Sep 21 07:25:28.988644: FIPS Product: YES
Sep 21 07:25:28.988683: FIPS Kernel: NO
Sep 21 07:25:28.988686: FIPS Mode: NO
Sep 21 07:25:28.988689: NSS DB directory: sql:/etc/ipsec.d
Sep 21 07:25:28.988848: Initializing NSS
Sep 21 07:25:28.988854: Opening NSS database "sql:/etc/ipsec.d" read-only
Sep 21 07:25:29.038219: NSS initialized
Sep 21 07:25:29.038231: NSS crypto library initialized
Sep 21 07:25:29.038234: FIPS HMAC integrity support [enabled]
Sep 21 07:25:29.038236: FIPS mode disabled for pluto daemon
Sep 21 07:25:29.085781: FIPS HMAC integrity verification self-test FAILED
Sep 21 07:25:29.085940: libcap-ng support [enabled]
Sep 21 07:25:29.085948: Linux audit support [enabled]
Sep 21 07:25:29.085978: Linux audit activated
Sep 21 07:25:29.085986: Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:7805
Sep 21 07:25:29.085990: core dump dir: /tmp
Sep 21 07:25:29.085992: secrets file: /etc/ipsec.secrets
Sep 21 07:25:29.085994: leak-detective disabled
Sep 21 07:25:29.085995: NSS crypto [enabled]
Sep 21 07:25:29.085997: XAUTH PAM support [enabled]
Sep 21 07:25:29.086070: | libevent is using pluto's memory allocator
Sep 21 07:25:29.086077: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
Sep 21 07:25:29.086091: | libevent_malloc: new ptr-libevent@0x563fe543b500 size 40
Sep 21 07:25:29.086113: | libevent_malloc: new ptr-libevent@0x563fe543c7b0 size 40
Sep 21 07:25:29.086116: | libevent_malloc: new ptr-libevent@0x563fe543c7e0 size 40
Sep 21 07:25:29.086119: | creating event base
Sep 21 07:25:29.086121: | libevent_malloc: new ptr-libevent@0x563fe543c770 size 56
Sep 21 07:25:29.086124: | libevent_malloc: new ptr-libevent@0x563fe543c810 size 664
Sep 21 07:25:29.086135: | libevent_malloc: new ptr-libevent@0x563fe543cab0 size 24
Sep 21 07:25:29.086140: | libevent_malloc: new ptr-libevent@0x563fe542e270 size 384
Sep 21 07:25:29.086151: | libevent_malloc: new ptr-libevent@0x563fe543cad0 size 16
Sep 21 07:25:29.086155: | libevent_malloc: new ptr-libevent@0x563fe543caf0 size 40
Sep 21 07:25:29.086158: | libevent_malloc: new ptr-libevent@0x563fe543cb20 size 48
Sep 21 07:25:29.086165: | libevent_realloc: new ptr-libevent@0x563fe53c0370 size 256
Sep 21 07:25:29.086168: | libevent_malloc: new ptr-libevent@0x563fe543cb60 size 16
Sep 21 07:25:29.086174: | libevent_free: release ptr-libevent@0x563fe543c770
Sep 21 07:25:29.086178: | libevent initialized
Sep 21 07:25:29.086182: | libevent_realloc: new ptr-libevent@0x563fe543cb80 size 64
Sep 21 07:25:29.086189: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds
Sep 21 07:25:29.086204: | init_nat_traversal() initialized with keep_alive=0s
Sep 21 07:25:29.086207: NAT-Traversal support [enabled]
Sep 21 07:25:29.086210: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized
Sep 21 07:25:29.086216: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized
Sep 21 07:25:29.086220: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds
Sep 21 07:25:29.086261: | global one-shot timer EVENT_REVIVE_CONNS initialized
Sep 21 07:25:29.086265: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds
Sep 21 07:25:29.086269: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds
Sep 21 07:25:29.086330: Encryption algorithms:
Sep 21 07:25:29.086337: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c
Sep 21 07:25:29.086341: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b
Sep 21 07:25:29.086345: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a
Sep 21 07:25:29.086349: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des
Sep 21 07:25:29.086352: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
Sep 21 07:25:29.086374: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia
Sep 21 07:25:29.086378: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c
Sep 21 07:25:29.086382: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b
Sep 21 07:25:29.086385: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a
Sep 21 07:25:29.086388: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr
Sep 21 07:25:29.086392: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes
Sep 21 07:25:29.086395: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent
Sep 21 07:25:29.086399: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish
Sep 21 07:25:29.086402: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh
Sep 21 07:25:29.086406: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac
Sep 21 07:25:29.086409: NULL IKEv1: ESP IKEv2: ESP []
Sep 21 07:25:29.086412: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305
Sep 21 07:25:29.086423: Hash algorithms:
Sep 21 07:25:29.086426: MD5 IKEv1: IKE IKEv2:
Sep 21 07:25:29.086429: SHA1 IKEv1: IKE IKEv2: FIPS sha
Sep 21 07:25:29.086432: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256
Sep 21 07:25:29.086435: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384
Sep 21 07:25:29.086438: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512
Sep 21 07:25:29.086451: PRF algorithms:
Sep 21 07:25:29.086454: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5
Sep 21 07:25:29.086457: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1
Sep 21 07:25:29.086461: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256
Sep 21 07:25:29.086464: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384
Sep 21 07:25:29.086467: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512
Sep 21 07:25:29.086470: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc
Sep 21 07:25:29.086494: Integrity algorithms:
Sep 21 07:25:29.086497: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5
Sep 21 07:25:29.086501: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1
Sep 21 07:25:29.086504: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512
Sep 21 07:25:29.086508: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384
Sep 21 07:25:29.086512: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Sep 21 07:25:29.086515: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
Sep 21 07:25:29.086518: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96
Sep 21 07:25:29.086520: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
Sep 21 07:25:29.086523: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
Sep 21 07:25:29.086535: DH algorithms:
Sep 21 07:25:29.086539: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0
Sep 21 07:25:29.086541: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5
Sep 21 07:25:29.086543: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14
Sep 21 07:25:29.086549: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15
Sep 21 07:25:29.086552: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16
Sep 21 07:25:29.086554: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17
Sep 21 07:25:29.086557: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18
Sep 21 07:25:29.086560: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256
Sep 21 07:25:29.086563: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384
Sep 21 07:25:29.086566: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521
Sep 21 07:25:29.086569: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519
Sep 21 07:25:29.086571: testing CAMELLIA_CBC:
Sep 21 07:25:29.086573: Camellia: 16 bytes with 128-bit key
Sep 21 07:25:29.086704: Camellia: 16 bytes with 128-bit key
Sep 21 07:25:29.086739: Camellia: 16 bytes with 256-bit key
Sep 21 07:25:29.086773: Camellia: 16 bytes with 256-bit key
Sep 21 07:25:29.086823: testing AES_GCM_16:
Sep 21 07:25:29.086843: empty string
Sep 21 07:25:29.086870: one block
Sep 21 07:25:29.086895: two blocks
Sep 21 07:25:29.086922: two blocks with associated data
Sep 21 07:25:29.086948: testing AES_CTR:
Sep 21 07:25:29.086952: Encrypting 16 octets using AES-CTR with 128-bit key
Sep 21 07:25:29.086978: Encrypting 32 octets using AES-CTR with 128-bit key
Sep 21 07:25:29.087007: Encrypting 36 octets using AES-CTR with 128-bit key
Sep 21 07:25:29.087035: Encrypting 16 octets using AES-CTR with 192-bit key
Sep 21 07:25:29.087061: Encrypting 32 octets using AES-CTR with 192-bit key
Sep 21 07:25:29.087088: Encrypting 36 octets using AES-CTR with 192-bit key
Sep 21 07:25:29.087116: Encrypting 16 octets using AES-CTR with 256-bit key
Sep 21 07:25:29.087145: Encrypting 32 octets using AES-CTR with 256-bit key
Sep 21 07:25:29.087170: Encrypting 36 octets using AES-CTR with 256-bit key
Sep 21 07:25:29.087198: testing AES_CBC:
Sep 21 07:25:29.087202: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Sep 21 07:25:29.087228: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Sep 21 07:25:29.087256: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Sep 21 07:25:29.087285: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Sep 21 07:25:29.087320: testing AES_XCBC:
Sep 21 07:25:29.087324: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input
Sep 21 07:25:29.087471: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input
Sep 21 07:25:29.087610: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input
Sep 21 07:25:29.087742: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input
Sep 21 07:25:29.087884: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input
Sep 21 07:25:29.088036: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input
Sep 21 07:25:29.088138: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input
Sep 21 07:25:29.088313: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Sep 21 07:25:29.088396: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Sep 21 07:25:29.088480: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Sep 21 07:25:29.088640: testing HMAC_MD5:
Sep 21 07:25:29.088643: RFC 2104: MD5_HMAC test 1
Sep 21 07:25:29.088755: RFC 2104: MD5_HMAC test 2
Sep 21 07:25:29.088883: RFC 2104: MD5_HMAC test 3
Sep 21 07:25:29.089025: 8 CPU cores online
Sep 21 07:25:29.089029: starting up 7 crypto helpers
Sep 21 07:25:29.089060: started thread for crypto helper 0
Sep 21 07:25:29.089066: | starting up helper thread 0
Sep 21 07:25:29.089080: started thread for crypto helper 1
Sep 21 07:25:29.089090: | starting up helper thread 1
Sep 21 07:25:29.089108: | status value returned by setting the priority of this thread (crypto helper 1) 22
Sep 21 07:25:29.089116: | crypto helper 1 waiting (nothing to do)
Sep 21 07:25:29.089125: | starting up helper thread 2
Sep 21 07:25:29.089125: started thread for crypto helper 2
Sep 21 07:25:29.089080: | status value returned by setting the priority of this thread (crypto helper 0) 22
Sep 21 07:25:29.089146: | crypto helper 0 waiting (nothing to do)
Sep 21 07:25:29.089134: | status value returned by setting the priority of this thread (crypto helper 2) 22
Sep 21 07:25:29.089153: | crypto helper 2 waiting (nothing to do)
Sep 21 07:25:29.089158: started thread for crypto helper 3
Sep 21 07:25:29.089183: started thread for crypto helper 4
Sep 21 07:25:29.089196: | starting up helper thread 4
Sep 21 07:25:29.089202: started thread for crypto helper 5
Sep 21 07:25:29.089247: | starting up helper thread 5
Sep 21 07:25:29.089253: | status value returned by setting the priority of this thread (crypto helper 5) 22
Sep 21 07:25:29.089256: | crypto helper 5 waiting (nothing to do)
Sep 21 07:25:29.089277: started thread for crypto helper 6
Sep 21 07:25:29.089287: | checking IKEv1 state table
