sep 21 07:25:07.406842: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:07.406845: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:07.406847: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:25:07.406849: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:25:07.406851: | Message ID: 1 (0x1) Sep 21 07:25:07.406854: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:25:07.406856: | ***emit IKEv2 Encrypted Fragment: Sep 21 07:25:07.406859: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.406861: | flags: none (0x0) Sep 21 07:25:07.406863: | fragment number: 4 (0x4) Sep 21 07:25:07.406866: | total fragments: 5 (0x5) Sep 21 07:25:07.406868: | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE Sep 21 07:25:07.406871: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) Sep 21 07:25:07.406874: | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' Sep 21 07:25:07.406876: | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment Sep 21 07:25:07.406884: | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
Sep 21 07:25:07.406954: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:25:07.406957: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment Sep 21 07:25:07.406960: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment Sep 21 07:25:07.406962: | emitting length of IKEv2 Encrypted Fragment: 511 Sep 21 07:25:07.406965: | emitting length of ISAKMP Message: 539 Sep 21 07:25:07.406972: | **emit ISAKMP Message: Sep 21 07:25:07.406975: | initiator cookie: Sep 21 07:25:07.406977: | 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:07.406979: | responder cookie: Sep 21 07:25:07.406981: | 3c e7 fa 06 4d 25 7b d7 Sep 21 07:25:07.406983: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:07.406985: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:07.406988: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:25:07.406990: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:25:07.406992: | Message ID: 1 (0x1) Sep 21 07:25:07.406995: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:25:07.406997: | ***emit IKEv2 Encrypted Fragment: Sep 21 07:25:07.406999: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.407001: | flags: none (0x0) Sep 21 07:25:07.407003: | fragment number: 5 (0x5) Sep 21 07:25:07.407005: | total fragments: 5 (0x5) Sep 21 07:25:07.407008: | next payload chain: using
supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE Sep 21 07:25:07.407010: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) Sep 21 07:25:07.407013: | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' Sep 21 07:25:07.407016: | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment Sep 21 07:25:07.407020: | emitting 20 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment Sep 21 07:25:07.407022: | cleartext fragment 01 00 00 00 07 00 00 10 00 00 ff ff c0 00 02 00 Sep 21 07:25:07.407026: | cleartext fragment c0 00 02 ff Sep 21 07:25:07.407029: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:25:07.407031: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment Sep 21 07:25:07.407034: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment Sep 21 07:25:07.407036: | emitting length of IKEv2 Encrypted Fragment: 53 Sep 21 07:25:07.407038: | emitting length of ISAKMP Message: 81 Sep 21 07:25:07.407049: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Sep 21 07:25:07.407057: | #1 spent 17.5 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Sep 21 07:25:07.407064: | suspend processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:07.407069: | start processing: state #2 connection "northnet-eastnets/0x1" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:07.407074: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Sep 21 07:25:07.407077: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Sep 21 07:25:07.407080: | child state #2: 
UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Sep 21 07:25:07.407083: | Message ID: updating counters for #2 to 1 after switching state Sep 21 07:25:07.407088: | Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Sep 21 07:25:07.407093: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Sep 21 07:25:07.407095: | pstats #2 ikev2.child established Sep 21 07:25:07.407104: "northnet-eastnets/0x1" #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Sep 21 07:25:07.407108: | NAT-T: encaps is 'auto' Sep 21 07:25:07.407113: "northnet-eastnets/0x1" #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x559b2361 <0xc8a37905 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} Sep 21 07:25:07.407118: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:25:07.407121: | sending fragments ... 
Sep 21 07:25:07.407126: | sending 539 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Sep 21 07:25:07.407256: | sending 539 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Sep 21 07:25:07.407353: | sending 539 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Sep 21 07:25:07.407449: | sending 539 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Sep 21 07:25:07.407543: | sending 81 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Sep 21 07:25:07.407570: | sent 5 fragments Sep 21 07:25:07.407574: | releasing whack for #2 (sock=fd@-1) Sep 21 07:25:07.407576: | releasing whack and unpending for parent #1 Sep 21 07:25:07.407580: | unpending state #1 connection "northnet-eastnets/0x1" Sep 21 07:25:07.407584: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:25:07.407588: | event_schedule: new EVENT_SA_REKEY-pe@0x55d43f5da130 Sep 21 07:25:07.407592: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Sep 21 07:25:07.407596: | libevent_malloc: new ptr-libevent@0x55d43f5d9bd0 size 128 Sep 21 07:25:07.407603: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Sep 21 07:25:07.407609: | #1 spent 18.2 milliseconds in resume sending helper answer Sep 21 07:25:07.407615: | stop processing: state #2 connection "northnet-eastnets/0x1" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21
07:25:07.407619: | libevent_free: release ptr-libevent@0x7f9fd4006b90 Sep 21 07:25:07.407633: | processing signal PLUTO_SIGCHLD Sep 21 07:25:07.407639: | waitpid returned ECHILD (no child processes left) Sep 21 07:25:07.407643: | spent 0.00586 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:25:07.407646: | processing signal PLUTO_SIGCHLD Sep 21 07:25:07.407649: | waitpid returned ECHILD (no child processes left) Sep 21 07:25:07.407653: | spent 0.00338 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:25:07.407655: | processing signal PLUTO_SIGCHLD Sep 21 07:25:07.407659: | waitpid returned ECHILD (no child processes left) Sep 21 07:25:07.407662: | spent 0.00326 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:25:07.561256: | spent 0.00283 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:25:07.561279: | *received 601 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500) Sep 21 07:25:07.561370: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:25:07.561373: | **parse ISAKMP Message: Sep 21 07:25:07.561376: | initiator cookie: Sep 21 07:25:07.561378: | 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:07.561380: | responder
cookie: Sep 21 07:25:07.561382: | 3c e7 fa 06 4d 25 7b d7 Sep 21 07:25:07.561385: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:25:07.561387: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:07.561390: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Sep 21 07:25:07.561392: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:25:07.561395: | Message ID: 2 (0x2) Sep 21 07:25:07.561397: | length: 601 (0x259) Sep 21 07:25:07.561400: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Sep 21 07:25:07.561403: | I am the IKE SA Original Responder receiving an IKEv2 CREATE_CHILD_SA request Sep 21 07:25:07.561407: | State DB: found IKEv2 state #1 in PARENT_R2 (find_v2_ike_sa) Sep 21 07:25:07.561414: | start processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:25:07.561416: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:25:07.561421: | [RE]START processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:25:07.561426: | #1 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Sep 21 07:25:07.561430: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 Sep 21 07:25:07.561432: | unpacking clear payload Sep 21 07:25:07.561435: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:25:07.561437: | ***parse IKEv2 Encryption Payload: Sep 21 07:25:07.561440: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:25:07.561442: | flags: none (0x0) Sep 21 07:25:07.561444: | length: 573 (0x23d) Sep 21 07:25:07.561447: | processing payload: ISAKMP_NEXT_v2SK (len=569) Sep 21 07:25:07.561451: | Message ID: start-responder #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=-1->2 Sep 21 07:25:07.561454: | #1 in state 
PARENT_R2: received v2I2, PARENT SA established Sep 21 07:25:07.561468: | #1 ikev2 ISAKMP_v2_CREATE_CHILD_SA decrypt success Sep 21 07:25:07.561471: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:25:07.561473: | **parse IKEv2 Security Association Payload: Sep 21 07:25:07.561476: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:25:07.561478: | flags: none (0x0) Sep 21 07:25:07.561480: | length: 196 (0xc4) Sep 21 07:25:07.561483: | processing payload: ISAKMP_NEXT_v2SA (len=192) Sep 21 07:25:07.561485: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 21 07:25:07.561487: | **parse IKEv2 Nonce Payload: Sep 21 07:25:07.561490: | next payload type: ISAKMP_NEXT_v2KE (0x22) Sep 21 07:25:07.561492: | flags: none (0x0) Sep 21 07:25:07.561494: | length: 36 (0x24) Sep 21 07:25:07.561496: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:25:07.561498: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:25:07.561501: | **parse IKEv2 Key Exchange Payload: Sep 21 07:25:07.561503: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Sep 21 07:25:07.561505: | flags: none (0x0) Sep 21 07:25:07.561508: | length: 264 (0x108) Sep 21 07:25:07.561510: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:07.561512: | processing payload: ISAKMP_NEXT_v2KE (len=256) Sep 21 07:25:07.561514: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:25:07.561517: | **parse IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:25:07.561519: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:25:07.561521: | flags: none (0x0) Sep 21 07:25:07.561523: | length: 24 (0x18) Sep 21 07:25:07.561526: | number of TS: 1 (0x1) Sep 21 07:25:07.561528: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:25:07.561530: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:25:07.561533: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:25:07.561535: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.561537: | flags: none 
(0x0) Sep 21 07:25:07.561539: | length: 24 (0x18) Sep 21 07:25:07.561541: | number of TS: 1 (0x1) Sep 21 07:25:07.561544: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Sep 21 07:25:07.561547: | state #1 forced to match CREATE_CHILD_SA from V2_CREATE_R->V2_IPSEC_R by ignoring from state Sep 21 07:25:07.561549: | selected state microcode Respond to CREATE_CHILD_SA IPsec SA Request Sep 21 07:25:07.561555: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:25:07.561559: | creating state object #3 at 0x55d43f5c4d60 Sep 21 07:25:07.561561: | State DB: adding IKEv2 state #3 in UNDEFINED Sep 21 07:25:07.561568: | pstats #3 ikev2.child started Sep 21 07:25:07.561571: | duplicating state object #1 "northnet-eastnets/0x2" as #3 for IPSEC SA Sep 21 07:25:07.561576: | #3 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:25:07.561582: | Message ID: init_child #1.#3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:25:07.561588: | child state #3: UNDEFINED(ignore) => V2_CREATE_R(established IKE SA) Sep 21 07:25:07.561593: | "northnet-eastnets/0x2" #1 received Child SA Request CREATE_CHILD_SA from 192.1.3.33:500 Child "northnet-eastnets/0x2" #3 in STATE_V2_CREATE_R will process it further Sep 21 07:25:07.561597: | Message ID: switch-from #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=2->-1 Sep 21 07:25:07.561602: | Message ID: switch-to #1.#3 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1->2 Sep 21 07:25:07.561604: | forcing ST #1 to CHILD #1.#3 in FSM processor Sep 21 07:25:07.561606: | Now let's proceed with state specific processing Sep 21 07:25:07.561609: | calling processor Respond to 
CREATE_CHILD_SA IPsec SA Request Sep 21 07:25:07.561613: | create child proposal's DH changed from no-PFS to MODP2048, flushing Sep 21 07:25:07.561617: | constructing ESP/AH proposals with default DH MODP2048 for northnet-eastnets/0x2 (CREATE_CHILD_SA responder matching remote ESP/AH proposals) Sep 21 07:25:07.561621: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Sep 21 07:25:07.561627: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=MODP2048;ESN=DISABLED Sep 21 07:25:07.561629: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Sep 21 07:25:07.561633: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=MODP2048;ESN=DISABLED Sep 21 07:25:07.561636: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Sep 21 07:25:07.561641: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Sep 21 07:25:07.561644: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Sep 21 07:25:07.561648: | ... 
ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Sep 21 07:25:07.561655: "northnet-eastnets/0x2": constructed local ESP/AH proposals for northnet-eastnets/0x2 (CREATE_CHILD_SA responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=MODP2048;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=MODP2048;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Sep 21 07:25:07.561659: | Comparing remote proposals against CREATE_CHILD_SA responder matching remote ESP/AH proposals 4 local proposals Sep 21 07:25:07.561662: | local proposal 1 type ENCR has 1 transforms Sep 21 07:25:07.561665: | local proposal 1 type PRF has 0 transforms Sep 21 07:25:07.561667: | local proposal 1 type INTEG has 1 transforms Sep 21 07:25:07.561669: | local proposal 1 type DH has 1 transforms Sep 21 07:25:07.561672: | local proposal 1 type ESN has 1 transforms Sep 21 07:25:07.561675: | local proposal 1 transforms: required: ENCR+DH+ESN; optional: INTEG Sep 21 07:25:07.561677: | local proposal 2 type ENCR has 1 transforms Sep 21 07:25:07.561679: | local proposal 2 type PRF has 0 transforms Sep 21 07:25:07.561682: | local proposal 2 type INTEG has 1 transforms Sep 21 07:25:07.561684: | local proposal 2 type DH has 1 transforms Sep 21 07:25:07.561686: | local proposal 2 type ESN has 1 transforms Sep 21 07:25:07.561689: | local proposal 2 transforms: required: ENCR+DH+ESN; optional: INTEG Sep 21 07:25:07.561691: | local proposal 3 type ENCR has 1 transforms Sep 21 07:25:07.561694: | local proposal 3 type PRF has 0 transforms Sep 21 07:25:07.561696: | local proposal 3 type INTEG has 2 transforms Sep 21 07:25:07.561698: | local proposal 3 type DH has 1 transforms Sep 21 07:25:07.561700: | local proposal 3 type ESN has 1 transforms Sep 21 07:25:07.561703: | local proposal 3 
transforms: required: ENCR+INTEG+DH+ESN; optional: none Sep 21 07:25:07.561706: | local proposal 4 type ENCR has 1 transforms Sep 21 07:25:07.561708: | local proposal 4 type PRF has 0 transforms Sep 21 07:25:07.561712: | local proposal 4 type INTEG has 2 transforms Sep 21 07:25:07.561714: | local proposal 4 type DH has 1 transforms Sep 21 07:25:07.561717: | local proposal 4 type ESN has 1 transforms Sep 21 07:25:07.561719: | local proposal 4 transforms: required: ENCR+INTEG+DH+ESN; optional: none Sep 21 07:25:07.561722: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:07.561725: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:07.561727: | length: 40 (0x28) Sep 21 07:25:07.561729: | prop #: 1 (0x1) Sep 21 07:25:07.561731: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:07.561734: | spi size: 4 (0x4) Sep 21 07:25:07.561736: | # transforms: 3 (0x3) Sep 21 07:25:07.561739: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:07.561741: | remote SPI ce a9 d9 04 Sep 21 07:25:07.561744: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..4] of 4 local proposals Sep 21 07:25:07.561747: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.561750: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.561752: | length: 12 (0xc) Sep 21 07:25:07.561754: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:07.561756: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:07.561759: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:07.561762: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:07.561764: | length/value: 256 (0x100) Sep 21 07:25:07.561768: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:25:07.561771: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.561773: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.561775: | length: 8 (0x8) Sep 21 
07:25:07.561778: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.561780: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:07.561787: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Sep 21 07:25:07.561793: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Sep 21 07:25:07.561796: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Sep 21 07:25:07.561799: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Sep 21 07:25:07.561801: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.561804: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:07.561806: | length: 8 (0x8) Sep 21 07:25:07.561808: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:07.561810: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:07.561814: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:25:07.561817: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Sep 21 07:25:07.561820: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Sep 21 07:25:07.561823: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Sep 21 07:25:07.561826: | remote proposal 1 proposed transforms: ENCR+DH+ESN; matched: ENCR+DH+ESN; unmatched: none Sep 21 07:25:07.561830: | comparing remote proposal 1 containing ENCR+DH+ESN transforms to local proposal 1; required: ENCR+DH+ESN; optional: INTEG; matched: ENCR+DH+ESN Sep 21 07:25:07.561833: | remote proposal 1 matches local proposal 1 Sep 21 07:25:07.561835: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:07.561838: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:07.561840: | length: 40 (0x28) Sep 21 07:25:07.561842: | prop #: 2 (0x2) Sep 21 
07:25:07.561844: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:07.561846: | spi size: 4 (0x4) Sep 21 07:25:07.561849: | # transforms: 3 (0x3) Sep 21 07:25:07.561851: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:07.561855: | remote SPI ce a9 d9 04 Sep 21 07:25:07.561858: | Comparing remote proposal 2 containing 3 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:07.561861: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.561863: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.561865: | length: 12 (0xc) Sep 21 07:25:07.561867: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:07.561870: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:07.561872: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:07.561874: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:07.561877: | length/value: 128 (0x80) Sep 21 07:25:07.561879: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.561882: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.561884: | length: 8 (0x8) Sep 21 07:25:07.561886: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.561889: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:07.561891: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.561893: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:07.561896: | length: 8 (0x8) Sep 21 07:25:07.561898: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:07.561900: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:07.561903: | remote proposal 2 proposed transforms: ENCR+DH+ESN; matched: none; unmatched: ENCR+DH+ESN Sep 21 07:25:07.561906: | remote proposal 2 does not match; unmatched remote transforms: ENCR+DH+ESN Sep 21 07:25:07.561909: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:07.561911: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:07.561913: | length: 56 (0x38) Sep 21 
07:25:07.561915: | prop #: 3 (0x3) Sep 21 07:25:07.561918: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:07.561920: | spi size: 4 (0x4) Sep 21 07:25:07.561922: | # transforms: 5 (0x5) Sep 21 07:25:07.561925: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:07.561927: | remote SPI ce a9 d9 04 Sep 21 07:25:07.561929: | Comparing remote proposal 3 containing 5 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:07.561932: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.561934: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.561936: | length: 12 (0xc) Sep 21 07:25:07.561939: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:07.561941: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:25:07.561943: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:07.561946: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:07.561948: | length/value: 256 (0x100) Sep 21 07:25:07.561951: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.561953: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.561955: | length: 8 (0x8) Sep 21 07:25:07.561958: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:07.561960: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:25:07.561962: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.561965: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.561967: | length: 8 (0x8) Sep 21 07:25:07.561969: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:07.561971: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:25:07.561974: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.561976: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.561978: | length: 8 (0x8) Sep 21 07:25:07.561981: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.561983: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:07.561986: | 
****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.561988: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:07.561990: | length: 8 (0x8) Sep 21 07:25:07.561992: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:07.561996: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:07.561999: | remote proposal 3 proposed transforms: ENCR+INTEG+DH+ESN; matched: none; unmatched: ENCR+INTEG+DH+ESN Sep 21 07:25:07.562002: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+DH+ESN Sep 21 07:25:07.562004: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:07.562007: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:25:07.562009: | length: 56 (0x38) Sep 21 07:25:07.562011: | prop #: 4 (0x4) Sep 21 07:25:07.562013: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:07.562015: | spi size: 4 (0x4) Sep 21 07:25:07.562018: | # transforms: 5 (0x5) Sep 21 07:25:07.562020: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:07.562023: | remote SPI ce a9 d9 04 Sep 21 07:25:07.562025: | Comparing remote proposal 4 containing 5 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:07.562028: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.562030: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.562032: | length: 12 (0xc) Sep 21 07:25:07.562034: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:07.562037: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:25:07.562039: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:07.562041: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:07.562044: | length/value: 128 (0x80) Sep 21 07:25:07.562046: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.562049: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.562051: | length: 8 (0x8) Sep 21 07:25:07.562053: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:07.562055: | IKEv2 transform ID: 
AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:25:07.562058: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.562060: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.562062: | length: 8 (0x8) Sep 21 07:25:07.562065: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:07.562067: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:25:07.562069: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.562072: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.562074: | length: 8 (0x8) Sep 21 07:25:07.562076: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.562078: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:07.562081: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:07.562083: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:07.562085: | length: 8 (0x8) Sep 21 07:25:07.562088: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:07.562090: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:07.562093: | remote proposal 4 proposed transforms: ENCR+INTEG+DH+ESN; matched: none; unmatched: ENCR+INTEG+DH+ESN Sep 21 07:25:07.562096: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+DH+ESN Sep 21 07:25:07.562101: "northnet-eastnets/0x2" #1: proposal 1:ESP:SPI=cea9d904;ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;DH=MODP2048;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Sep 21 07:25:07.562106: | CREATE_CHILD_SA responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=cea9d904;ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED Sep 21 07:25:07.562108: | converting proposal to internal trans attrs Sep 21 07:25:07.562113: | updating #3's .st_oakley with preserved 