Sep 21 07:25:29.089296: | MAIN_R0: category: half-open IKE SA flags: 0:
Sep 21 07:25:29.089299: | -> MAIN_R1 EVENT_SO_DISCARD
Sep 21 07:25:29.089302: | MAIN_I1: category: half-open IKE SA flags: 0:
Sep 21 07:25:29.089305: | -> MAIN_I2 EVENT_RETRANSMIT
Sep 21 07:25:29.089308: | MAIN_R1: category: open IKE SA flags: 200:
Sep 21 07:25:29.089310: | -> MAIN_R2 EVENT_RETRANSMIT
Sep 21 07:25:29.089311: | -> UNDEFINED EVENT_RETRANSMIT
Sep 21 07:25:29.089313: | -> UNDEFINED EVENT_RETRANSMIT
Sep 21 07:25:29.089314: | MAIN_I2: category: open IKE SA flags: 0:
Sep 21 07:25:29.089316: | -> MAIN_I3 EVENT_RETRANSMIT
Sep 21 07:25:29.089317: | -> UNDEFINED EVENT_RETRANSMIT
Sep 21 07:25:29.089319: | -> UNDEFINED EVENT_RETRANSMIT
Sep 21 07:25:29.089320: | MAIN_R2: category: open IKE SA flags: 0:
Sep 21 07:25:29.089322: | -> MAIN_R3 EVENT_SA_REPLACE
Sep 21 07:25:29.089323: | -> MAIN_R3 EVENT_SA_REPLACE
Sep 21 07:25:29.089324: | -> UNDEFINED EVENT_SA_REPLACE
Sep 21 07:25:29.089326: | MAIN_I3: category: open IKE SA flags: 0:
Sep 21 07:25:29.089327: | -> MAIN_I4 EVENT_SA_REPLACE
Sep 21 07:25:29.089331: | -> MAIN_I4 EVENT_SA_REPLACE
Sep 21 07:25:29.089332: | -> UNDEFINED EVENT_SA_REPLACE
Sep 21 07:25:29.089334: | MAIN_R3: category: established IKE SA flags: 200:
Sep 21 07:25:29.089335: | -> UNDEFINED EVENT_NULL
Sep 21 07:25:29.089339: | MAIN_I4: category: established IKE SA flags: 0:
Sep 21 07:25:29.089344: | -> UNDEFINED EVENT_NULL
Sep 21 07:25:29.089347: | AGGR_R0: category: half-open IKE SA flags: 0:
Sep 21 07:25:29.089349: | -> AGGR_R1 EVENT_SO_DISCARD
Sep 21 07:25:29.089352: | AGGR_I1: category: half-open IKE SA flags: 0:
Sep 21 07:25:29.089354: | -> AGGR_I2 EVENT_SA_REPLACE
Sep 21 07:25:29.089357: | -> AGGR_I2 EVENT_SA_REPLACE
Sep 21 07:25:29.089360: | AGGR_R1: category: open IKE SA flags: 200:
Sep 21 07:25:29.089362: | -> AGGR_R2 EVENT_SA_REPLACE
Sep 21 07:25:29.089365: | -> AGGR_R2 EVENT_SA_REPLACE
Sep 21 07:25:29.089368: | AGGR_I2: category: established IKE SA flags: 200:
Sep 21 07:25:29.089370: | -> UNDEFINED EVENT_NULL
Sep 21 07:25:29.089373: | AGGR_R2: category: established IKE SA flags: 0:
Sep 21 07:25:29.089376: | -> UNDEFINED EVENT_NULL
Sep 21 07:25:29.089378: | QUICK_R0: category: established CHILD SA flags: 0:
Sep 21 07:25:29.089381: | -> QUICK_R1 EVENT_RETRANSMIT
Sep 21 07:25:29.089383: | QUICK_I1: category: established CHILD SA flags: 0:
Sep 21 07:25:29.089386: | -> QUICK_I2 EVENT_SA_REPLACE
Sep 21 07:25:29.089389: | QUICK_R1: category: established CHILD SA flags: 0:
Sep 21 07:25:29.089392: | -> QUICK_R2 EVENT_SA_REPLACE
Sep 21 07:25:29.089394: | QUICK_I2: category: established CHILD SA flags: 200:
Sep 21 07:25:29.089397: | -> UNDEFINED EVENT_NULL
Sep 21 07:25:29.089400: | QUICK_R2: category: established CHILD SA flags: 0:
Sep 21 07:25:29.089402: | -> UNDEFINED EVENT_NULL
Sep 21 07:25:29.089405: | INFO: category: informational flags: 0:
Sep 21 07:25:29.089411: | -> UNDEFINED EVENT_NULL
Sep 21 07:25:29.089414: | INFO_PROTECTED: category: informational flags: 0:
Sep 21 07:25:29.089416: | -> UNDEFINED EVENT_NULL
Sep 21 07:25:29.089419: | XAUTH_R0: category: established IKE SA flags: 0:
Sep 21 07:25:29.089421: | -> XAUTH_R1 EVENT_NULL
Sep 21 07:25:29.089423: | XAUTH_R1: category: established IKE SA flags: 0:
Sep 21 07:25:29.089425: | -> MAIN_R3 EVENT_SA_REPLACE
Sep 21 07:25:29.089428: | MODE_CFG_R0: category: informational flags: 0:
Sep 21 07:25:29.089430: | -> MODE_CFG_R1 EVENT_SA_REPLACE
Sep 21 07:25:29.089433: | MODE_CFG_R1: category: established IKE SA flags: 0:
Sep 21 07:25:29.089435: | -> MODE_CFG_R2 EVENT_SA_REPLACE
Sep 21 07:25:29.089437: | MODE_CFG_R2: category: established IKE SA flags: 0:
Sep 21 07:25:29.089440: | -> UNDEFINED EVENT_NULL
Sep 21 07:25:29.089442: | MODE_CFG_I1: category: established IKE SA flags: 0:
Sep 21 07:25:29.089444: | -> MAIN_I4 EVENT_SA_REPLACE
Sep 21 07:25:29.089447: | XAUTH_I0: category: established IKE SA flags: 0:
Sep 21 07:25:29.089449: | -> XAUTH_I1 EVENT_RETRANSMIT
Sep 21 07:25:29.089452: | XAUTH_I1: category: established IKE SA flags: 0:
Sep 21 07:25:29.089454: | -> MAIN_I4 EVENT_RETRANSMIT
Sep 21 07:25:29.089460: | checking IKEv2 state table
Sep 21 07:25:29.089466: | PARENT_I0: category: ignore flags: 0:
Sep 21 07:25:29.089468: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT)
Sep 21 07:25:29.089470: | PARENT_I1: category: half-open IKE SA flags: 0:
Sep 21 07:25:29.089472: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification)
Sep 21 07:25:29.089474: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH)
Sep 21 07:25:29.089477: | PARENT_I2: category: open IKE SA flags: 0:
Sep 21 07:25:29.089479: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification)
Sep 21 07:25:29.089482: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification)
Sep 21 07:25:29.089485: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification)
Sep 21 07:25:29.089487: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response)
Sep 21 07:25:29.089490: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification)
Sep 21 07:25:29.089493: | PARENT_I3: category: established IKE SA flags: 0:
Sep 21 07:25:29.089495: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request)
Sep 21 07:25:29.089498: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response)
Sep 21 07:25:29.089501: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request)
Sep 21 07:25:29.089503: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response)
Sep 21 07:25:29.089506: | PARENT_R0: category: half-open IKE SA flags: 0:
Sep 21 07:25:29.089508: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT)
Sep 21 07:25:29.089511: | PARENT_R1: category: half-open IKE SA flags: 0:
Sep 21 07:25:29.089514: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED))
Sep 21 07:25:29.089516: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request)
Sep 21 07:25:29.089519: | PARENT_R2: category: established IKE SA flags: 0:
Sep 21 07:25:29.089522: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request)
Sep 21 07:25:29.089524: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response)
Sep 21 07:25:29.089527: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request)
Sep 21 07:25:29.089529: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response)
Sep 21 07:25:29.089532: | V2_CREATE_I0: category: established IKE SA flags: 0:
Sep 21 07:25:29.089535: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA)
Sep 21 07:25:29.089537: | V2_CREATE_I: category: established IKE SA flags: 0:
Sep 21 07:25:29.089545: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response)
Sep 21 07:25:29.089548: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0:
Sep 21 07:25:29.089550: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey)
Sep 21 07:25:29.089553: | V2_REKEY_IKE_I: category: established IKE SA flags: 0:
Sep 21 07:25:29.089556: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response)
Sep 21 07:25:29.089558: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0:
Sep 21 07:25:29.089561: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA)
Sep 21 07:25:29.089563: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0:
Sep 21 07:25:29.089566: | V2_CREATE_R: category: established IKE SA flags: 0:
Sep 21 07:25:29.089569: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request)
Sep 21 07:25:29.089571: | V2_REKEY_IKE_R: category: established IKE SA flags: 0:
Sep 21 07:25:29.089573: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey)
Sep 21 07:25:29.089576: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0:
Sep 21 07:25:29.089579: | V2_IPSEC_I: category: established CHILD SA flags: 0:
Sep 21 07:25:29.089582: | V2_IPSEC_R: category: established CHILD SA flags: 0:
Sep 21 07:25:29.089584: | IKESA_DEL: category: established IKE SA flags: 0:
Sep 21 07:25:29.089587: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
Sep 21 07:25:29.089589: | CHILDSA_DEL: category: informational flags: 0:
Sep 21 07:25:29.089668: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+
Sep 21 07:25:29.089206: | starting up helper thread 3
Sep 21 07:25:29.089243: | status value returned by setting the priority of this thread (crypto helper 4) 22
Sep 21 07:25:29.089720: | crypto helper 4 waiting (nothing to do)
Sep 21 07:25:29.089726: | status value returned by setting the priority of this thread (crypto helper 3) 22
Sep 21 07:25:29.089728: | crypto helper 3 waiting (nothing to do)
Sep 21 07:25:29.089837: | Hard-wiring algorithms
Sep 21 07:25:29.089848: | adding AES_CCM_16 to kernel algorithm db
Sep 21 07:25:29.089853: | adding AES_CCM_12 to kernel algorithm db
Sep 21 07:25:29.089854: | adding AES_CCM_8 to kernel algorithm db
Sep 21 07:25:29.089856: | adding 3DES_CBC to kernel algorithm db
Sep 21 07:25:29.089858: | adding CAMELLIA_CBC to kernel algorithm db
Sep 21 07:25:29.089859: | adding AES_GCM_16 to kernel algorithm db
Sep 21 07:25:29.089861: | adding AES_GCM_12 to kernel algorithm db
Sep 21 07:25:29.089862: | adding AES_GCM_8 to kernel algorithm db
Sep 21 07:25:29.089863: | adding AES_CTR to kernel algorithm db
Sep 21 07:25:29.089865: | adding AES_CBC to kernel algorithm db
Sep 21 07:25:29.089866: | adding SERPENT_CBC to kernel algorithm db
Sep 21 07:25:29.089868: | adding TWOFISH_CBC to kernel algorithm db
Sep 21 07:25:29.089870: | adding NULL_AUTH_AES_GMAC to kernel algorithm db
Sep 21 07:25:29.089873: | adding NULL to kernel algorithm db
Sep 21 07:25:29.089878: | adding CHACHA20_POLY1305 to kernel algorithm db
Sep 21 07:25:29.089882: | adding HMAC_MD5_96 to kernel algorithm db
Sep 21 07:25:29.089883: | starting up helper thread 6
Sep 21 07:25:29.089884: | adding HMAC_SHA1_96 to kernel algorithm db
Sep 21 07:25:29.089896: | status value returned by setting the priority of this thread (crypto helper 6) 22
Sep 21 07:25:29.089908: | adding HMAC_SHA2_512_256 to kernel algorithm db
Sep 21 07:25:29.089914: | crypto helper 6 waiting (nothing to do)
Sep 21 07:25:29.089922: | adding HMAC_SHA2_384_192 to kernel algorithm db
Sep 21 07:25:29.089931: | adding HMAC_SHA2_256_128 to kernel algorithm db
Sep 21 07:25:29.089935: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db
Sep 21 07:25:29.089938: | adding AES_XCBC_96 to kernel algorithm db
Sep 21 07:25:29.089942: | adding AES_CMAC_96 to kernel algorithm db
Sep 21 07:25:29.089945: | adding NONE to kernel algorithm db
Sep 21 07:25:29.089978: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes
Sep 21 07:25:29.089988: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds
Sep 21 07:25:29.089991: | setup kernel fd callback
Sep 21 07:25:29.089996: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x563fe5446f30
Sep 21 07:25:29.090000: | libevent_malloc: new ptr-libevent@0x563fe544e400 size 128
Sep 21 07:25:29.090004: | libevent_malloc: new ptr-libevent@0x563fe543ccc0 size 16
Sep 21 07:25:29.090012: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x563fe54417d0
Sep 21 07:25:29.090016: | libevent_malloc: new ptr-libevent@0x563fe544e490 size 128
Sep 21 07:25:29.090019: | libevent_malloc: new ptr-libevent@0x563fe5441720 size 16
Sep 21 07:25:29.090220: | global one-shot timer EVENT_CHECK_CRLS initialized
Sep 21 07:25:29.090229: selinux support is enabled.
Sep 21 07:25:29.090304: systemd watchdog not enabled - not sending watchdog keepalives
Sep 21 07:25:29.090485: | unbound context created - setting debug level to 5
Sep 21 07:25:29.090522: | /etc/hosts lookups activated
Sep 21 07:25:29.090543: | /etc/resolv.conf usage activated
Sep 21 07:25:29.090587: | outgoing-port-avoid set 0-65535
Sep 21 07:25:29.090604: | outgoing-port-permit set 32768-60999
Sep 21 07:25:29.090606: | Loading dnssec root key from:/var/lib/unbound/root.key
Sep 21 07:25:29.090608: | No additional dnssec trust anchors defined via dnssec-trusted= option
Sep 21 07:25:29.090610: | Setting up events, loop start
Sep 21 07:25:29.090613: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x563fe5441520
Sep 21 07:25:29.090615: | libevent_malloc: new ptr-libevent@0x563fe5458a00 size 128
Sep 21 07:25:29.090617: | libevent_malloc: new ptr-libevent@0x563fe5458a90 size 16
Sep 21 07:25:29.090622: | libevent_realloc: new ptr-libevent@0x563fe53be5b0 size 256
Sep 21 07:25:29.090624: | libevent_malloc: new ptr-libevent@0x563fe5458ab0 size 8
Sep 21 07:25:29.090626: | libevent_realloc: new ptr-libevent@0x563fe544d700 size 144
Sep 21 07:25:29.090628: | libevent_malloc: new ptr-libevent@0x563fe5458ad0 size 152
Sep 21 07:25:29.090630: | libevent_malloc: new ptr-libevent@0x563fe5458b70 size 16
Sep 21 07:25:29.090633: | signal event handler PLUTO_SIGCHLD installed
Sep 21 07:25:29.090634: | libevent_malloc: new ptr-libevent@0x563fe5458b90 size 8
Sep 21 07:25:29.090636: | libevent_malloc: new ptr-libevent@0x563fe5458bb0 size 152
Sep 21 07:25:29.090638: | signal event handler PLUTO_SIGTERM installed
Sep 21 07:25:29.090640: | libevent_malloc: new ptr-libevent@0x563fe5458c50 size 8
Sep 21 07:25:29.090641: | libevent_malloc: new ptr-libevent@0x563fe5458c70 size 152
Sep 21 07:25:29.090643: | signal event handler PLUTO_SIGHUP installed
Sep 21 07:25:29.090645: | libevent_malloc: new ptr-libevent@0x563fe5458d10 size 8
Sep 21 07:25:29.090646: | libevent_realloc: release ptr-libevent@0x563fe544d700
Sep 21 07:25:29.090648: | libevent_realloc: new ptr-libevent@0x563fe5458d30 size 256
Sep 21 07:25:29.090650: | libevent_malloc: new ptr-libevent@0x563fe544d700 size 152
Sep 21 07:25:29.090651: | signal event handler PLUTO_SIGSYS installed
Sep 21 07:25:29.090914: | created addconn helper (pid:7897) using fork+execve
Sep 21 07:25:29.090927: | forked child 7897
Sep 21 07:25:29.090957: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721)
Sep 21 07:25:29.090971: | pluto_sd: executing action action: reloading(4), status 0
Sep 21 07:25:29.090976: listening for IKE messages
Sep 21 07:25:29.091007: | Inspecting interface lo
Sep 21 07:25:29.091011: | found lo with address 127.0.0.1
Sep 21 07:25:29.091013: | Inspecting interface eth0
Sep 21 07:25:29.091016: | found eth0 with address 192.0.2.254
Sep 21 07:25:29.091017: | Inspecting interface eth1
Sep 21 07:25:29.091020: | found eth1 with address 192.1.2.23
Sep 21 07:25:29.091060: Kernel supports NIC esp-hw-offload
Sep 21 07:25:29.091073: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500
Sep 21 07:25:29.091099: | NAT-Traversal: Trying sockopt style NAT-T
Sep 21 07:25:29.091110: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Sep 21 07:25:29.091114: adding interface eth1/eth1 192.1.2.23:4500
Sep 21 07:25:29.091142: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500
Sep 21 07:25:29.091163: | NAT-Traversal: Trying sockopt style NAT-T
Sep 21 07:25:29.091166: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Sep 21 07:25:29.091168: adding interface eth0/eth0 192.0.2.254:4500
Sep 21 07:25:29.091187: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500
Sep 21 07:25:29.091204: | NAT-Traversal: Trying sockopt style NAT-T
Sep 21 07:25:29.091206: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Sep 21 07:25:29.091209: adding interface lo/lo 127.0.0.1:4500
Sep 21 07:25:29.091274: | no interfaces to sort
Sep 21 07:25:29.091277: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
Sep 21 07:25:29.091283: | add_fd_read_event_handler: new ethX-pe@0x563fe54422a0
Sep 21 07:25:29.091285: | libevent_malloc: new ptr-libevent@0x563fe54590a0 size 128
Sep 21 07:25:29.091287: | libevent_malloc: new ptr-libevent@0x563fe5459130 size 16
Sep 21 07:25:29.091292: | setup callback for interface lo 127.0.0.1:4500 fd 22
Sep 21 07:25:29.091294: | add_fd_read_event_handler: new ethX-pe@0x563fe5459150
Sep 21 07:25:29.091296: | libevent_malloc: new ptr-libevent@0x563fe5459190 size 128
Sep 21 07:25:29.091297: | libevent_malloc: new ptr-libevent@0x563fe5459220 size 16
Sep 21 07:25:29.091300: | setup callback for interface lo 127.0.0.1:500 fd 21
Sep 21 07:25:29.091302: | add_fd_read_event_handler: new ethX-pe@0x563fe5459240
Sep 21 07:25:29.091303: | libevent_malloc: new ptr-libevent@0x563fe5459280 size 128
Sep 21 07:25:29.091305: | libevent_malloc: new ptr-libevent@0x563fe5459310 size 16
Sep 21 07:25:29.091308: | setup callback for interface eth0 192.0.2.254:4500 fd 20
Sep 21 07:25:29.091309: | add_fd_read_event_handler: new ethX-pe@0x563fe5459330
Sep 21 07:25:29.091311: | libevent_malloc: new ptr-libevent@0x563fe5459370 size 128
Sep 21 07:25:29.091313: | libevent_malloc: new ptr-libevent@0x563fe5459400 size 16
Sep 21 07:25:29.091315: | setup callback for interface eth0 192.0.2.254:500 fd 19
Sep 21 07:25:29.091317: | add_fd_read_event_handler: new ethX-pe@0x563fe5459420
Sep 21 07:25:29.091319: | libevent_malloc: new ptr-libevent@0x563fe5459460 size 128
Sep 21 07:25:29.091320: | libevent_malloc: new ptr-libevent@0x563fe54594f0 size 16
Sep 21 07:25:29.091323: | setup callback for interface eth1 192.1.2.23:4500 fd 18
Sep 21 07:25:29.091325: | add_fd_read_event_handler: new ethX-pe@0x563fe5459510
Sep 21 07:25:29.091327: | libevent_malloc: new ptr-libevent@0x563fe5459550 size 128
Sep 21 07:25:29.091328: | libevent_malloc: new ptr-libevent@0x563fe54595e0 size 16
Sep 21 07:25:29.091331: | setup callback for interface eth1 192.1.2.23:500 fd 17
Sep 21 07:25:29.091334: | certs and keys locked by 'free_preshared_secrets'
Sep 21 07:25:29.091336: | certs and keys unlocked by 'free_preshared_secrets'
Sep 21 07:25:29.091351: loading secrets from "/etc/ipsec.secrets"
Sep 21 07:25:29.091359: | Processing PSK at line 1: passed
Sep 21 07:25:29.091361: | certs and keys locked by 'process_secret'
Sep 21 07:25:29.091363: | certs and keys unlocked by 'process_secret'
Sep 21 07:25:29.091367: | pluto_sd: executing action action: ready(5), status 0
Sep 21 07:25:29.091373: | close_any(fd@16) (in whack_process() at rcv_whack.c:700)
Sep 21 07:25:29.091378: | spent 0.427 milliseconds in whack
Sep 21 07:25:29.117072: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721)
Sep 21 07:25:29.117092: | pluto_sd: executing action action: reloading(4), status 0
Sep 21 07:25:29.117096: listening for IKE messages
Sep 21 07:25:29.117125: | Inspecting interface lo
Sep 21 07:25:29.117129: | found lo with address 127.0.0.1
Sep 21 07:25:29.117131: | Inspecting interface eth0
Sep 21 07:25:29.117134: | found eth0 with address 192.0.2.254
Sep 21 07:25:29.117140: | Inspecting interface eth1
Sep 21 07:25:29.117142: | found eth1 with address 192.1.2.23
Sep 21 07:25:29.117205: | no interfaces to sort
Sep 21 07:25:29.117212: | libevent_free: release ptr-libevent@0x563fe54590a0
Sep 21 07:25:29.117214: | free_event_entry: release EVENT_NULL-pe@0x563fe54422a0
Sep 21 07:25:29.117216: | add_fd_read_event_handler: new ethX-pe@0x563fe54422a0
Sep 21 07:25:29.117218: | libevent_malloc: new ptr-libevent@0x563fe54590a0 size 128
Sep 21 07:25:29.117224: | setup callback for interface lo 127.0.0.1:4500 fd 22
Sep 21 07:25:29.117226: | libevent_free: release ptr-libevent@0x563fe5459190
Sep 21 07:25:29.117228: | free_event_entry: release EVENT_NULL-pe@0x563fe5459150
Sep 21 07:25:29.117229: | add_fd_read_event_handler: new ethX-pe@0x563fe5459150
Sep 21 07:25:29.117231: | libevent_malloc: new ptr-libevent@0x563fe5459190 size 128
Sep 21 07:25:29.117234: | setup callback for interface lo 127.0.0.1:500 fd 21
Sep 21 07:25:29.117236: | libevent_free: release ptr-libevent@0x563fe5459280
Sep 21 07:25:29.117238: | free_event_entry: release EVENT_NULL-pe@0x563fe5459240
Sep 21 07:25:29.117239: | add_fd_read_event_handler: new ethX-pe@0x563fe5459240
Sep 21 07:25:29.117241: | libevent_malloc: new ptr-libevent@0x563fe5459280 size 128
Sep 21 07:25:29.117243: | setup callback for interface eth0 192.0.2.254:4500 fd 20
Sep 21 07:25:29.117246: | libevent_free: release ptr-libevent@0x563fe5459370
Sep 21 07:25:29.117247: | free_event_entry: release EVENT_NULL-pe@0x563fe5459330
Sep 21 07:25:29.117249: | add_fd_read_event_handler: new ethX-pe@0x563fe5459330
Sep 21 07:25:29.117250: | libevent_malloc: new ptr-libevent@0x563fe5459370 size 128
Sep 21 07:25:29.117253: | setup callback for interface eth0 192.0.2.254:500 fd 19
Sep 21 07:25:29.117255: | libevent_free: release ptr-libevent@0x563fe5459460
Sep 21 07:25:29.117257: | free_event_entry: release EVENT_NULL-pe@0x563fe5459420
Sep 21 07:25:29.117258: | add_fd_read_event_handler: new ethX-pe@0x563fe5459420
Sep 21 07:25:29.117260: | libevent_malloc: new ptr-libevent@0x563fe5459460 size 128
Sep 21 07:25:29.117262: | setup callback for interface eth1 192.1.2.23:4500 fd 18
Sep 21 07:25:29.117265: | libevent_free: release ptr-libevent@0x563fe5459550
Sep 21 07:25:29.117266: | free_event_entry: release EVENT_NULL-pe@0x563fe5459510
Sep 21 07:25:29.117267: | add_fd_read_event_handler: new ethX-pe@0x563fe5459510
Sep 21 07:25:29.117269: | libevent_malloc: new ptr-libevent@0x563fe5459550 size 128
Sep 21 07:25:29.117272: | setup callback for interface eth1 192.1.2.23:500 fd 17
Sep 21 07:25:29.117274: | certs and keys locked by 'free_preshared_secrets'
Sep 21 07:25:29.117275: forgetting secrets
Sep 21 07:25:29.117280: | certs and keys unlocked by 'free_preshared_secrets'
Sep 21 07:25:29.117291: loading secrets from "/etc/ipsec.secrets"
Sep 21 07:25:29.117296: | Processing PSK at line 1: passed
Sep 21 07:25:29.117298: | certs and keys locked by 'process_secret'
Sep 21 07:25:29.117299: | certs and keys unlocked by 'process_secret'
Sep 21 07:25:29.117302: | pluto_sd: executing action action: ready(5), status 0
Sep 21 07:25:29.117307: | close_any(fd@16) (in whack_process() at rcv_whack.c:700)
Sep 21 07:25:29.117311: | spent 0.247 milliseconds in whack
Sep 21 07:25:29.117661: | processing signal PLUTO_SIGCHLD
Sep 21 07:25:29.117677: | waitpid returned pid 7897 (exited with status 0)
Sep 21 07:25:29.117681: | reaped addconn helper child (status 0)
Sep 21 07:25:29.117686: | waitpid returned ECHILD (no child processes left)
Sep 21 07:25:29.117691: | spent 0.019 milliseconds in signal handler PLUTO_SIGCHLD
Sep 21 07:25:29.190135: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721)
Sep 21 07:25:29.190163: | FOR_EACH_CONNECTION_... in conn_by_name
Sep 21 07:25:29.190166: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias
Sep 21 07:25:29.190169: | FOR_EACH_CONNECTION_... in conn_by_name
Sep 21 07:25:29.190171: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias
Sep 21 07:25:29.190175: | FOR_EACH_CONNECTION_... in conn_by_name
Sep 21 07:25:29.190188: | Added new connection eastnet-any with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
Sep 21 07:25:29.190243: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
Sep 21 07:25:29.190249: | from whack: got --esp=
Sep 21 07:25:29.190278: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
Sep 21 07:25:29.190325: | counting wild cards for (none) is 15
Sep 21 07:25:29.190332: | counting wild cards for @east is 0
Sep 21 07:25:29.190340: | based upon policy, the connection is a template.