PRF, but why update? Sep 21 07:25:07.562116: | Child SA TS Request has child->sa == md->st; so using child connection Sep 21 07:25:07.562118: | TSi: parsing 1 traffic selectors Sep 21 07:25:07.562121: | ***parse IKEv2 Traffic Selector: Sep 21 07:25:07.562124: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:07.562127: | IP Protocol ID: 0 (0x0) Sep 21 07:25:07.562129: | length: 16 (0x10) Sep 21 07:25:07.562131: | start port: 0 (0x0) Sep 21 07:25:07.562134: | end port: 65535 (0xffff) Sep 21 07:25:07.562136: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:25:07.562138: | TS low c0 00 03 00 Sep 21 07:25:07.562141: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:25:07.562143: | TS high c0 00 03 ff Sep 21 07:25:07.562146: | TSi: parsed 1 traffic selectors Sep 21 07:25:07.562148: | TSr: parsing 1 traffic selectors Sep 21 07:25:07.562150: | ***parse IKEv2 Traffic Selector: Sep 21 07:25:07.562153: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:07.562155: | IP Protocol ID: 0 (0x0) Sep 21 07:25:07.562157: | length: 16 (0x10) Sep 21 07:25:07.562159: | start port: 0 (0x0) Sep 21 07:25:07.562161: | end port: 65535 (0xffff) Sep 21 07:25:07.562164: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:25:07.562166: | TS low c0 00 16 00 Sep 21 07:25:07.562168: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:25:07.562170: | TS high c0 00 16 ff Sep 21 07:25:07.562173: | TSr: parsed 1 traffic selectors Sep 21 07:25:07.562175: | looking for best SPD in current connection Sep 21 07:25:07.562181: | evaluating our conn="northnet-eastnets/0x2" I=192.0.3.0/24:0:0/0 R=192.0.22.0/24:0:0/0 to their: Sep 21 07:25:07.562186: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:07.562193: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:25:07.562196: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 
07:25:07.562198: | TSi[0] port match: YES fitness 65536 Sep 21 07:25:07.562201: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:25:07.562204: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:07.562208: | TSr[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:07.562214: | match address end->client=192.0.22.0/24 == TSr[0]net=192.0.22.0-192.0.22.255: YES fitness 32 Sep 21 07:25:07.562217: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:25:07.562219: | TSr[0] port match: YES fitness 65536 Sep 21 07:25:07.562221: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:25:07.562224: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:07.562227: | best fit so far: TSi[0] TSr[0] Sep 21 07:25:07.562229: | found better spd route for TSi[0],TSr[0] Sep 21 07:25:07.562231: | looking for better host pair Sep 21 07:25:07.562236: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:25:07.562241: | checking hostpair 192.0.22.0/24:0 -> 192.0.3.0/24:0 is found Sep 21 07:25:07.562244: | investigating connection "northnet-eastnets/0x2" as a better match Sep 21 07:25:07.562256: | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org Sep 21 07:25:07.562264: | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org Sep 21 07:25:07.562267: | results matched Sep 21 07:25:07.562274: | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' Sep 21 07:25:07.562281: | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' Sep 21 07:25:07.562291: | evaluating our conn="northnet-eastnets/0x2" I=192.0.3.0/24:0:0/0 
R=192.0.22.0/24:0:0/0 to their: Sep 21 07:25:07.562299: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:07.562304: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:25:07.562313: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:25:07.562318: | TSi[0] port match: YES fitness 65536 Sep 21 07:25:07.562321: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:25:07.562324: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:07.562329: | TSr[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:07.562335: | match address end->client=192.0.22.0/24 == TSr[0]net=192.0.22.0-192.0.22.255: YES fitness 32 Sep 21 07:25:07.562338: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:25:07.562341: | TSr[0] port match: YES fitness 65536 Sep 21 07:25:07.562344: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:25:07.562347: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:07.562349: | best fit so far: TSi[0] TSr[0] Sep 21 07:25:07.562352: | investigating connection "northnet-eastnets/0x1" as a better match Sep 21 07:25:07.562362: | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org Sep 21 07:25:07.562371: | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org Sep 21 07:25:07.562373: | results matched Sep 21 07:25:07.562382: | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' Sep 21 07:25:07.562390: | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' Sep 21 07:25:07.562396: | evaluating our conn="northnet-eastnets/0x1" 
I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:25:07.562400: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:07.562406: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:25:07.562409: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:25:07.562412: | TSi[0] port match: YES fitness 65536 Sep 21 07:25:07.562414: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:25:07.562417: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:07.562422: | TSr[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:07.562428: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.22.0-192.0.22.255: NO Sep 21 07:25:07.562430: | did not find a better connection using host pair Sep 21 07:25:07.562433: | printing contents struct traffic_selector Sep 21 07:25:07.562435: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:25:07.562437: | ipprotoid: 0 Sep 21 07:25:07.562440: | port range: 0-65535 Sep 21 07:25:07.562443: | ip range: 192.0.22.0-192.0.22.255 Sep 21 07:25:07.562446: | printing contents struct traffic_selector Sep 21 07:25:07.562448: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:25:07.562450: | ipprotoid: 0 Sep 21 07:25:07.562452: | port range: 0-65535 Sep 21 07:25:07.562456: | ip range: 192.0.3.0-192.0.3.255 Sep 21 07:25:07.562460: | adding Child Responder KE and nonce nr work-order 3 for state #3 Sep 21 07:25:07.562463: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7f9fdc002b20 Sep 21 07:25:07.562467: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 Sep 21 07:25:07.562470: | libevent_malloc: new ptr-libevent@0x7f9fd4006b90 size 128 Sep 21 07:25:07.562473: | libevent_realloc: release ptr-libevent@0x55d43f5970d0 Sep 21 07:25:07.562476: | libevent_realloc: new ptr-libevent@0x55d43f590da0 size 128 Sep 21 07:25:07.562487: | #3 spent 0.87 milliseconds in processing: Respond to CREATE_CHILD_SA 
IPsec SA Request in ikev2_process_state_packet() Sep 21 07:25:07.562492: | suspend processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:07.562491: | crypto helper 0 resuming Sep 21 07:25:07.562513: | crypto helper 0 starting work-order 3 for state #3 Sep 21 07:25:07.562519: | crypto helper 0 doing build KE and nonce (Child Responder KE and nonce nr); request ID 3 Sep 21 07:25:07.563536: | crypto helper 0 finished build KE and nonce (Child Responder KE and nonce nr); request ID 3 time elapsed 0.001017 seconds Sep 21 07:25:07.563547: | (#3) spent 1.02 milliseconds in crypto helper computing work-order 3: Child Responder KE and nonce nr (pcr) Sep 21 07:25:07.563551: | crypto helper 0 sending results from work-order 3 for state #3 to event queue Sep 21 07:25:07.563554: | scheduling resume sending helper answer for #3 Sep 21 07:25:07.563558: | libevent_malloc: new ptr-libevent@0x7f9fd8006900 size 128 Sep 21 07:25:07.563564: | crypto helper 0 waiting (nothing to do) Sep 21 07:25:07.562501: | start processing: state #3 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:07.563575: | #3 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_SUSPEND Sep 21 07:25:07.563578: | suspending state #3 and saving MD Sep 21 07:25:07.563581: | #3 is busy; has a suspended MD Sep 21 07:25:07.563587: | [RE]START processing: state #3 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:25:07.563591: | "northnet-eastnets/0x2" #3 complete v2 state STATE_V2_CREATE_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:25:07.563597: | stop processing: state #3 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:25:07.563602: | #1 spent 1.27 milliseconds in ikev2_process_packet() Sep 
21 07:25:07.563607: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:25:07.563610: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:25:07.563613: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:25:07.563617: | spent 1.28 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:25:07.563626: | processing resume sending helper answer for #3 Sep 21 07:25:07.563632: | start processing: state #3 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:25:07.563635: | crypto helper 0 replies to request ID 3 Sep 21 07:25:07.563638: | calling continuation function 0x55d43e00a630 Sep 21 07:25:07.563641: | ikev2_child_inIoutR_continue for #3 STATE_V2_CREATE_R Sep 21 07:25:07.563646: | adding DHv2 for child sa work-order 4 for state #3 Sep 21 07:25:07.563650: | state #3 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:25:07.563654: | libevent_free: release ptr-libevent@0x7f9fd4006b90 Sep 21 07:25:07.563657: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7f9fdc002b20 Sep 21 07:25:07.563660: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7f9fdc002b20 Sep 21 07:25:07.563664: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 Sep 21 07:25:07.563667: | libevent_malloc: new ptr-libevent@0x7f9fd4006b90 size 128 Sep 21 07:25:07.563677: | [RE]START processing: state #3 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:07.563680: | #3 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_SUSPEND Sep 21 07:25:07.563683: | suspending state #3 and saving MD Sep 21 07:25:07.563686: | #3 is busy; has a suspended MD Sep 21 07:25:07.563691: | [RE]START processing: state #3 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:25:07.563694: | "northnet-eastnets/0x2" #3 complete v2 
state STATE_V2_CREATE_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:25:07.563698: | resume sending helper answer for #3 suppresed complete_v2_state_transition() and stole MD Sep 21 07:25:07.563705: | #3 spent 0.0691 milliseconds in resume sending helper answer Sep 21 07:25:07.563711: | stop processing: state #3 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:25:07.563714: | libevent_free: release ptr-libevent@0x7f9fd8006900 Sep 21 07:25:07.563722: | crypto helper 6 resuming Sep 21 07:25:07.563727: | crypto helper 6 starting work-order 4 for state #3 Sep 21 07:25:07.563731: | crypto helper 6 doing crypto (DHv2 for child sa); request ID 4 Sep 21 07:25:07.564710: | crypto helper 6 finished crypto (DHv2 for child sa); request ID 4 time elapsed 0.000979 seconds Sep 21 07:25:07.564719: | (#3) spent 0.985 milliseconds in crypto helper computing work-order 4: DHv2 for child sa (dh) Sep 21 07:25:07.564723: | crypto helper 6 sending results from work-order 4 for state #3 to event queue Sep 21 07:25:07.564726: | scheduling resume sending helper answer for #3 Sep 21 07:25:07.564729: | libevent_malloc: new ptr-libevent@0x7f9fcc001ef0 size 128 Sep 21 07:25:07.564736: | crypto helper 6 waiting (nothing to do) Sep 21 07:25:07.564744: | processing resume sending helper answer for #3 Sep 21 07:25:07.564750: | start processing: state #3 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:25:07.564753: | crypto helper 6 replies to request ID 4 Sep 21 07:25:07.564756: | calling continuation function 0x55d43e00b4f0 Sep 21 07:25:07.564759: | ikev2_child_inIoutR_continue_continue for #3 STATE_V2_CREATE_R Sep 21 07:25:07.564766: | **emit ISAKMP Message: Sep 21 07:25:07.564768: | initiator cookie: Sep 21 07:25:07.564771: | 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:07.564773: | responder cookie: Sep 21 07:25:07.564776: | 3c e7 fa 06 4d 25 7b d7 Sep 
21 07:25:07.564779: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:07.564782: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:07.564792: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Sep 21 07:25:07.564796: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:25:07.564798: | Message ID: 2 (0x2) Sep 21 07:25:07.564801: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:25:07.564805: | ***emit IKEv2 Encryption Payload: Sep 21 07:25:07.564808: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.564810: | flags: none (0x0) Sep 21 07:25:07.564814: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:25:07.564817: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:25:07.564820: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:25:07.564845: | netlink_get_spi: allocated 0xa9c17fa2 for esp.0@192.1.2.23 Sep 21 07:25:07.564848: | Emitting ikev2_proposal ... 