Sep 21 07:25:29.190347: | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none Sep 21 07:25:29.190351: | new hp@0x563fe5425a30 Sep 21 07:25:29.190356: added connection description "eastnet-any" Sep 21 07:25:29.190368: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:25:29.190379: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...%any===192.0.1.0/24 Sep 21 07:25:29.190386: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:29.190393: | spent 0.234 milliseconds in whack Sep 21 07:25:30.397587: | spent 0.00278 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:25:30.397614: | *received 828 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) Sep 21 07:25:30.397617: | 1d 6d 17 28 01 df d9 ba 00 00 00 00 00 00 00 00 Sep 21 07:25:30.397619: | 21 20 22 08 00 00 00 00 00 00 03 3c 22 00 01 b4 Sep 21 07:25:30.397620: | 02 00 00 64 01 01 00 0b 03 00 00 0c 01 00 00 14 Sep 21 07:25:30.397622: | 80 0e 01 00 03 00 00 08 02 00 00 07 03 00 00 08 Sep 21 07:25:30.397623: | 02 00 00 05 03 00 00 08 04 00 00 0e 03 00 00 08 Sep 21 07:25:30.397624: | 04 00 00 0f 03 00 00 08 04 00 00 10 03 00 00 08 Sep 21 07:25:30.397626: | 04 00 00 12 03 00 00 08 04 00 00 13 03 00 00 08 Sep 21 07:25:30.397627: | 04 00 00 14 03 00 00 08 04 00 00 15 00 00 00 08 Sep 21 07:25:30.397628: | 04 00 00 1f 02 00 00 64 02 01 00 0b 03 00 00 0c Sep 21 07:25:30.397630: | 01 00 00 14 80 0e 00 80 03 00 00 08 02 00 00 07 Sep 21 07:25:30.397631: | 03 00 00 08 02 00 00 05 03 00 00 08 04 00 00 0e Sep 21 07:25:30.397632: | 03 00 00 08 04 00 00 0f 03 00 00 08 04 00 00 10 Sep 21 07:25:30.397634: | 03 00 00 08 04 00 00 12 03 00 00 08 04 00 00 13 Sep 21 07:25:30.397635: | 03 00 00 08 04 00 00 14 03 00 00 08 04 00 00 15 Sep 21 07:25:30.397637: | 00 00 00 08 04 00 00 1f 02 00 00 74 03 01 00 0d Sep 21 07:25:30.397638: | 03 
00 00 0c 01 00 00 0c 80 0e 01 00 03 00 00 08 Sep 21 07:25:30.397639: | 02 00 00 07 03 00 00 08 02 00 00 05 03 00 00 08 Sep 21 07:25:30.397641: | 03 00 00 0e 03 00 00 08 03 00 00 0c 03 00 00 08 Sep 21 07:25:30.397642: | 04 00 00 0e 03 00 00 08 04 00 00 0f 03 00 00 08 Sep 21 07:25:30.397643: | 04 00 00 10 03 00 00 08 04 00 00 12 03 00 00 08 Sep 21 07:25:30.397645: | 04 00 00 13 03 00 00 08 04 00 00 14 03 00 00 08 Sep 21 07:25:30.397646: | 04 00 00 15 00 00 00 08 04 00 00 1f 00 00 00 74 Sep 21 07:25:30.397647: | 04 01 00 0d 03 00 00 0c 01 00 00 0c 80 0e 00 80 Sep 21 07:25:30.397649: | 03 00 00 08 02 00 00 07 03 00 00 08 02 00 00 05 Sep 21 07:25:30.397650: | 03 00 00 08 03 00 00 0e 03 00 00 08 03 00 00 0c Sep 21 07:25:30.397652: | 03 00 00 08 04 00 00 0e 03 00 00 08 04 00 00 0f Sep 21 07:25:30.397653: | 03 00 00 08 04 00 00 10 03 00 00 08 04 00 00 12 Sep 21 07:25:30.397654: | 03 00 00 08 04 00 00 13 03 00 00 08 04 00 00 14 Sep 21 07:25:30.397658: | 03 00 00 08 04 00 00 15 00 00 00 08 04 00 00 1f Sep 21 07:25:30.397660: | 28 00 01 08 00 0e 00 00 76 08 f8 d0 0f 00 47 33 Sep 21 07:25:30.397661: | 45 01 9e 66 0e 02 63 1f 04 fb 8f e8 9d 33 69 f3 Sep 21 07:25:30.397662: | 62 b8 42 d7 d0 d7 e4 2f e1 c2 5b cb a9 1a 62 a8 Sep 21 07:25:30.397664: | 31 ec e1 1a 78 0a 44 09 6e d1 2d 92 f8 72 99 e5 Sep 21 07:25:30.397665: | a2 eb 10 47 b1 c4 ad 4b 79 33 e7 fe 0c d3 19 20 Sep 21 07:25:30.397667: | 75 16 72 af 71 be 7e 35 46 f7 4c ec cd 5f 54 41 Sep 21 07:25:30.397668: | fe 6f 54 bf 57 9a a0 00 c5 1b 85 ee ef 12 f2 e7 Sep 21 07:25:30.397669: | c5 cd 6d f8 43 d9 e7 0c ef 6a 05 bb 68 48 c0 e1 Sep 21 07:25:30.397671: | f2 f2 a3 51 ed 21 6a 09 dc cd 73 17 47 3b 59 76 Sep 21 07:25:30.397672: | 4d d7 cc b9 ff c1 93 6b 87 85 36 23 33 0b f6 e0 Sep 21 07:25:30.397673: | 6c 6b a8 f2 b5 d9 9f 3a 23 33 d3 25 88 c1 38 5a Sep 21 07:25:30.397675: | 39 41 60 08 e5 28 0f 95 15 a7 17 8f ab 31 58 29 Sep 21 07:25:30.397676: | 27 19 b6 f4 ea e2 14 9d c3 1f fb 1e f3 08 c3 4b Sep 21 07:25:30.397678: | 22 
26 ae 5a 43 0d b9 99 db d3 16 f7 d7 b8 5b c4 Sep 21 07:25:30.397679: | 7d ba 66 4a e5 7e 04 bf 22 6d d0 38 24 29 ab db Sep 21 07:25:30.397680: | 03 84 ae 3b e8 70 58 d6 ac 48 91 2f 2d be 0e 48 Sep 21 07:25:30.397682: | d9 ae b3 7d ad 7b 0a 2a 29 00 00 24 90 68 7b af Sep 21 07:25:30.397683: | f3 69 07 2f 0f c0 09 ce 05 3e 27 30 09 25 91 af Sep 21 07:25:30.397684: | 2a 78 e8 14 6e 66 c0 b7 55 75 8a 80 29 00 00 08 Sep 21 07:25:30.397686: | 00 00 40 2e 29 00 00 1c 00 00 40 04 cf f3 6f 94 Sep 21 07:25:30.397687: | 38 fc 63 b0 bf e4 d8 4b 83 e9 bc 79 2d 8e 62 4f Sep 21 07:25:30.397688: | 00 00 00 1c 00 00 40 05 f3 0b d9 46 dd 2f 67 e5 Sep 21 07:25:30.397690: | a6 c5 df 1d c5 0c b0 cb e2 45 fd 0b Sep 21 07:25:30.397694: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Sep 21 07:25:30.397697: | **parse ISAKMP Message: Sep 21 07:25:30.397699: | initiator cookie: Sep 21 07:25:30.397700: | 1d 6d 17 28 01 df d9 ba Sep 21 07:25:30.397702: | responder cookie: Sep 21 07:25:30.397703: | 00 00 00 00 00 00 00 00 Sep 21 07:25:30.397705: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:25:30.397707: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:30.397708: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:25:30.397710: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:25:30.397711: | Message ID: 0 (0x0) Sep 21 07:25:30.397713: | length: 828 (0x33c) Sep 21 07:25:30.397715: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Sep 21 07:25:30.397717: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Sep 21 07:25:30.397720: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Sep 21 07:25:30.397722: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:25:30.397724: | ***parse IKEv2 Security Association Payload: Sep 21 07:25:30.397725: | next payload type: ISAKMP_NEXT_v2KE (0x22) Sep 21 07:25:30.397727: | flags: none (0x0) Sep 21 07:25:30.397728: | 
length: 436 (0x1b4) Sep 21 07:25:30.397730: | processing payload: ISAKMP_NEXT_v2SA (len=432) Sep 21 07:25:30.397732: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:25:30.397733: | ***parse IKEv2 Key Exchange Payload: Sep 21 07:25:30.397735: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:25:30.397736: | flags: none (0x0) Sep 21 07:25:30.397738: | length: 264 (0x108) Sep 21 07:25:30.397739: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:30.397741: | processing payload: ISAKMP_NEXT_v2KE (len=256) Sep 21 07:25:30.397742: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 21 07:25:30.397744: | ***parse IKEv2 Nonce Payload: Sep 21 07:25:30.397745: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:25:30.397747: | flags: none (0x0) Sep 21 07:25:30.397748: | length: 36 (0x24) Sep 21 07:25:30.397751: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:25:30.397752: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:25:30.397754: | ***parse IKEv2 Notify Payload: Sep 21 07:25:30.397755: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:25:30.397757: | flags: none (0x0) Sep 21 07:25:30.397758: | length: 8 (0x8) Sep 21 07:25:30.397760: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:30.397761: | SPI size: 0 (0x0) Sep 21 07:25:30.397763: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:25:30.397765: | processing payload: ISAKMP_NEXT_v2N (len=0) Sep 21 07:25:30.397766: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:25:30.397767: | ***parse IKEv2 Notify Payload: Sep 21 07:25:30.397769: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:25:30.397770: | flags: none (0x0) Sep 21 07:25:30.397772: | length: 28 (0x1c) Sep 21 07:25:30.397773: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:30.397774: | SPI size: 0 (0x0) Sep 21 07:25:30.397776: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:25:30.397778: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 
07:25:30.397779: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:25:30.397780: | ***parse IKEv2 Notify Payload: Sep 21 07:25:30.397782: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:30.397804: | flags: none (0x0) Sep 21 07:25:30.397806: | length: 28 (0x1c) Sep 21 07:25:30.397807: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:30.397809: | SPI size: 0 (0x0) Sep 21 07:25:30.397810: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:25:30.397812: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:25:30.397814: | DDOS disabled and no cookie sent, continuing Sep 21 07:25:30.397818: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:25:30.397820: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:25:30.397821: | find_next_host_connection returns empty Sep 21 07:25:30.397824: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:25:30.397828: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:25:30.397829: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:25:30.397832: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (eastnet-any) Sep 21 07:25:30.397834: | find_next_host_connection returns empty Sep 21 07:25:30.397836: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Sep 21 07:25:30.397839: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:25:30.397840: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:25:30.397842: | find_next_host_connection returns empty Sep 21 07:25:30.397844: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:25:30.397847: | find_host_pair: comparing 192.1.2.23:500 
to 0.0.0.0:500 but ignoring ports Sep 21 07:25:30.397848: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:25:30.397850: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (eastnet-any) Sep 21 07:25:30.397852: | find_next_host_connection returns empty Sep 21 07:25:30.397854: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Sep 21 07:25:30.397857: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=PSK+IKEV2_ALLOW but ignoring ports Sep 21 07:25:30.397858: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:25:30.397860: | find_next_host_connection returns empty Sep 21 07:25:30.397862: | find_host_connection local=192.1.2.23:500 remote= policy=PSK+IKEV2_ALLOW but ignoring ports Sep 21 07:25:30.397866: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:25:30.397868: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:25:30.397870: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (eastnet-any) Sep 21 07:25:30.397871: | find_next_host_connection returns eastnet-any Sep 21 07:25:30.397873: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:25:30.397874: | find_next_host_connection returns empty Sep 21 07:25:30.397876: | rw_instantiate Sep 21 07:25:30.397881: | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none Sep 21 07:25:30.397884: | new hp@0x563fe53ebe20 Sep 21 07:25:30.397887: | rw_instantiate() instantiated "eastnet-any"[1] 192.1.2.45 for 192.1.2.45 Sep 21 07:25:30.397889: | found connection: eastnet-any[1] 192.1.2.45 with policy PSK+IKEV2_ALLOW Sep 21 07:25:30.397892: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:25:30.397912: | creating state object #1 at 0x563fe545cd10 Sep 21 07:25:30.397914: | State DB: adding IKEv2 state #1 in UNDEFINED Sep 21 
07:25:30.397919: | pstats #1 ikev2.ike started Sep 21 07:25:30.397921: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Sep 21 07:25:30.397923: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Sep 21 07:25:30.397939: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:25:30.397946: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:25:30.397948: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:25:30.397951: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:25:30.397953: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Sep 21 07:25:30.397956: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Sep 21 07:25:30.397958: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Sep 21 07:25:30.397960: | #1 in state PARENT_R0: processing SA_INIT request Sep 21 07:25:30.397962: | selected state microcode Respond to IKE_SA_INIT Sep 21 07:25:30.397964: | Now let's proceed with state specific processing Sep 21 07:25:30.397965: | calling processor Respond to IKE_SA_INIT Sep 21 07:25:30.397969: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:25:30.397971: | constructing local IKE proposals for eastnet-any (IKE SA responder matching remote proposals) Sep 21 07:25:30.397977: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:25:30.397982: | ... 
ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:25:30.397984: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:25:30.397988: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:25:30.397990: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:25:30.397993: | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:25:30.397995: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:25:30.398000: | ... 
ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:25:30.398006: "eastnet-any"[1] 192.1.2.45: constructed local IKE proposals for eastnet-any (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:25:30.398009: | Comparing remote proposals against IKE responder 4 local proposals Sep 21 07:25:30.398011: | local proposal 1 type ENCR has 1 transforms Sep 21 07:25:30.398012: | local proposal 1 type PRF has 2 transforms Sep 21 07:25:30.398014: | local proposal 1 type INTEG has 1 transforms Sep 21 07:25:30.398015: | local proposal 1 type DH has 8 transforms Sep 21 07:25:30.398017: | local proposal 1 type ESN has 0 transforms Sep 21 07:25:30.398019: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Sep 21 07:25:30.398020: | local proposal 2 type ENCR has 1 transforms Sep 21 07:25:30.398022: | local proposal 2 type PRF has 2 transforms Sep 21 07:25:30.398023: | local proposal 2 type INTEG has 1 transforms Sep 21 07:25:30.398025: | local proposal 2 type DH has 8 transforms Sep 21 07:25:30.398026: | local proposal 2 type ESN has 0 transforms Sep 21 07:25:30.398028: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Sep 21 07:25:30.398029: | local proposal 3 type ENCR has 1 
transforms Sep 21 07:25:30.398030: | local proposal 3 type PRF has 2 transforms Sep 21 07:25:30.398032: | local proposal 3 type INTEG has 2 transforms Sep 21 07:25:30.398033: | local proposal 3 type DH has 8 transforms Sep 21 07:25:30.398035: | local proposal 3 type ESN has 0 transforms Sep 21 07:25:30.398036: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:25:30.398038: | local proposal 4 type ENCR has 1 transforms Sep 21 07:25:30.398039: | local proposal 4 type PRF has 2 transforms Sep 21 07:25:30.398041: | local proposal 4 type INTEG has 2 transforms Sep 21 07:25:30.398042: | local proposal 4 type DH has 8 transforms Sep 21 07:25:30.398044: | local proposal 4 type ESN has 0 transforms Sep 21 07:25:30.398045: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:25:30.398047: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:30.398049: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:30.398050: | length: 100 (0x64) Sep 21 07:25:30.398052: | prop #: 1 (0x1) Sep 21 07:25:30.398053: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:25:30.398054: | spi size: 0 (0x0) Sep 21 07:25:30.398056: | # transforms: 11 (0xb) Sep 21 07:25:30.398058: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Sep 21 07:25:30.398060: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398062: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398063: | length: 12 (0xc) Sep 21 07:25:30.398064: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:30.398066: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:30.398067: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:30.398069: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:30.398070: | length/value: 256 (0x100) Sep 21 07:25:30.398073: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 
07:25:30.398076: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398077: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398079: | length: 8 (0x8) Sep 21 07:25:30.398080: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:30.398082: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:25:30.398084: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Sep 21 07:25:30.398086: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Sep 21 07:25:30.398087: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Sep 21 07:25:30.398089: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Sep 21 07:25:30.398091: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398092: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398094: | length: 8 (0x8) Sep 21 07:25:30.398095: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:30.398096: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:25:30.398098: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398099: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398101: | length: 8 (0x8) Sep 21 07:25:30.398102: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398103: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:30.398105: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Sep 21 07:25:30.398107: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Sep 21 07:25:30.398109: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Sep 21 07:25:30.398111: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Sep 21 07:25:30.398112: | *****parse IKEv2 
Transform Substructure Payload: Sep 21 07:25:30.398114: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398115: | length: 8 (0x8) Sep 21 07:25:30.398116: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398118: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:25:30.398119: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398121: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398122: | length: 8 (0x8) Sep 21 07:25:30.398124: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398125: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:25:30.398127: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398128: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398129: | length: 8 (0x8) Sep 21 07:25:30.398131: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398132: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:25:30.398134: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398135: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398136: | length: 8 (0x8) Sep 21 07:25:30.398138: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398139: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:25:30.398141: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398142: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398144: | length: 8 (0x8) Sep 21 07:25:30.398145: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398146: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:25:30.398148: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398149: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398151: | length: 8 (0x8) Sep 21 07:25:30.398152: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398154: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:25:30.398155: | *****parse IKEv2 Transform Substructure 
Payload: Sep 21 07:25:30.398158: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:30.398159: | length: 8 (0x8) Sep 21 07:25:30.398160: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398162: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:25:30.398164: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Sep 21 07:25:30.398167: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Sep 21 07:25:30.398168: | remote proposal 1 matches local proposal 1 Sep 21 07:25:30.398170: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:30.398171: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:30.398173: | length: 100 (0x64) Sep 21 07:25:30.398174: | prop #: 2 (0x2) Sep 21 07:25:30.398176: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:25:30.398177: | spi size: 0 (0x0) Sep 21 07:25:30.398178: | # transforms: 11 (0xb) Sep 21 07:25:30.398180: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:30.398182: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398183: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398185: | length: 12 (0xc) Sep 21 07:25:30.398186: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:30.398187: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:30.398189: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:30.398190: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:30.398192: | length/value: 128 (0x80) Sep 21 07:25:30.398193: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398195: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398196: | length: 8 (0x8) Sep 21 07:25:30.398198: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:30.398199: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:25:30.398201: | 
*****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398202: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398203: | length: 8 (0x8) Sep 21 07:25:30.398205: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:30.398206: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:25:30.398208: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398209: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398210: | length: 8 (0x8) Sep 21 07:25:30.398212: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398213: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:30.398215: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398216: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398218: | length: 8 (0x8) Sep 21 07:25:30.398219: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398220: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:25:30.398222: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398223: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398225: | length: 8 (0x8) Sep 21 07:25:30.398226: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398227: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:25:30.398229: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398230: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398232: | length: 8 (0x8) Sep 21 07:25:30.398233: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398235: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:25:30.398236: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398237: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398239: | length: 8 (0x8) Sep 21 07:25:30.398240: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398242: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:25:30.398245: | *****parse IKEv2 Transform 
Substructure Payload: Sep 21 07:25:30.398247: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398248: | length: 8 (0x8) Sep 21 07:25:30.398250: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398251: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:25:30.398253: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398254: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398255: | length: 8 (0x8) Sep 21 07:25:30.398257: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398258: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:25:30.398260: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398261: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:30.398262: | length: 8 (0x8) Sep 21 07:25:30.398264: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398265: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:25:30.398267: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Sep 21 07:25:30.398269: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Sep 21 07:25:30.398271: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:30.398272: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:30.398273: | length: 116 (0x74) Sep 21 07:25:30.398275: | prop #: 3 (0x3) Sep 21 07:25:30.398276: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:25:30.398277: | spi size: 0 (0x0) Sep 21 07:25:30.398279: | # transforms: 13 (0xd) Sep 21 07:25:30.398281: | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:30.398282: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398284: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398285: | length: 12 (0xc) Sep 21 07:25:30.398286: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:30.398301: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 
07:25:30.398302: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:30.398304: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:30.398305: | length/value: 256 (0x100) Sep 21 07:25:30.398307: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398309: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398310: | length: 8 (0x8) Sep 21 07:25:30.398311: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:30.398313: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:25:30.398314: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398316: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398317: | length: 8 (0x8) Sep 21 07:25:30.398319: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:30.398320: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:25:30.398322: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398323: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398324: | length: 8 (0x8) Sep 21 07:25:30.398326: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:30.398327: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:25:30.398329: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398331: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398332: | length: 8 (0x8) Sep 21 07:25:30.398333: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:30.398335: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:25:30.398336: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398338: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398339: | length: 8 (0x8) Sep 21 07:25:30.398341: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398342: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:30.398344: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398346: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 
07:25:30.398347: | length: 8 (0x8) Sep 21 07:25:30.398362: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398363: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:25:30.398365: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398366: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398368: | length: 8 (0x8) Sep 21 07:25:30.398369: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398370: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:25:30.398372: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398373: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398375: | length: 8 (0x8) Sep 21 07:25:30.398376: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398377: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:25:30.398379: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398380: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398382: | length: 8 (0x8) Sep 21 07:25:30.398383: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398385: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:25:30.398386: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398388: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398389: | length: 8 (0x8) Sep 21 07:25:30.398390: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398392: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:25:30.398393: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398395: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398396: | length: 8 (0x8) Sep 21 07:25:30.398397: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398399: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:25:30.398400: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398402: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:30.398403: | length: 
8 (0x8) Sep 21 07:25:30.398404: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398406: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:25:30.398408: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Sep 21 07:25:30.398410: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Sep 21 07:25:30.398411: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:30.398413: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:25:30.398414: | length: 116 (0x74) Sep 21 07:25:30.398415: | prop #: 4 (0x4) Sep 21 07:25:30.398417: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:25:30.398418: | spi size: 0 (0x0) Sep 21 07:25:30.398419: | # transforms: 13 (0xd) Sep 21 07:25:30.398421: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:30.398423: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398424: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398425: | length: 12 (0xc) Sep 21 07:25:30.398427: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:30.398428: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:25:30.398430: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:30.398431: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:30.398432: | length/value: 128 (0x80) Sep 21 07:25:30.398434: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398435: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398437: | length: 8 (0x8) Sep 21 07:25:30.398438: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:30.398440: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:25:30.398441: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398443: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398445: | length: 8 (0x8) Sep 21 07:25:30.398446: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 
07:25:30.398447: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:25:30.398449: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398450: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398452: | length: 8 (0x8) Sep 21 07:25:30.398453: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:30.398455: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:25:30.398456: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398458: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398459: | length: 8 (0x8) Sep 21 07:25:30.398460: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:30.398462: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:25:30.398463: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398465: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398466: | length: 8 (0x8) Sep 21 07:25:30.398467: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398469: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:30.398470: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398472: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398473: | length: 8 (0x8) Sep 21 07:25:30.398475: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398476: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:25:30.398477: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398479: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398480: | length: 8 (0x8) Sep 21 07:25:30.398482: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398483: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:25:30.398485: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398486: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398487: | length: 8 (0x8) Sep 21 07:25:30.398489: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398490: | 
IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:25:30.398492: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398493: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398494: | length: 8 (0x8) Sep 21 07:25:30.398496: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398497: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:25:30.398499: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398500: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398502: | length: 8 (0x8) Sep 21 07:25:30.398503: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398504: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:25:30.398506: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398507: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.398509: | length: 8 (0x8) Sep 21 07:25:30.398510: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398511: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:25:30.398513: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.398514: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:30.398516: | length: 8 (0x8) Sep 21 07:25:30.398517: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.398519: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:25:30.398521: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Sep 21 07:25:30.398522: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Sep 21 07:25:30.398525: "eastnet-any"[1] 192.1.2.45 #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Sep 21 07:25:30.398529: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Sep 21 07:25:30.398530: | converting proposal to internal trans attrs Sep 21 07:25:30.398533: | natd_hash: rcookie is zero Sep 21 07:25:30.398542: | natd_hash: hasher=0x563fe40b67a0(20) Sep 21 07:25:30.398544: | natd_hash: icookie= 1d 6d 17 28 01 df d9 ba Sep 21 07:25:30.398545: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:25:30.398546: | natd_hash: ip= c0 01 02 17 Sep 21 07:25:30.398548: | natd_hash: port= 01 f4 Sep 21 07:25:30.398549: | natd_hash: hash= f3 0b d9 46 dd 2f 67 e5 a6 c5 df 1d c5 0c b0 cb Sep 21 07:25:30.398551: | natd_hash: hash= e2 45 fd 0b Sep 21 07:25:30.398552: | natd_hash: rcookie is zero Sep 21 07:25:30.398556: | natd_hash: hasher=0x563fe40b67a0(20) Sep 21 07:25:30.398558: | natd_hash: icookie= 1d 6d 17 28 01 df d9 ba Sep 21 07:25:30.398559: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:25:30.398561: | natd_hash: ip= c0 01 02 2d Sep 21 07:25:30.398562: | natd_hash: port= 01 f4 Sep 21 07:25:30.398563: | natd_hash: hash= cf f3 6f 94 38 fc 63 b0 bf e4 d8 4b 83 e9 bc 79 Sep 21 07:25:30.398565: | natd_hash: hash= 2d 8e 62 4f Sep 21 07:25:30.398566: | NAT_TRAVERSAL encaps using auto-detect Sep 21 07:25:30.398567: | NAT_TRAVERSAL this end is NOT behind NAT Sep 21 07:25:30.398569: | NAT_TRAVERSAL that end is NOT behind NAT Sep 21 07:25:30.398571: | NAT_TRAVERSAL 
nat-keepalive enabled 192.1.2.45 Sep 21 07:25:30.398574: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Sep 21 07:25:30.398576: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x563fe545ee80 Sep 21 07:25:30.398579: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:25:30.398581: | libevent_malloc: new ptr-libevent@0x563fe545eec0 size 128 Sep 21 07:25:30.398589: | #1 spent 0.62 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Sep 21 07:25:30.398607: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:30.398609: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Sep 21 07:25:30.398611: | suspending state #1 and saving MD Sep 21 07:25:30.398612: | #1 is busy; has a suspended MD Sep 21 07:25:30.398612: | crypto helper 1 resuming Sep 21 07:25:30.398615: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:25:30.398624: | crypto helper 1 starting work-order 1 for state #1 Sep 21 07:25:30.398626: | "eastnet-any"[1] 192.1.2.45 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:25:30.398628: | crypto helper 1 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Sep 21 07:25:30.398629: | stop processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:25:30.398636: | #1 spent 1.02 milliseconds in ikev2_process_packet() Sep 21 07:25:30.398639: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Sep 21 07:25:30.398641: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:25:30.398642: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:25:30.398645: | spent 1.03 milliseconds in 
comm_handle_cb() reading and processing packet Sep 21 07:25:30.399287: | crypto helper 1 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.000659 seconds Sep 21 07:25:30.399296: | (#1) spent 0.665 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Sep 21 07:25:30.399298: | crypto helper 1 sending results from work-order 1 for state #1 to event queue Sep 21 07:25:30.399300: | scheduling resume sending helper answer for #1 Sep 21 07:25:30.399302: | libevent_malloc: new ptr-libevent@0x7f1634006900 size 128 Sep 21 07:25:30.399308: | crypto helper 1 waiting (nothing to do) Sep 21 07:25:30.399316: | processing resume sending helper answer for #1 Sep 21 07:25:30.399327: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:797) Sep 21 07:25:30.399332: | crypto helper 1 replies to request ID 1 Sep 21 07:25:30.399335: | calling continuation function 0x563fe3fe0630 Sep 21 07:25:30.399337: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Sep 21 07:25:30.399366: | **emit ISAKMP Message: Sep 21 07:25:30.399369: | initiator cookie: Sep 21 07:25:30.399372: | 1d 6d 17 28 01 df d9 ba Sep 21 07:25:30.399374: | responder cookie: Sep 21 07:25:30.399376: | 4d 8f 7c 89 91 cc 50 f1 Sep 21 07:25:30.399379: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:30.399381: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:30.399384: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:25:30.399386: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:25:30.399388: | Message ID: 0 (0x0) Sep 21 07:25:30.399391: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:25:30.399394: | Emitting ikev2_proposal ... 
Sep 21 07:25:30.399396: | ***emit IKEv2 Security Association Payload: Sep 21 07:25:30.399399: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:30.399401: | flags: none (0x0) Sep 21 07:25:30.399404: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:25:30.399407: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:25:30.399410: | ****emit IKEv2 Proposal Substructure Payload: Sep 21 07:25:30.399412: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:25:30.399415: | prop #: 1 (0x1) Sep 21 07:25:30.399417: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:25:30.399420: | spi size: 0 (0x0) Sep 21 07:25:30.399422: | # transforms: 3 (0x3) Sep 21 07:25:30.399425: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:25:30.399428: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:25:30.399430: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.399433: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:30.399435: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:30.399438: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:30.399441: | ******emit IKEv2 Attribute Substructure Payload: Sep 21 07:25:30.399444: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:30.399447: | length/value: 256 (0x100) Sep 21 07:25:30.399450: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:25:30.399452: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:25:30.399455: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.399457: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:30.399459: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:25:30.399463: | last 
substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.399466: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:30.399470: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:25:30.399473: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:25:30.399476: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:30.399478: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:30.399481: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:30.399484: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.399487: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:30.399489: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:25:30.399492: | emitting length of IKEv2 Proposal Substructure Payload: 36 Sep 21 07:25:30.399494: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:25:30.399497: | emitting length of IKEv2 Security Association Payload: 40 Sep 21 07:25:30.399499: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:25:30.399503: | ***emit IKEv2 Key Exchange Payload: Sep 21 07:25:30.399505: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:30.399508: | flags: none (0x0) Sep 21 07:25:30.399510: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:30.399514: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 
07:25:30.399516: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:25:30.399520: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Sep 21 07:25:30.399560: | emitting length of IKEv2 Key Exchange Payload: 264 Sep 21 07:25:30.399563: | ***emit IKEv2 Nonce Payload: Sep 21 07:25:30.399565: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:25:30.399567: | flags: none (0x0) Sep 21 07:25:30.399570: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Sep 21 07:25:30.399573: | next payload chain: setting previous
'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:25:30.399575: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:25:30.399580: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:25:30.399583: | IKEv2 nonce a1 fe 8b 76 18 7e 58 0b 6d d2 1e e2 71 79 4f ef Sep 21 07:25:30.399585: | IKEv2 nonce 10 1a 7c 4b d3 a1 95 bd f4 2b a5 70 23 61 7e b2 Sep 21 07:25:30.399587: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:25:30.399589: | Adding a v2N Payload Sep 21 07:25:30.399591: | ***emit IKEv2 Notify Payload: Sep 21 07:25:30.399594: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:30.399596: | flags: none (0x0) Sep 21 07:25:30.399598: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:30.399600: | SPI size: 0 (0x0) Sep 21 07:25:30.399603: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:25:30.399606: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:25:30.399609: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:25:30.399611: | emitting length of IKEv2 Notify Payload: 8 Sep 21 07:25:30.399614: | NAT-Traversal support [enabled] add v2N payloads. 