Sep 21 07:25:07.564851: | ****emit IKEv2 Security Association Payload: Sep 21 07:25:07.564854: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.564856: | flags: none (0x0) Sep 21 07:25:07.564860: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:25:07.564863: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:25:07.564866: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:25:07.564869: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:25:07.564871: | prop #: 1 (0x1) Sep 21 07:25:07.564874: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:07.564876: | spi size: 4 (0x4) Sep 21 07:25:07.564879: | # transforms: 3 (0x3) Sep 21 07:25:07.564882: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:25:07.564885: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:25:07.564888: | our spi a9 c1 7f a2 Sep 21 07:25:07.564893: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:25:07.564895: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.564898: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:07.564901: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:07.564904: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:07.564907: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:25:07.564910: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:07.564913: | length/value: 256 (0x100) Sep 21 07:25:07.564915: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:25:07.564918: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:25:07.564921: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 
07:25:07.564923: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:07.564926: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:07.564929: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.564932: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:07.564935: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:25:07.564937: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:25:07.564940: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:07.564943: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:07.564945: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:07.564948: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:07.564951: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:07.564954: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:25:07.564956: | emitting length of IKEv2 Proposal Substructure Payload: 40 Sep 21 07:25:07.564959: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:25:07.564962: | emitting length of IKEv2 Security Association Payload: 44 Sep 21 07:25:07.564965: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:25:07.564967: | ****emit IKEv2 Nonce Payload: Sep 21 07:25:07.564970: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.564973: | flags: none (0x0) Sep 21 07:25:07.564976: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next 
payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:25:07.564979: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:25:07.564982: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:25:07.564984: | IKEv2 nonce 59 44 a2 11 a7 8d 80 59 8a 5f 9b 90 d0 b6 8f 07 Sep 21 07:25:07.564987: | IKEv2 nonce b2 a0 6e 7d aa 93 0b de d9 4f fa a2 ad a6 f9 4e Sep 21 07:25:07.564990: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:25:07.564992: | ****emit IKEv2 Key Exchange Payload: Sep 21 07:25:07.564995: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.564997: | flags: none (0x0) Sep 21 07:25:07.565000: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:07.565003: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 07:25:07.565006: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:25:07.565009: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Sep 21
07:25:07.565052: | emitting length of IKEv2 Key Exchange Payload: 264 Sep 21 07:25:07.565056: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:25:07.565058: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.565061: | flags: none (0x0) Sep 21 07:25:07.565063: | number of TS: 1 (0x1) Sep 21 07:25:07.565067: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:25:07.565070: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:25:07.565072: | *****emit IKEv2 Traffic Selector: Sep 21 07:25:07.565075: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:07.565077: | IP Protocol ID: 0 (0x0) Sep 21 07:25:07.565080: | start port: 0 (0x0) Sep 21 07:25:07.565082: | end port: 65535 (0xffff) Sep 21 07:25:07.565086: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:25:07.565088: | IP start c0 00 03 00 Sep 21 07:25:07.565091: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:25:07.565093: | IP end c0 00 03 ff Sep 21 07:25:07.565096: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:25:07.565099: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:25:07.565101: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:25:07.565104: | next payload type: 
ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:07.565106: | flags: none (0x0) Sep 21 07:25:07.565109: | number of TS: 1 (0x1) Sep 21 07:25:07.565112: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:25:07.565115: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:25:07.565117: | *****emit IKEv2 Traffic Selector: Sep 21 07:25:07.565120: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:07.565123: | IP Protocol ID: 0 (0x0) Sep 21 07:25:07.565125: | start port: 0 (0x0) Sep 21 07:25:07.565128: | end port: 65535 (0xffff) Sep 21 07:25:07.565130: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:25:07.565133: | IP start c0 00 16 00 Sep 21 07:25:07.565135: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:25:07.565138: | IP end c0 00 16 ff Sep 21 07:25:07.565140: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:25:07.565143: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:25:07.565147: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:25:07.565151: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Sep 21 07:25:07.565335: | install_ipsec_sa() for #3: inbound and outbound Sep 21 07:25:07.565340: | could_route called for northnet-eastnets/0x2 (kind=CK_PERMANENT) Sep 21 07:25:07.565343: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:25:07.565346: | conn northnet-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:25:07.565349: | conn northnet-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:25:07.565352: | conn northnet-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:25:07.565355: | conn northnet-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:25:07.565361: | route owner of "northnet-eastnets/0x2" unrouted: "northnet-eastnets/0x1" erouted; eroute owner: NULL Sep 21 07:25:07.565365: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Sep 21 07:25:07.565368: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Sep 21 07:25:07.565371: | AES_GCM_16 requires 4 salt bytes Sep 21 07:25:07.565374: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Sep 21 07:25:07.565378: | setting IPsec SA replay-window to 32 Sep 21 07:25:07.565381: | NIC esp-hw-offload not for connection 'northnet-eastnets/0x2' not available on interface eth1 Sep 21 07:25:07.565385: | netlink: enabling tunnel mode Sep 21 07:25:07.565388: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:25:07.565391: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:25:07.565636: | netlink response for Add SA esp.cea9d904@192.1.3.33 included non-error error Sep 21 07:25:07.565642: | set up outgoing SA, ref=0/0 Sep 21 07:25:07.565646: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Sep 21 07:25:07.565650: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Sep 21 07:25:07.565652: | AES_GCM_16 requires 4 salt bytes Sep 21 07:25:07.565655: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Sep 21 07:25:07.565660: | setting IPsec SA replay-window to 32 Sep 21 07:25:07.565663: | NIC esp-hw-offload not for connection 'northnet-eastnets/0x2' not available on interface eth1 Sep 21 07:25:07.565666: | netlink: enabling tunnel mode Sep 21 07:25:07.565669: | netlink: 
setting IPsec SA replay-window to 32 using old-style req Sep 21 07:25:07.565672: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:25:07.565811: | netlink response for Add SA esp.a9c17fa2@192.1.2.23 included non-error error Sep 21 07:25:07.565820: | priority calculation of connection "northnet-eastnets/0x2" is 0xfe7e7 Sep 21 07:25:07.565829: | add inbound eroute 192.0.3.0/24:0 --0-> 192.0.22.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Sep 21 07:25:07.565833: | IPsec Sa SPD priority set to 1042407 Sep 21 07:25:07.566040: | raw_eroute result=success Sep 21 07:25:07.566046: | set up incoming SA, ref=0/0 Sep 21 07:25:07.566049: | sr for #3: unrouted Sep 21 07:25:07.566052: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:25:07.566055: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:25:07.566059: | conn northnet-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:25:07.566062: | conn northnet-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:25:07.566065: | conn northnet-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:25:07.566068: | conn northnet-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:25:07.566074: | route owner of "northnet-eastnets/0x2" unrouted: "northnet-eastnets/0x1" erouted; eroute owner: NULL Sep 21 07:25:07.566078: | route_and_eroute with c: northnet-eastnets/0x2 (next: none) ero:null esr:{(nil)} ro:northnet-eastnets/0x1 rosr:{0x55d43f5b51b0} and state: #3 Sep 21 07:25:07.566081: | priority calculation of connection "northnet-eastnets/0x2" is 0xfe7e7 Sep 21 07:25:07.566090: | eroute_connection add eroute 192.0.22.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33 (raw_eroute) Sep 21 07:25:07.566093: | IPsec Sa SPD priority set to 1042407 Sep 21 07:25:07.566197: | raw_eroute result=success Sep 21 07:25:07.566203: | running updown command "ipsec _updown" for verb up Sep 21 07:25:07.566207: | command executing up-client Sep 21 07:25:07.566247: | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, 
O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' Sep 21 07:25:07.566256: | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' Sep 21 07:25:07.566335: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnets/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.22.0/24' PLUTO_MY_CLIENT_NET='192.0.22.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY=' Sep 21 07:25:07.566342: | popen cmd is 1405 chars long Sep 21 07:25:07.566345: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnets/0: Sep 21 07:25:07.566348: | cmd( 80):x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PL: Sep 21 07:25:07.566351: | cmd( 160):UTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east: Sep 21 07:25:07.566355: | cmd( 240):.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.: Sep 21 07:25:07.566357: | cmd( 320):0.22.0/24' PLUTO_MY_CLIENT_NET='192.0.22.0' PLUTO_MY_CLIENT_MASK='255.255.255.0': Sep 21 07:25:07.566360: | cmd( 400): 
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='E: Sep 21 07:25:07.566363: | cmd( 480):SP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libres: Sep 21 07:25:07.566366: | cmd( 560):wan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.li: Sep 21 07:25:07.566369: | cmd( 640):breswan.org' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' : Sep 21 07:25:07.566372: | cmd( 720):PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=': Sep 21 07:25:07.566375: | cmd( 800):0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, : Sep 21 07:25:07.566378: | cmd( 880):CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' P: Sep 21 07:25:07.566381: | cmd( 960):LUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_: Sep 21 07:25:07.566384: | cmd(1040):TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMIL: Sep 21 07:25:07.566387: | cmd(1120):Y='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEE: Sep 21 07:25:07.566390: | cmd(1200):R_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' : Sep 21 07:25:07.566392: | cmd(1280):PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xc: Sep 21 07:25:07.566395: | cmd(1360):ea9d904 SPI_OUT=0xa9c17fa2 ipsec _updown 2>&1: Sep 21 07:25:07.582161: | route_and_eroute: firewall_notified: true Sep 21 07:25:07.582181: | route_and_eroute: instance "northnet-eastnets/0x2", setting eroute_owner {spd=0x55d43f5be4c0,sr=0x55d43f5be4c0} to #3 (was #0) (newest_ipsec_sa=#0) Sep 21 07:25:07.582369: | #1 spent 0.76 milliseconds in install_ipsec_sa() Sep 21 07:25:07.582377: | ISAKMP_v2_CREATE_CHILD_SA: instance northnet-eastnets/0x2[0], setting IKEv2 newest_ipsec_sa to #3 (was #0) (spd.eroute=#3) cloned from #1 Sep 21 07:25:07.582384: | adding 1 bytes of padding 
(including 1 byte padding-length) Sep 21 07:25:07.582389: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:25:07.582397: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:25:07.582401: | emitting length of IKEv2 Encryption Payload: 421 Sep 21 07:25:07.582404: | emitting length of ISAKMP Message: 449 Sep 21 07:25:07.582436: "northnet-eastnets/0x2" #3: negotiated new IPsec SA [192.0.22.0-192.0.22.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Sep 21 07:25:07.582448: | [RE]START processing: state #3 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:07.582453: | #3 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_OK Sep 21 07:25:07.582456: | IKEv2: transition from state STATE_V2_CREATE_R to state STATE_V2_IPSEC_R Sep 21 07:25:07.582460: | child state #3: V2_CREATE_R(established IKE SA) => V2_IPSEC_R(established CHILD SA) Sep 21 07:25:07.582463: | Message ID: updating counters for #3 to 2 after switching state Sep 21 07:25:07.582469: | Message ID: recv #1.#3 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1->2; child: wip.initiator=-1 wip.responder=2->-1 Sep 21 07:25:07.582474: | Message ID: sent #1.#3 response 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1->2 responder.recv=2; child: wip.initiator=-1 wip.responder=-1 Sep 21 07:25:07.582476: | pstats #3 ikev2.child established Sep 21 07:25:07.582484: "northnet-eastnets/0x2" #3: negotiated connection [192.0.22.0-192.0.22.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Sep 21 07:25:07.582487: | NAT-T: encaps is 'auto' Sep 21 07:25:07.582492: "northnet-eastnets/0x2" #3: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0xcea9d904 <0xa9c17fa2 xfrm=AES_GCM_16_256-NONE-MODP2048 NATOA=none NATD=none DPD=passive} Sep 21 07:25:07.582498: | sending V2 new request packet to 
192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:25:07.582503: | sending 449 bytes for STATE_V2_CREATE_R through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Sep 21 07:25:07.582626: | releasing whack for #3 (sock=fd@-1) Sep 21 07:25:07.582631: | releasing whack and unpending for parent #1 Sep 21 07:25:07.582634: | unpending state #1 connection "northnet-eastnets/0x2" Sep 21 07:25:07.582638: | #3 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:25:07.582642: | state #3 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:25:07.582647: | libevent_free: release ptr-libevent@0x7f9fd4006b90 Sep 21 07:25:07.582650: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7f9fdc002b20 Sep 21 07:25:07.582654: | event_schedule: new EVENT_SA_REKEY-pe@0x7f9fd8002b20 Sep 21 07:25:07.582658: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #3 Sep 21 07:25:07.582661: | libevent_malloc: new ptr-libevent@0x7f9fd4006b90 size 128 Sep 21 07:25:07.582669: | #3 spent 1.61 milliseconds in resume sending helper answer Sep 21 07:25:07.582675: | stop processing: state #3 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:25:07.582678: | libevent_free: release ptr-libevent@0x7f9fcc001ef0 Sep 21 07:25:07.582690: | processing signal PLUTO_SIGCHLD Sep 21 07:25:07.582697: | waitpid returned ECHILD (no child processes left) Sep 21 07:25:07.582702: | spent 0.0059 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:25:10.273896: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:10.274124: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:25:10.274129: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:25:10.274369: | FOR_EACH_STATE_...
in show_states_status (sort_states) Sep 21 07:25:10.274375: | FOR_EACH_STATE_... in sort_states Sep 21 07:25:10.274386: | get_sa_info esp.c8a37905@192.1.2.23 Sep 21 07:25:10.274407: | get_sa_info esp.559b2361@192.1.3.33 Sep 21 07:25:10.274430: | get_sa_info esp.a9c17fa2@192.1.2.23 Sep 21 07:25:10.274440: | get_sa_info esp.cea9d904@192.1.3.33 Sep 21 07:25:10.274463: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:10.274471: | spent 0.553 milliseconds in whack Sep 21 07:25:11.427172: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:11.427194: shutting down Sep 21 07:25:11.427203: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Sep 21 07:25:11.427206: | pluto_sd: executing action action: stopping(6), status 0 Sep 21 07:25:11.427212: destroying root certificate cache Sep 21 07:25:11.427228: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:25:11.427231: forgetting secrets Sep 21 07:25:11.427236: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:25:11.427248: | unreference key: 0x55d43f5c0060 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- Sep 21 07:25:11.427253: | unreference key: 0x55d43f5bfee0 user-east@testing.libreswan.org cnt 1-- Sep 21 07:25:11.427257: | unreference key: 0x55d43f5bf990 @east.testing.libreswan.org cnt 1-- Sep 21 07:25:11.427261: | unreference key: 0x55d43f5bf550 east@testing.libreswan.org cnt 1-- Sep 21 07:25:11.427266: | unreference key: 0x55d43f5ba430 192.1.2.23 cnt 1-- Sep 21 07:25:11.427275: | unreference key: 0x55d43f5b9ff0 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org cnt 1-- Sep 21 07:25:11.427279: | unreference key: 0x55d43f5b6570 user-north@testing.libreswan.org cnt 1-- Sep 21 07:25:11.427287: | unreference 
key: 0x55d43f5b5fb0 @north.testing.libreswan.org cnt 1-- Sep 21 07:25:11.427292: | start processing: connection "northnet-eastnets/0x2" (in delete_connection() at connections.c:189) Sep 21 07:25:11.427295: | Deleting states for connection - including all other IPsec SA's of this IKE SA Sep 21 07:25:11.427297: | pass 0 Sep 21 07:25:11.427300: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:25:11.427302: | state #3 Sep 21 07:25:11.427306: | suspend processing: connection "northnet-eastnets/0x2" (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:25:11.427311: | start processing: state #3 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:25:11.427314: | pstats #3 ikev2.child deleted completed Sep 21 07:25:11.427319: | #3 spent 4.56 milliseconds in total Sep 21 07:25:11.427323: | [RE]START processing: state #3 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in delete_state() at state.c:879) Sep 21 07:25:11.427327: "northnet-eastnets/0x2" #3: deleting state (STATE_V2_IPSEC_R) aged 3.865s and sending notification Sep 21 07:25:11.427330: | child state #3: V2_IPSEC_R(established CHILD SA) => delete Sep 21 07:25:11.427336: | get_sa_info esp.cea9d904@192.1.3.33 Sep 21 07:25:11.427351: | get_sa_info esp.a9c17fa2@192.1.2.23 Sep 21 07:25:11.427358: "northnet-eastnets/0x2" #3: ESP traffic information: in=168B out=168B Sep 21 07:25:11.427361: | #3 send IKEv2 delete notification for STATE_V2_IPSEC_R Sep 21 07:25:11.427364: | Opening output PBS informational exchange delete request Sep 21 07:25:11.427367: | **emit ISAKMP Message: Sep 21 07:25:11.427370: | initiator cookie: Sep 21 07:25:11.427372: | 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:11.427374: | responder cookie: Sep 21 07:25:11.427376: | 3c e7 fa 06 4d 25 7b d7 Sep 21 07:25:11.427379: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:11.427382: | ISAKMP version: IKEv2 version 2.0 
(rfc4306/rfc5996) (0x20) Sep 21 07:25:11.427384: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:25:11.427387: | flags: none (0x0) Sep 21 07:25:11.427389: | Message ID: 0 (0x0) Sep 21 07:25:11.427392: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:25:11.427395: | ***emit IKEv2 Encryption Payload: Sep 21 07:25:11.427398: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:11.427400: | flags: none (0x0) Sep 21 07:25:11.427403: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:25:11.427406: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:25:11.427409: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:25:11.427417: | ****emit IKEv2 Delete Payload: Sep 21 07:25:11.427420: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:11.427422: | flags: none (0x0) Sep 21 07:25:11.427424: | protocol ID: PROTO_v2_ESP (0x3) Sep 21 07:25:11.427427: | SPI size: 4 (0x4) Sep 21 07:25:11.427429: | number of SPIs: 1 (0x1) Sep 21 07:25:11.427432: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:25:11.427435: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:25:11.427438: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Sep 21 07:25:11.427440: | local spis a9 c1 7f a2 Sep 21 07:25:11.427443: | emitting length of IKEv2 Delete Payload: 12 Sep 21 07:25:11.427445: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:25:11.427449: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:25:11.427452: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption 
Payload Sep 21 07:25:11.427456: | emitting length of IKEv2 Encryption Payload: 41 Sep 21 07:25:11.427458: | emitting length of ISAKMP Message: 69 Sep 21 07:25:11.427482: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #3) Sep 21 07:25:11.427485: | 9e f0 dc 87 3c 6f c0 43 3c e7 fa 06 4d 25 7b d7 Sep 21 07:25:11.427488: | 2e 20 25 00 00 00 00 00 00 00 00 45 2a 00 00 29 Sep 21 07:25:11.427490: | 85 cc 12 ce 95 ec bc 47 0f be d8 19 8a 1e 3d b7 Sep 21 07:25:11.427492: | 46 2e 1c 8d 68 20 f7 b8 3b 27 18 1d 2a fa 99 2c Sep 21 07:25:11.427494: | 08 38 a8 c0 7b Sep 21 07:25:11.427539: | Message ID: IKE #1 sender #3 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Sep 21 07:25:11.427543: | Message ID: IKE #1 sender #3 in send_delete hacking around record ' send Sep 21 07:25:11.427548: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1->0 wip.responder=-1 Sep 21 07:25:11.427551: | state #3 requesting EVENT_SA_REKEY to be deleted Sep 21 07:25:11.427556: | libevent_free: release ptr-libevent@0x7f9fd4006b90 Sep 21 07:25:11.427558: | free_event_entry: release EVENT_SA_REKEY-pe@0x7f9fd8002b20 Sep 21 07:25:11.427752: | running updown command "ipsec _updown" for verb down Sep 21 07:25:11.427758: | command executing down-client Sep 21 07:25:11.427814: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnets/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.22.0/24' PLUTO_MY_CLIENT_NET='192.0.22.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='C=CA, 
ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050707' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' P Sep 21 07:25:11.427821: | popen cmd is 1298 chars long Sep 21 07:25:11.427824: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnets: Sep 21 07:25:11.427827: | cmd( 80):/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' : Sep 21 07:25:11.427830: | cmd( 160):PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=ea: Sep 21 07:25:11.427832: | cmd( 240):st.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='19: Sep 21 07:25:11.427835: | cmd( 320):2.0.22.0/24' PLUTO_MY_CLIENT_NET='192.0.22.0' PLUTO_MY_CLIENT_MASK='255.255.255.: Sep 21 07:25:11.427838: | cmd( 400):0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE=: Sep 21 07:25:11.427840: | cmd( 480):'ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libr: Sep 21 07:25:11.427843: | cmd( 560):eswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.: Sep 21 07:25:11.427845: | cmd( 640):libreswan.org' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0: Sep 21 07:25:11.427848: | cmd( 720):' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL: Sep 21 07:25:11.427850: | cmd( 800):='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050707' PLUTO_CONN: Sep 21 07:25:11.427853: | cmd( 880):_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO: Sep 21 07:25:11.427855: | cmd( 960):' 
PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLU: Sep 21 07:25:11.427860: | cmd(1040):TO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER: Sep 21 07:25:11.427863: | cmd(1120):_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI: Sep 21 07:25:11.427866: | cmd(1200):_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xcea9d904 SPI_OUT=0xa9c17fa2 : Sep 21 07:25:11.427868: | cmd(1280):ipsec _updown 2>&1: Sep 21 07:25:11.442804: | shunt_eroute() called for connection 'northnet-eastnets/0x2' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 192.0.22.0/24:0 --0->- 192.0.3.0/24:0 Sep 21 07:25:11.442829: | netlink_shunt_eroute for proto 0, and source 192.0.22.0/24:0 dest 192.0.3.0/24:0 Sep 21 07:25:11.442835: | priority calculation of connection "northnet-eastnets/0x2" is 0xfe7e7 Sep 21 07:25:11.442840: | IPsec Sa SPD priority set to 1042407 Sep 21 07:25:11.442910: | delete esp.cea9d904@192.1.3.33 Sep 21 07:25:11.443197: | netlink response for Del SA esp.cea9d904@192.1.3.33 included non-error error Sep 21 07:25:11.443204: | priority calculation of connection "northnet-eastnets/0x2" is 0xfe7e7 Sep 21 07:25:11.443213: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.22.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Sep 21 07:25:11.443268: | raw_eroute result=success Sep 21 07:25:11.443273: | delete esp.a9c17fa2@192.1.2.23 Sep 21 07:25:11.443361: | netlink response for Del SA esp.a9c17fa2@192.1.2.23 included non-error error Sep 21 07:25:11.443370: | stop processing: connection "northnet-eastnets/0x2" (BACKGROUND) (in update_state_connection() at connections.c:4037) Sep 21 07:25:11.443374: | start processing: connection NULL (in update_state_connection() at connections.c:4038) Sep 21 07:25:11.443376: | in connection_discard for connection northnet-eastnets/0x2 Sep 21 07:25:11.443379: | State DB: deleting IKEv2 state #3 in V2_IPSEC_R Sep 21 07:25:11.443383: | child 