Sep 21 07:25:30.399626: | natd_hash: hasher=0x563fe40b67a0(20) Sep 21 07:25:30.399628: | natd_hash: icookie= 1d 6d 17 28 01 df d9 ba Sep 21 07:25:30.399630: | natd_hash: rcookie= 4d 8f 7c 89 91 cc 50 f1 Sep 21 07:25:30.399632: | natd_hash: ip= c0 01 02 17 Sep 21 07:25:30.399634: | natd_hash: port= 01 f4 Sep 21 07:25:30.399637: | natd_hash: hash= 0e 3f e9 f0 86 4b ba d5 08 24 ef 29 ef b5 eb 0e Sep 21 07:25:30.399639: | natd_hash: hash= 5e 9c 64 6e Sep 21 07:25:30.399641: | Adding a v2N Payload Sep 21 07:25:30.399643: | ***emit IKEv2 Notify Payload: Sep 21 07:25:30.399646: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:30.399648: | flags: none (0x0) Sep 21 07:25:30.399650: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:30.399652: | SPI size: 0 (0x0) Sep 21 07:25:30.399655: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:25:30.399657: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:25:30.399660: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:25:30.399662: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:25:30.399665: | Notify data 0e 3f e9 f0 86 4b ba d5 08 24 ef 29 ef b5 eb 0e Sep 21 07:25:30.399667: | Notify data 5e 9c 64 6e Sep 21 07:25:30.399670: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:25:30.399675: | natd_hash: hasher=0x563fe40b67a0(20) Sep 21 07:25:30.399678: | natd_hash: icookie= 1d 6d 17 28 01 df d9 ba Sep 21 07:25:30.399680: | natd_hash: rcookie= 4d 8f 7c 89 91 cc 50 f1 Sep 21 07:25:30.399682: | natd_hash: ip= c0 01 02 2d Sep 21 07:25:30.399684: | natd_hash: port= 01 f4 Sep 21 07:25:30.399687: | natd_hash: hash= 90 ac 38 92 56 ce 5c c8 ea c7 a5 68 f3 e9 dc 08 Sep 21 07:25:30.399689: | natd_hash: hash= ad 69 d1 1d Sep 21 07:25:30.399691: | Adding a v2N Payload Sep 21 07:25:30.399693: | ***emit IKEv2 Notify Payload: Sep 21 
07:25:30.399696: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:30.399698: | flags: none (0x0) Sep 21 07:25:30.399700: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:30.399702: | SPI size: 0 (0x0) Sep 21 07:25:30.399705: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:25:30.399708: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:25:30.399711: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:25:30.399714: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:25:30.399716: | Notify data 90 ac 38 92 56 ce 5c c8 ea c7 a5 68 f3 e9 dc 08 Sep 21 07:25:30.399718: | Notify data ad 69 d1 1d Sep 21 07:25:30.399721: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:25:30.399725: | emitting length of ISAKMP Message: 432 Sep 21 07:25:30.399733: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:30.399737: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Sep 21 07:25:30.399739: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Sep 21 07:25:30.399742: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Sep 21 07:25:30.399745: | Message ID: updating counters for #1 to 0 after switching state Sep 21 07:25:30.399750: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Sep 21 07:25:30.399755: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Sep 21 07:25:30.399761: "eastnet-any"[1] 192.1.2.45 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a 
prf=HMAC_SHA2_512 group=MODP2048} Sep 21 07:25:30.399765: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Sep 21 07:25:30.399771: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Sep 21 07:25:30.399914: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:25:30.399919: | libevent_free: release ptr-libevent@0x563fe545eec0 Sep 21 07:25:30.399922: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x563fe545ee80 Sep 21 07:25:30.399925: | event_schedule: new EVENT_SO_DISCARD-pe@0x563fe545ee80 Sep 21 07:25:30.399929: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Sep 21 07:25:30.399932: | libevent_malloc: new ptr-libevent@0x563fe545eec0 size 128 Sep 21 07:25:30.399936: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Sep 21 07:25:30.399946: | #1 spent 0.59 milliseconds in resume sending helper answer Sep 21 07:25:30.399953: | stop processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:833) Sep 21 07:25:30.399956: | libevent_free: release ptr-libevent@0x7f1634006900 Sep 21 07:25:30.402690: | spent 0.00253 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:25:30.402708: | *received 365 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) Sep 21 07:25:30.402745: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Sep 21 07:25:30.402747: | **parse ISAKMP Message: Sep 21 07:25:30.402749: | initiator cookie: Sep 21 07:25:30.402750: | 1d 6d 17 28 01 df d9 ba Sep 21 07:25:30.402752: | responder cookie: Sep 21 07:25:30.402753: | 4d 8f 7c 89 91 cc 50 f1 Sep 21 07:25:30.402755: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:25:30.402756: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:30.402758: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:25:30.402760: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:25:30.402761: | Message ID: 1 (0x1) Sep 21 07:25:30.402763: | length: 365 (0x16d) Sep 21 07:25:30.402765: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Sep 21 07:25:30.402767: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Sep 21 07:25:30.402770:
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Sep 21 07:25:30.402774: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:25:30.402777: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:25:30.402780: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:25:30.402782: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Sep 21 07:25:30.402791: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Sep 21 07:25:30.402792: | unpacking clear payload Sep 21 07:25:30.402794: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:25:30.402798: | ***parse IKEv2 Encryption Payload: Sep 21 07:25:30.402800: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Sep 21 07:25:30.402802: | flags: none (0x0) Sep 21 07:25:30.402803: | length: 337 (0x151) Sep 21 07:25:30.402805: | processing payload: ISAKMP_NEXT_v2SK (len=333) Sep 21 07:25:30.402808: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Sep 21 07:25:30.402809: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:25:30.402812: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:25:30.402813: | Now let's proceed with state specific processing Sep 21 07:25:30.402815: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:25:30.402817: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Sep 21 07:25:30.402820: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Sep 21 07:25:30.402822: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Sep 21 07:25:30.402824: | state #1 requesting EVENT_SO_DISCARD to be deleted Sep 21 
07:25:30.402826: | libevent_free: release ptr-libevent@0x563fe545eec0 Sep 21 07:25:30.402828: | free_event_entry: release EVENT_SO_DISCARD-pe@0x563fe545ee80 Sep 21 07:25:30.402830: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x563fe545ee80 Sep 21 07:25:30.402833: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:25:30.402834: | libevent_malloc: new ptr-libevent@0x563fe545eec0 size 128 Sep 21 07:25:30.402842: | #1 spent 0.0238 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Sep 21 07:25:30.402846: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:30.402848: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Sep 21 07:25:30.402850: | suspending state #1 and saving MD Sep 21 07:25:30.402854: | #1 is busy; has a suspended MD Sep 21 07:25:30.402859: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:25:30.402849: | crypto helper 0 resuming Sep 21 07:25:30.402873: | crypto helper 0 starting work-order 2 for state #1 Sep 21 07:25:30.402879: | crypto helper 0 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Sep 21 07:25:30.402863: | "eastnet-any"[1] 192.1.2.45 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:25:30.402932: | stop processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:25:30.402938: | #1 spent 0.227 milliseconds in ikev2_process_packet() Sep 21 07:25:30.402941: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Sep 21 07:25:30.402943: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:25:30.402945: | processing: STOP connection NULL (in 
process_md() at demux.c:383) Sep 21 07:25:30.402948: | spent 0.238 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:25:30.403500: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Sep 21 07:25:30.403795: | crypto helper 0 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.000917 seconds Sep 21 07:25:30.403804: | (#1) spent 0.922 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Sep 21 07:25:30.403806: | crypto helper 0 sending results from work-order 2 for state #1 to event queue Sep 21 07:25:30.403821: | scheduling resume sending helper answer for #1 Sep 21 07:25:30.403823: | libevent_malloc: new ptr-libevent@0x7f162c006b90 size 128 Sep 21 07:25:30.403829: | crypto helper 0 waiting (nothing to do) Sep 21 07:25:30.403858: | processing resume sending helper answer for #1 Sep 21 07:25:30.403882: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:797) Sep 21 07:25:30.403886: | crypto helper 0 replies to request ID 2 Sep 21 07:25:30.403887: | calling continuation function 0x563fe3fe0630 Sep 21 07:25:30.403890: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Sep 21 07:25:30.403892: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:25:30.403902: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Sep 21 07:25:30.403904: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Sep 21 07:25:30.403906: | **parse IKEv2 Identification - Initiator - Payload: Sep 21 07:25:30.403908: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Sep 21 07:25:30.403910: | flags: none (0x0) Sep 21 07:25:30.403911: | length: 12 (0xc) Sep 21 07:25:30.403913: | ID type: ID_IPV4_ADDR (0x1) Sep 21 07:25:30.403914: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Sep 21 07:25:30.403916: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Sep 21 07:25:30.403917: | **parse IKEv2 Identification - 
Responder - Payload: Sep 21 07:25:30.403919: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Sep 21 07:25:30.403920: | flags: none (0x0) Sep 21 07:25:30.403922: | length: 12 (0xc) Sep 21 07:25:30.403923: | ID type: ID_FQDN (0x2) Sep 21 07:25:30.403925: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Sep 21 07:25:30.403926: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Sep 21 07:25:30.403928: | **parse IKEv2 Authentication Payload: Sep 21 07:25:30.403929: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:25:30.403931: | flags: none (0x0) Sep 21 07:25:30.403932: | length: 72 (0x48) Sep 21 07:25:30.403934: | auth method: IKEv2_AUTH_SHARED (0x2) Sep 21 07:25:30.403935: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Sep 21 07:25:30.403937: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:25:30.403938: | **parse IKEv2 Security Association Payload: Sep 21 07:25:30.403940: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Sep 21 07:25:30.403941: | flags: none (0x0) Sep 21 07:25:30.403943: | length: 164 (0xa4) Sep 21 07:25:30.403944: | processing payload: ISAKMP_NEXT_v2SA (len=160) Sep 21 07:25:30.403945: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:25:30.403947: | **parse IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:25:30.403949: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:25:30.403950: | flags: none (0x0) Sep 21 07:25:30.403951: | length: 24 (0x18) Sep 21 07:25:30.403953: | number of TS: 1 (0x1) Sep 21 07:25:30.403954: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:25:30.403956: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:25:30.403957: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:25:30.403959: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:30.403960: | flags: none (0x0) Sep 21 07:25:30.403961: | length: 24 (0x18) Sep 21 07:25:30.403963: | number of TS: 1 (0x1) Sep 21 07:25:30.403964: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Sep 21 
07:25:30.403966: | selected state microcode Responder: process IKE_AUTH request Sep 21 07:25:30.403967: | Now let's proceed with state specific processing Sep 21 07:25:30.403969: | calling processor Responder: process IKE_AUTH request Sep 21 07:25:30.403973: "eastnet-any"[1] 192.1.2.45 #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Sep 21 07:25:30.403976: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:25:30.403979: | parsing 4 raw bytes of IKEv2 Identification - Initiator - Payload into peer ID Sep 21 07:25:30.403980: | peer ID c0 01 02 2d Sep 21 07:25:30.403982: | received IDr payload - extracting our alleged ID Sep 21 07:25:30.403985: | refine_host_connection for IKEv2: starting with "eastnet-any"[1] 192.1.2.45 Sep 21 07:25:30.403988: | match_id a=192.1.2.45 Sep 21 07:25:30.403990: | b=192.1.2.45 Sep 21 07:25:30.403995: | results matched Sep 21 07:25:30.403999: | refine_host_connection: checking "eastnet-any"[1] 192.1.2.45 against "eastnet-any"[1] 192.1.2.45, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Sep 21 07:25:30.404000: | Warning: not switching back to template of current instance Sep 21 07:25:30.404002: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Sep 21 07:25:30.404004: | This connection's local id is @east (ID_FQDN) Sep 21 07:25:30.404007: | refine_host_connection: checked eastnet-any[1] 192.1.2.45 against eastnet-any[1] 192.1.2.45, now for see if best Sep 21 07:25:30.404010: | started looking for secret for @east->192.1.2.45 of kind PKK_PSK Sep 21 07:25:30.404012: | actually looking for secret for @east->192.1.2.45 of kind PKK_PSK Sep 21 07:25:30.404014: | line 1: key type PKK_PSK(@east) to type PKK_PSK Sep 21 07:25:30.404017: | 1: compared key (none) to @east / 192.1.2.45 -> 002 Sep 21 07:25:30.404019: | 2: compared key (none) to @east / 192.1.2.45 -> 002 Sep 21 07:25:30.404021: | line 1: match=002 Sep 21 