state #3: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Sep 21 07:25:11.443404: | stop processing: state #3 from 192.1.3.33:500 (in delete_state() at state.c:1143) Sep 21 07:25:11.443413: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:25:11.443415: | state #2 Sep 21 07:25:11.443420: | start processing: state #2 connection "northnet-eastnets/0x1" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:25:11.443424: | pstats #2 ikev2.child deleted completed Sep 21 07:25:11.443428: | [RE]START processing: state #2 connection "northnet-eastnets/0x1" from 192.1.3.33:500 (in delete_state() at state.c:879) Sep 21 07:25:11.443432: "northnet-eastnets/0x1" #2: deleting state (STATE_V2_IPSEC_R) aged 4.284s and sending notification Sep 21 07:25:11.443435: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Sep 21 07:25:11.443439: | get_sa_info esp.559b2361@192.1.3.33 Sep 21 07:25:11.443448: | get_sa_info esp.c8a37905@192.1.2.23 Sep 21 07:25:11.443455: "northnet-eastnets/0x1" #2: ESP traffic information: in=168B out=168B Sep 21 07:25:11.443459: | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R Sep 21 07:25:11.443462: | Opening output PBS informational exchange delete request Sep 21 07:25:11.443466: | **emit ISAKMP Message: Sep 21 07:25:11.443468: | initiator cookie: Sep 21 07:25:11.443471: | 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:11.443473: | responder cookie: Sep 21 07:25:11.443475: | 3c e7 fa 06 4d 25 7b d7 Sep 21 07:25:11.443478: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:11.443481: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:11.443483: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:25:11.443486: | flags: none (0x0) Sep 21 07:25:11.443488: | Message ID: 1 (0x1) Sep 21 07:25:11.443492: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:25:11.443495: | ***emit IKEv2 
Encryption Payload: Sep 21 07:25:11.443498: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:11.443500: | flags: none (0x0) Sep 21 07:25:11.443503: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:25:11.443510: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:25:11.443514: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:25:11.443523: | ****emit IKEv2 Delete Payload: Sep 21 07:25:11.443525: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:11.443528: | flags: none (0x0) Sep 21 07:25:11.443531: | protocol ID: PROTO_v2_ESP (0x3) Sep 21 07:25:11.443534: | SPI size: 4 (0x4) Sep 21 07:25:11.443538: | number of SPIs: 1 (0x1) Sep 21 07:25:11.443542: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:25:11.443546: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:25:11.443550: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Sep 21 07:25:11.443554: | local spis c8 a3 79 05 Sep 21 07:25:11.443557: | emitting length of IKEv2 Delete Payload: 12 Sep 21 07:25:11.443561: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:25:11.443566: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:25:11.443570: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:25:11.443574: | emitting length of IKEv2 Encryption Payload: 41 Sep 21 07:25:11.443577: | emitting length of ISAKMP Message: 69 Sep 21 07:25:11.443602: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #2) Sep 21 07:25:11.443606: | 9e f0 dc 87 3c 6f c0 43 3c e7 fa 
06 4d 25 7b d7 Sep 21 07:25:11.443610: | 2e 20 25 00 00 00 00 01 00 00 00 45 2a 00 00 29 Sep 21 07:25:11.443613: | 9a d7 df 1c a4 db fb 68 18 1b 75 ad 15 4c c5 c5 Sep 21 07:25:11.443616: | c3 a4 e8 9a 42 e8 5a 88 f9 d6 16 14 6c c2 18 9f Sep 21 07:25:11.443619: | 7e a7 12 b6 1b Sep 21 07:25:11.443693: | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Sep 21 07:25:11.443698: | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send Sep 21 07:25:11.443706: | Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=1 wip.responder=-1 Sep 21 07:25:11.443713: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=0->1 wip.responder=-1 Sep 21 07:25:11.443717: | state #2 requesting EVENT_SA_REKEY to be deleted Sep 21 07:25:11.443725: | libevent_free: release ptr-libevent@0x55d43f5d9bd0 Sep 21 07:25:11.443729: | free_event_entry: release EVENT_SA_REKEY-pe@0x55d43f5da130 Sep 21 07:25:11.443834: | running updown command "ipsec _updown" for verb down Sep 21 07:25:11.443845: | command executing down-client Sep 21 07:25:11.443905: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, 
E=user-north@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050707' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLU Sep 21 07:25:11.443914: | popen cmd is 1296 chars long Sep 21 07:25:11.443918: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnets: Sep 21 07:25:11.443922: | cmd( 80):/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' : Sep 21 07:25:11.443926: | cmd( 160):PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=ea: Sep 21 07:25:11.443930: | cmd( 240):st.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='19: Sep 21 07:25:11.443933: | cmd( 320):2.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0': Sep 21 07:25:11.443937: | cmd( 400): PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='E: Sep 21 07:25:11.443940: | cmd( 480):SP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libres: Sep 21 07:25:11.443944: | cmd( 560):wan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.li: Sep 21 07:25:11.443948: | cmd( 640):breswan.org' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' : Sep 21 07:25:11.443951: | cmd( 720):PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=': Sep 21 07:25:11.443955: | cmd( 800):0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050707' PLUTO_CONN_P: Sep 21 07:25:11.443958: | cmd( 880):OLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' : Sep 21 07:25:11.443962: | cmd( 960):PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO: Sep 21 07:25:11.443966: | 
cmd(1040):_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_B: Sep 21 07:25:11.443969: | cmd(1120):ANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_I: Sep 21 07:25:11.443973: | cmd(1200):FACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x559b2361 SPI_OUT=0xc8a37905 ip: Sep 21 07:25:11.443976: | cmd(1280):sec _updown 2>&1: Sep 21 07:25:11.458994: | shunt_eroute() called for connection 'northnet-eastnets/0x1' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 192.0.2.0/24:0 --0->- 192.0.3.0/24:0 Sep 21 07:25:11.459006: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.3.0/24:0 Sep 21 07:25:11.459010: | priority calculation of connection "northnet-eastnets/0x1" is 0xfe7e7 Sep 21 07:25:11.459014: | IPsec Sa SPD priority set to 1042407 Sep 21 07:25:11.459052: | delete esp.559b2361@192.1.3.33 Sep 21 07:25:11.459079: | netlink response for Del SA esp.559b2361@192.1.3.33 included non-error error Sep 21 07:25:11.459084: | priority calculation of connection "northnet-eastnets/0x1" is 0xfe7e7 Sep 21 07:25:11.459090: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Sep 21 07:25:11.459132: | raw_eroute result=success Sep 21 07:25:11.459137: | delete esp.c8a37905@192.1.2.23 Sep 21 07:25:11.459160: | netlink response for Del SA esp.c8a37905@192.1.2.23 included non-error error Sep 21 07:25:11.459168: | in connection_discard for connection northnet-eastnets/0x1 Sep 21 07:25:11.459173: | State DB: deleting IKEv2 state #2 in V2_IPSEC_R Sep 21 07:25:11.459178: | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Sep 21 07:25:11.459185: | stop processing: state #2 from 192.1.3.33:500 (in delete_state() at state.c:1143) Sep 21 07:25:11.459193: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:25:11.459196: | state #1 Sep 21 07:25:11.459199: | pass 1 Sep 21 
07:25:11.459202: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:25:11.459204: | state #1 Sep 21 07:25:11.459211: | start processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:25:11.459215: | pstats #1 ikev2.ike deleted completed Sep 21 07:25:11.459222: | #1 spent 26.5 milliseconds in total Sep 21 07:25:11.459229: | [RE]START processing: state #1 connection "northnet-eastnets/0x2" from 192.1.3.33:500 (in delete_state() at state.c:879) Sep 21 07:25:11.459233: "northnet-eastnets/0x2" #1: deleting state (STATE_PARENT_R2) aged 4.356s and sending notification Sep 21 07:25:11.459237: | parent state #1: PARENT_R2(established IKE SA) => delete Sep 21 07:25:11.459298: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Sep 21 07:25:11.459304: | Opening output PBS informational exchange delete request Sep 21 07:25:11.459307: | **emit ISAKMP Message: Sep 21 07:25:11.459310: | initiator cookie: Sep 21 07:25:11.459313: | 9e f0 dc 87 3c 6f c0 43 Sep 21 07:25:11.459316: | responder cookie: Sep 21 07:25:11.459318: | 3c e7 fa 06 4d 25 7b d7 Sep 21 07:25:11.459321: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:11.459325: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:11.459328: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:25:11.459331: | flags: none (0x0) Sep 21 07:25:11.459334: | Message ID: 2 (0x2) Sep 21 07:25:11.459338: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:25:11.459341: | ***emit IKEv2 Encryption Payload: Sep 21 07:25:11.459345: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:11.459347: | flags: none (0x0) Sep 21 07:25:11.459352: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:25:11.459355: | next payload chain: saving location 'IKEv2 Encryption 
Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:25:11.459359: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:25:11.459369: | ****emit IKEv2 Delete Payload: Sep 21 07:25:11.459373: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:11.459375: | flags: none (0x0) Sep 21 07:25:11.459379: | protocol ID: PROTO_v2_IKE (0x1) Sep 21 07:25:11.459381: | SPI size: 0 (0x0) Sep 21 07:25:11.459384: | number of SPIs: 0 (0x0) Sep 21 07:25:11.459388: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:25:11.459392: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:25:11.459395: | emitting length of IKEv2 Delete Payload: 8 Sep 21 07:25:11.459398: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:25:11.459405: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:25:11.459408: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:25:11.459411: | emitting length of IKEv2 Encryption Payload: 37 Sep 21 07:25:11.459413: | emitting length of ISAKMP Message: 65 Sep 21 07:25:11.459436: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Sep 21 07:25:11.459440: | 9e f0 dc 87 3c 6f c0 43 3c e7 fa 06 4d 25 7b d7 Sep 21 07:25:11.459442: | 2e 20 25 00 00 00 00 02 00 00 00 41 2a 00 00 25 Sep 21 07:25:11.459444: | 8a 67 2a 71 77 a8 ee 00 2b 50 75 96 b9 f4 6f 26 Sep 21 07:25:11.459446: | cb 7e 78 af 0a a8 2d 04 4d ad ba 39 6a 21 7c 27 Sep 21 07:25:11.459448: | 02 Sep 21 07:25:11.459503: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=2->3 and sender msgid=1->2 Sep 21 07:25:11.459507: | Message ID: IKE #1 sender #1 in send_delete hacking around 
record ' send Sep 21 07:25:11.459510: | Message ID: #1 XXX: expecting sender.wip.initiator 1 == -1 - suspect record'n'send out-of-order?); initiator.sent=2 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=2 wip.responder=-1 Sep 21 07:25:11.459513: | Message ID: sent #1 request 2; ike: initiator.sent=1->2 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=1->2 wip.responder=-1 Sep 21 07:25:11.459517: | state #1 requesting EVENT_SA_REKEY to be deleted Sep 21 07:25:11.459521: | libevent_free: release ptr-libevent@0x55d43f5b6390 Sep 21 07:25:11.459523: | free_event_entry: release EVENT_SA_REKEY-pe@0x55d43f5cc550 Sep 21 07:25:11.459526: | State DB: IKEv2 state not found (flush_incomplete_children) Sep 21 07:25:11.459528: | in connection_discard for connection northnet-eastnets/0x2 Sep 21 07:25:11.459529: | State DB: deleting IKEv2 state #1 in PARENT_R2 Sep 21 07:25:11.459532: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Sep 21 07:25:11.459540: | unreference key: 0x55d43f5b4390 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org cnt 2-- Sep 21 07:25:11.459551: | stop processing: state #1 from 192.1.3.33:500 (in delete_state() at state.c:1143) Sep 21 07:25:11.459557: | unreference key: 0x55d43f5b4390 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org cnt 1-- Sep 21 07:25:11.459561: | unreference key: 0x55d43f5bef70 user-north@testing.libreswan.org cnt 1-- Sep 21 07:25:11.459564: | unreference key: 0x55d43f5c9970 @north.testing.libreswan.org cnt 1-- Sep 21 07:25:11.459576: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:25:11.459581: | shunt_eroute() called for connection 'northnet-eastnets/0x2' to 'delete' for rt_kind 'unrouted' using protoports 192.0.22.0/24:0 --0->- 192.0.3.0/24:0 Sep 21 07:25:11.459584: | 
netlink_shunt_eroute for proto 0, and source 192.0.22.0/24:0 dest 192.0.3.0/24:0 Sep 21 07:25:11.459586: | priority calculation of connection "northnet-eastnets/0x2" is 0xfe7e7 Sep 21 07:25:11.459613: | priority calculation of connection "northnet-eastnets/0x2" is 0xfe7e7 Sep 21 07:25:11.459627: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:25:11.459633: | conn northnet-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:25:11.459637: | conn northnet-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:25:11.459641: | conn northnet-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:25:11.459644: | conn northnet-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:25:11.459648: | route owner of "northnet-eastnets/0x2" unrouted: "northnet-eastnets/0x1" prospective erouted Sep 21 07:25:11.459653: | flush revival: connection 'northnet-eastnets/0x2' wasn't on the list Sep 21 07:25:11.459657: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Sep 21 07:25:11.459667: | start processing: connection "northnet-eastnets/0x1" (in delete_connection() at connections.c:189) Sep 21 07:25:11.459671: | Deleting states for connection - including all other IPsec SA's of this IKE SA Sep 21 07:25:11.459674: | pass 0 Sep 21 07:25:11.459677: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:25:11.459681: | pass 1 Sep 21 07:25:11.459685: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:25:11.459691: | shunt_eroute() called for connection 'northnet-eastnets/0x1' to 'delete' for rt_kind 'unrouted' using protoports 192.0.2.0/24:0 --0->- 192.0.3.0/24:0 Sep 21 07:25:11.459696: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.3.0/24:0 Sep 21 07:25:11.459700: | priority calculation of connection "northnet-eastnets/0x1" is 0xfe7e7 Sep 21 07:25:11.459728: | priority calculation of connection "northnet-eastnets/0x1" is 0xfe7e7 Sep 21 07:25:11.459743: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:25:11.459748: | conn northnet-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:25:11.459752: | conn northnet-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:25:11.459755: | route owner of "northnet-eastnets/0x1" unrouted: NULL Sep 21 07:25:11.459759: | running updown command "ipsec _updown" for verb unroute Sep 21 07:25:11.459762: | command executing unroute-client Sep 21 07:25:11.459804: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO Sep 21 07:25:11.459812: | popen cmd is 1277 chars long Sep 21 07:25:11.459814: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastn: Sep 21 07:25:11.459816: | cmd( 80):ets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.2: Sep 21 07:25:11.459818: | cmd( 160):3' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN: Sep 21 07:25:11.459819: | cmd( 240):=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT=: Sep 21 07:25:11.459821: | cmd( 
320):'192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255: Sep 21 07:25:11.459823: | cmd( 400):.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE: Sep 21 07:25:11.459824: | cmd( 480):='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Li: Sep 21 07:25:11.459826: | cmd( 560):breswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testin: Sep 21 07:25:11.459827: | cmd( 640):g.libreswan.org' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3: Sep 21 07:25:11.459829: | cmd( 720):.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOC: Sep 21 07:25:11.459831: | cmd( 800):OL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY: Sep 21 07:25:11.459832: | cmd( 880):='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO: Sep 21 07:25:11.459834: | cmd( 960):_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_P: Sep 21 07:25:11.459836: | cmd(1040):EER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER: Sep 21 07:25:11.459837: | cmd(1120):='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE=: Sep 21 07:25:11.459839: | cmd(1200):'' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Sep 21 07:25:11.470909: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.470927: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.470932: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.470948: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.470962: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:25:11.470975: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.470991: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471004: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471017: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471030: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471043: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471060: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471073: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471087: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471099: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471112: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471127: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471152: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471165: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471177: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471190: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471204: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:25:11.471216: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471229: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471241: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471253: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471268: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471280: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471292: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471304: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471316: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471330: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471343: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471355: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471367: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471379: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471393: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471406: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471418: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:25:11.471430: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471442: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471458: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471471: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471599: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471611: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471624: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471639: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471651: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471664: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471676: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471688: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471717: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471730: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471742: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471754: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471767: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:25:11.471786: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471800: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471813: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471825: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471838: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471852: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471865: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471878: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471890: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471903: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471917: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471930: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471943: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471956: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471968: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471983: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.471996: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:25:11.472010: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472023: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472036: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472050: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472064: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472076: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472089: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472103: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472117: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472130: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472143: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472156: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472169: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472185: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472197: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472210: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472222: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:25:11.472235: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472249: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472261: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472274: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472287: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472299: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472313: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472327: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472339: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472352: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472364: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472380: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472392: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472405: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472417: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472430: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472444: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:25:11.472457: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472470: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472483: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472495: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472509: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472522: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472535: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472548: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472561: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472576: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472589: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472601: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472614: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472626: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472641: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:11.472655: "northnet-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:25:11.483238: | free hp@0x55d43f5ba7d0 Sep 21 07:25:11.483251: | flush revival: connection 'northnet-eastnets/0x1' wasn't on the list Sep 21 07:25:11.483256: | stop processing: connection "northnet-eastnets/0x1" (in discard_connection() at connections.c:249) Sep 21 07:25:11.483283: | crl fetch request list locked by 'free_crl_fetch' Sep 21 07:25:11.483286: | crl fetch request list unlocked by 'free_crl_fetch' Sep 21 07:25:11.483297: shutting down interface lo/lo 127.0.0.1:4500 Sep 21 07:25:11.483301: shutting down interface lo/lo 127.0.0.1:500 Sep 21 07:25:11.483304: shutting down interface eth0/eth0 192.0.2.254:4500 Sep 21 07:25:11.483307: shutting down interface eth0/eth0 192.0.2.254:500 Sep 21 07:25:11.483310: shutting down interface eth0/eth0 192.0.22.254:4500 Sep 21 07:25:11.483313: shutting down interface eth0/eth0 192.0.22.254:500 Sep 21 07:25:11.483316: shutting down interface eth1/eth1 192.1.2.23:4500 Sep 21 07:25:11.483319: shutting down interface eth1/eth1 192.1.2.23:500 Sep 21 07:25:11.483323: | FOR_EACH_STATE_... 
in delete_states_dead_interfaces Sep 21 07:25:11.483331: | libevent_free: release ptr-libevent@0x55d43f5b38b0 Sep 21 07:25:11.483334: | free_event_entry: release EVENT_NULL-pe@0x55d43f5b3870 Sep 21 07:25:11.483345: | libevent_free: release ptr-libevent@0x55d43f5b39a0 Sep 21 07:25:11.483348: | free_event_entry: release EVENT_NULL-pe@0x55d43f5b3960 Sep 21 07:25:11.483354: | libevent_free: release ptr-libevent@0x55d43f5b3a90 Sep 21 07:25:11.483357: | free_event_entry: release EVENT_NULL-pe@0x55d43f5b3a50 Sep 21 07:25:11.483363: | libevent_free: release ptr-libevent@0x55d43f5b3b80 Sep 21 07:25:11.483365: | free_event_entry: release EVENT_NULL-pe@0x55d43f5b3b40 Sep 21 07:25:11.483372: | libevent_free: release ptr-libevent@0x55d43f5b3c70 Sep 21 07:25:11.483375: | free_event_entry: release EVENT_NULL-pe@0x55d43f5b3c30 Sep 21 07:25:11.483380: | libevent_free: release ptr-libevent@0x55d43f5b3d60 Sep 21 07:25:11.483383: | free_event_entry: release EVENT_NULL-pe@0x55d43f5b3d20 Sep 21 07:25:11.483389: | libevent_free: release ptr-libevent@0x55d43f5b4480 Sep 21 07:25:11.483391: | free_event_entry: release EVENT_NULL-pe@0x55d43f5b3e10 Sep 21 07:25:11.483397: | libevent_free: release ptr-libevent@0x55d43f5b4510 Sep 21 07:25:11.483400: | free_event_entry: release EVENT_NULL-pe@0x55d43f5b3e70 Sep 21 07:25:11.483405: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Sep 21 07:25:11.483951: | libevent_free: release ptr-libevent@0x55d43f5b2f70 Sep 21 07:25:11.483960: | free_event_entry: release EVENT_NULL-pe@0x55d43f59bb00 Sep 21 07:25:11.483965: | libevent_free: release ptr-libevent@0x55d43f5a89f0 Sep 21 07:25:11.483968: | free_event_entry: release EVENT_NULL-pe@0x55d43f59bd40 Sep 21 07:25:11.483972: | libevent_free: release ptr-libevent@0x55d43f5a8960 Sep 21 07:25:11.483974: | free_event_entry: release EVENT_NULL-pe@0x55d43f5a1890 Sep 21 07:25:11.483977: | global timer EVENT_REINIT_SECRET uninitialized Sep 21 07:25:11.483980: | global timer EVENT_SHUNT_SCAN uninitialized Sep 21 07:25:11.483983: | global timer EVENT_PENDING_DDNS uninitialized Sep 21 07:25:11.483985: | global timer EVENT_PENDING_PHASE2 uninitialized Sep 21 07:25:11.483987: | global timer EVENT_CHECK_CRLS uninitialized Sep 21 07:25:11.483989: | global timer EVENT_REVIVE_CONNS uninitialized Sep 21 07:25:11.483992: | global timer EVENT_FREE_ROOT_CERTS uninitialized Sep 21 07:25:11.483994: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Sep 21 07:25:11.483996: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Sep 21 07:25:11.484001: | libevent_free: release ptr-libevent@0x55d43f5b3150 Sep 21 07:25:11.484004: | signal event handler PLUTO_SIGCHLD uninstalled Sep 21 07:25:11.484007: | libevent_free: release ptr-libevent@0x55d43f5b3230 Sep 21 07:25:11.484010: | signal event handler PLUTO_SIGTERM uninstalled Sep 21 07:25:11.484015: | libevent_free: release ptr-libevent@0x55d43f5b32f0 Sep 21 07:25:11.484018: | signal event handler PLUTO_SIGHUP uninstalled Sep 21 07:25:11.484021: | libevent_free: release ptr-libevent@0x55d43f5a7c60 Sep 21 07:25:11.484023: | signal event handler PLUTO_SIGSYS uninstalled Sep 21 07:25:11.484025: | releasing event base Sep 21 07:25:11.484038: | libevent_free: release ptr-libevent@0x55d43f5b33b0 Sep 21 07:25:11.484042: | libevent_free: release ptr-libevent@0x55d43f550480 Sep 21 07:25:11.484045: | libevent_free: 
release ptr-libevent@0x55d43f596ef0 Sep 21 07:25:11.484048: | libevent_free: release ptr-libevent@0x55d43f590da0 Sep 21 07:25:11.484050: | libevent_free: release ptr-libevent@0x55d43f596f10 Sep 21 07:25:11.484053: | libevent_free: release ptr-libevent@0x55d43f5b3000 Sep 21 07:25:11.484055: | libevent_free: release ptr-libevent@0x55d43f5b31f0 Sep 21 07:25:11.484057: | libevent_free: release ptr-libevent@0x55d43f5970b0 Sep 21 07:25:11.484060: | libevent_free: release ptr-libevent@0x55d43f5a17f0 Sep 21 07:25:11.484062: | libevent_free: release ptr-libevent@0x55d43f5a17d0 Sep 21 07:25:11.484064: | libevent_free: release ptr-libevent@0x55d43f5b3eb0 Sep 21 07:25:11.484067: | libevent_free: release ptr-libevent@0x55d43f5b3e50 Sep 21 07:25:11.484069: | libevent_free: release ptr-libevent@0x55d43f5b3df0 Sep 21 07:25:11.484071: | libevent_free: release ptr-libevent@0x55d43f5b3d00 Sep 21 07:25:11.484073: | libevent_free: release ptr-libevent@0x55d43f5b3c10 Sep 21 07:25:11.484076: | libevent_free: release ptr-libevent@0x55d43f5b3b20 Sep 21 07:25:11.484078: | libevent_free: release ptr-libevent@0x55d43f5b3a30 Sep 21 07:25:11.484080: | libevent_free: release ptr-libevent@0x55d43f5b3940 Sep 21 07:25:11.484083: | libevent_free: release ptr-libevent@0x55d43f596fa0 Sep 21 07:25:11.484085: | libevent_free: release ptr-libevent@0x55d43f5b32d0 Sep 21 07:25:11.484087: | libevent_free: release ptr-libevent@0x55d43f5b3210 Sep 21 07:25:11.484089: | libevent_free: release ptr-libevent@0x55d43f5b3130 Sep 21 07:25:11.484092: | libevent_free: release ptr-libevent@0x55d43f5b3390 Sep 21 07:25:11.484094: | libevent_free: release ptr-libevent@0x55d43f5b3020 Sep 21 07:25:11.484097: | libevent_free: release ptr-libevent@0x55d43f596f30 Sep 21 07:25:11.484099: | libevent_free: release ptr-libevent@0x55d43f596f60 Sep 21 07:25:11.484102: | libevent_free: release ptr-libevent@0x55d43f596c50 Sep 21 07:25:11.484104: | releasing global libevent data Sep 21 07:25:11.484107: | libevent_free: release 
ptr-libevent@0x55d43f595440 Sep 21 07:25:11.484109: | libevent_free: release ptr-libevent@0x55d43f595470 Sep 21 07:25:11.484112: | libevent_free: release ptr-libevent@0x55d43f596c20