07:25:30.404023: | match 002 beats previous best_match 000 match=0x563fe544e5e0 (line=1) Sep 21 07:25:30.404024: | concluding with best_match=002 best=0x563fe544e5e0 (lineno=1) Sep 21 07:25:30.404026: | returning because exact peer id match Sep 21 07:25:30.404027: | offered CA: '%none' Sep 21 07:25:30.404030: "eastnet-any"[1] 192.1.2.45 #1: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.1.2.45' Sep 21 07:25:30.404043: | verifying AUTH payload Sep 21 07:25:30.404046: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret Sep 21 07:25:30.404048: | started looking for secret for @east->192.1.2.45 of kind PKK_PSK Sep 21 07:25:30.404050: | actually looking for secret for @east->192.1.2.45 of kind PKK_PSK Sep 21 07:25:30.404052: | line 1: key type PKK_PSK(@east) to type PKK_PSK Sep 21 07:25:30.404054: | 1: compared key (none) to @east / 192.1.2.45 -> 002 Sep 21 07:25:30.404056: | 2: compared key (none) to @east / 192.1.2.45 -> 002 Sep 21 07:25:30.404058: | line 1: match=002 Sep 21 07:25:30.404059: | match 002 beats previous best_match 000 match=0x563fe544e5e0 (line=1) Sep 21 07:25:30.404061: | concluding with best_match=002 best=0x563fe544e5e0 (lineno=1) Sep 21 07:25:30.404099: "eastnet-any"[1] 192.1.2.45 #1: Authenticated using authby=secret Sep 21 07:25:30.404102: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Sep 21 07:25:30.404106: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:25:30.404107: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:25:30.404109: | libevent_free: release ptr-libevent@0x563fe545eec0 Sep 21 07:25:30.404111: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x563fe545ee80 Sep 21 07:25:30.404113: | event_schedule: new EVENT_SA_REKEY-pe@0x563fe545ee80 Sep 21 07:25:30.404115: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Sep 21 07:25:30.404117: | libevent_malloc: new ptr-libevent@0x563fe545eec0 
size 128 Sep 21 07:25:30.404202: | pstats #1 ikev2.ike established Sep 21 07:25:30.404208: | **emit ISAKMP Message: Sep 21 07:25:30.404210: | initiator cookie: Sep 21 07:25:30.404211: | 1d 6d 17 28 01 df d9 ba Sep 21 07:25:30.404213: | responder cookie: Sep 21 07:25:30.404214: | 4d 8f 7c 89 91 cc 50 f1 Sep 21 07:25:30.404216: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:30.404218: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:30.404219: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:25:30.404221: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:25:30.404223: | Message ID: 1 (0x1) Sep 21 07:25:30.404224: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:25:30.404226: | IKEv2 CERT: send a certificate? Sep 21 07:25:30.404229: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Sep 21 07:25:30.404230: | ***emit IKEv2 Encryption Payload: Sep 21 07:25:30.404232: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:30.404235: | flags: none (0x0) Sep 21 07:25:30.404250: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:25:30.404252: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:25:30.404254: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:25:30.404259: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:25:30.404268: | ****emit IKEv2 Identification - Responder - Payload: Sep 21 07:25:30.404270: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:30.404271: | flags: none (0x0) Sep 21 07:25:30.404273: | ID type: ID_FQDN (0x2) Sep 21 07:25:30.404275: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Sep 21 07:25:30.404277: | next payload chain: 
saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:25:30.404278: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Sep 21 07:25:30.404280: | my identity 65 61 73 74 Sep 21 07:25:30.404282: | emitting length of IKEv2 Identification - Responder - Payload: 12 Sep 21 07:25:30.404286: | assembled IDr payload Sep 21 07:25:30.404288: | CHILD SA proposals received Sep 21 07:25:30.404289: | going to assemble AUTH payload Sep 21 07:25:30.404291: | ****emit IKEv2 Authentication Payload: Sep 21 07:25:30.404292: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:25:30.404294: | flags: none (0x0) Sep 21 07:25:30.404295: | auth method: IKEv2_AUTH_SHARED (0x2) Sep 21 07:25:30.404297: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Sep 21 07:25:30.404299: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Sep 21 07:25:30.404301: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Sep 21 07:25:30.404302: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Sep 21 07:25:30.404305: | started looking for secret for @east->192.1.2.45 of kind PKK_PSK Sep 21 07:25:30.404307: | actually looking for secret for @east->192.1.2.45 of kind PKK_PSK Sep 21 07:25:30.404309: | line 1: key type PKK_PSK(@east) to type PKK_PSK Sep 21 07:25:30.404312: | 1: compared key (none) to @east / 192.1.2.45 -> 002 Sep 21 07:25:30.404314: | 2: compared key (none) to @east / 192.1.2.45 -> 002 Sep 21 07:25:30.404315: | line 1: match=002 Sep 21 07:25:30.404317: | match 002 beats previous best_match 000 match=0x563fe544e5e0 (line=1) Sep 21 07:25:30.404318: | concluding with best_match=002 best=0x563fe544e5e0 (lineno=1) Sep 21 07:25:30.404351: | 
emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Sep 21 07:25:30.404353: | PSK auth b3 fe 87 14 14 ea 4b 5e 73 73 75 39 2f 4c 1e 36 Sep 21 07:25:30.404354: | PSK auth 7f 65 7f ad 81 f1 22 db ef 58 84 9f 52 2a 46 c7 Sep 21 07:25:30.404356: | PSK auth d1 82 bd ba e0 0b ac 6d 6d 3a 6e ac 69 72 24 b2 Sep 21 07:25:30.404357: | PSK auth 27 83 c2 c7 99 ea 42 56 3d 66 40 df 6a 12 0a 08 Sep 21 07:25:30.404359: | emitting length of IKEv2 Authentication Payload: 72 Sep 21 07:25:30.404361: | creating state object #2 at 0x563fe5460390 Sep 21 07:25:30.404363: | State DB: adding IKEv2 state #2 in UNDEFINED Sep 21 07:25:30.404366: | pstats #2 ikev2.child started Sep 21 07:25:30.404368: | duplicating state object #1 "eastnet-any"[1] 192.1.2.45 as #2 for IPSEC SA Sep 21 07:25:30.404371: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:25:30.404374: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:25:30.404379: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Sep 21 07:25:30.404381: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Sep 21 07:25:30.404383: | Child SA TS Request has ike->sa == md->st; so using parent connection Sep 21 07:25:30.404385: | TSi: parsing 1 traffic selectors Sep 21 07:25:30.404387: | ***parse IKEv2 Traffic Selector: Sep 21 07:25:30.404388: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:30.404390: | IP Protocol ID: 0 (0x0) Sep 21 07:25:30.404391: | length: 16 (0x10) Sep 21 07:25:30.404393: | start port: 0 (0x0) Sep 21 07:25:30.404394: | end port: 65535 (0xffff) Sep 21 07:25:30.404396: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low 
Sep 21 07:25:30.404397: | TS low c0 00 01 00 Sep 21 07:25:30.404399: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:25:30.404400: | TS high c0 00 01 ff Sep 21 07:25:30.404402: | TSi: parsed 1 traffic selectors Sep 21 07:25:30.404403: | TSr: parsing 1 traffic selectors Sep 21 07:25:30.404405: | ***parse IKEv2 Traffic Selector: Sep 21 07:25:30.404406: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:30.404408: | IP Protocol ID: 0 (0x0) Sep 21 07:25:30.404409: | length: 16 (0x10) Sep 21 07:25:30.404410: | start port: 0 (0x0) Sep 21 07:25:30.404412: | end port: 65535 (0xffff) Sep 21 07:25:30.404413: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:25:30.404414: | TS low c0 00 02 00 Sep 21 07:25:30.404416: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:25:30.404417: | TS high c0 00 02 ff Sep 21 07:25:30.404419: | TSr: parsed 1 traffic selectors Sep 21 07:25:30.404420: | looking for best SPD in current connection Sep 21 07:25:30.404424: | evaluating our conn="eastnet-any"[1] 192.1.2.45 I=192.0.1.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:25:30.404427: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:30.404431: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Sep 21 07:25:30.404433: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:25:30.404435: | TSi[0] port match: YES fitness 65536 Sep 21 07:25:30.404436: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:25:30.404438: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:30.404441: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:30.404444: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:25:30.404446: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:25:30.404447: | TSr[0] port match: YES fitness 65536 Sep 21 
07:25:30.404449: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:25:30.404450: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:30.404452: | best fit so far: TSi[0] TSr[0] Sep 21 07:25:30.404454: | found better spd route for TSi[0],TSr[0] Sep 21 07:25:30.404455: | looking for better host pair Sep 21 07:25:30.404460: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Sep 21 07:25:30.404464: | checking hostpair 192.0.2.0/24:0 -> 192.0.1.0/24:0 is found Sep 21 07:25:30.404466: | investigating connection "eastnet-any" as a better match Sep 21 07:25:30.404469: | match_id a=192.1.2.45 Sep 21 07:25:30.404472: | b=192.1.2.45 Sep 21 07:25:30.404474: | results matched Sep 21 07:25:30.404480: | evaluating our conn="eastnet-any"[1] 192.1.2.45 I=192.0.1.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:25:30.404485: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:30.404490: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Sep 21 07:25:30.404495: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:25:30.404497: | TSi[0] port match: YES fitness 65536 Sep 21 07:25:30.404499: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:25:30.404502: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:30.404506: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:30.404512: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:25:30.404514: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:25:30.404517: | TSr[0] port match: YES fitness 65536 Sep 21 07:25:30.404519: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:25:30.404522: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:30.404524: | best fit so far: TSi[0] TSr[0] Sep 21 07:25:30.404527: | did not find a better connection using host pair Sep 
21 07:25:30.404529: | printing contents struct traffic_selector Sep 21 07:25:30.404532: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:25:30.404534: | ipprotoid: 0 Sep 21 07:25:30.404536: | port range: 0-65535 Sep 21 07:25:30.404540: | ip range: 192.0.2.0-192.0.2.255 Sep 21 07:25:30.404542: | printing contents struct traffic_selector Sep 21 07:25:30.404544: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:25:30.404545: | ipprotoid: 0 Sep 21 07:25:30.404547: | port range: 0-65535 Sep 21 07:25:30.404551: | ip range: 192.0.1.0-192.0.1.255 Sep 21 07:25:30.404555: | constructing ESP/AH proposals with all DH removed for eastnet-any (IKE_AUTH responder matching remote ESP/AH proposals) Sep 21 07:25:30.404561: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Sep 21 07:25:30.404566: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Sep 21 07:25:30.404569: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Sep 21 07:25:30.404573: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED Sep 21 07:25:30.404576: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Sep 21 07:25:30.404580: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:25:30.404583: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Sep 21 07:25:30.404587: | ... 
ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:25:30.404596: "eastnet-any"[1] 192.1.2.45: constructed local ESP/AH proposals for eastnet-any (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:25:30.404599: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals Sep 21 07:25:30.404605: | local proposal 1 type ENCR has 1 transforms Sep 21 07:25:30.404607: | local proposal 1 type PRF has 0 transforms Sep 21 07:25:30.404610: | local proposal 1 type INTEG has 1 transforms Sep 21 07:25:30.404612: | local proposal 1 type DH has 1 transforms Sep 21 07:25:30.404614: | local proposal 1 type ESN has 1 transforms Sep 21 07:25:30.404617: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Sep 21 07:25:30.404620: | local proposal 2 type ENCR has 1 transforms Sep 21 07:25:30.404622: | local proposal 2 type PRF has 0 transforms Sep 21 07:25:30.404625: | local proposal 2 type INTEG has 1 transforms Sep 21 07:25:30.404627: | local proposal 2 type DH has 1 transforms Sep 21 07:25:30.404629: | local proposal 2 type ESN has 1 transforms Sep 21 07:25:30.404632: | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH Sep 21 07:25:30.404636: | local proposal 3 type ENCR has 1 transforms Sep 21 07:25:30.404639: | local proposal 3 type PRF has 0 transforms Sep 21 07:25:30.404641: | local proposal 3 type INTEG has 2 transforms Sep 21 07:25:30.404643: | local proposal 3 type DH has 1 transforms Sep 21 07:25:30.404646: | local proposal 3 type ESN has 1 transforms Sep 21 07:25:30.404649: | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: 
DH Sep 21 07:25:30.404651: | local proposal 4 type ENCR has 1 transforms Sep 21 07:25:30.404654: | local proposal 4 type PRF has 0 transforms Sep 21 07:25:30.404671: | local proposal 4 type INTEG has 2 transforms Sep 21 07:25:30.404673: | local proposal 4 type DH has 1 transforms Sep 21 07:25:30.404676: | local proposal 4 type ESN has 1 transforms Sep 21 07:25:30.404679: | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH Sep 21 07:25:30.404682: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:30.404684: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:30.404687: | length: 32 (0x20) Sep 21 07:25:30.404690: | prop #: 1 (0x1) Sep 21 07:25:30.404692: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:30.404695: | spi size: 4 (0x4) Sep 21 07:25:30.404697: | # transforms: 2 (0x2) Sep 21 07:25:30.404700: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:30.404703: | remote SPI 0a ab 0e 55 Sep 21 07:25:30.404706: | Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals Sep 21 07:25:30.404709: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.404712: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.404715: | length: 12 (0xc) Sep 21 07:25:30.404717: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:30.404720: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:30.404722: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:30.404725: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:30.404728: | length/value: 256 (0x100) Sep 21 07:25:30.404732: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:25:30.404735: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.404738: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:30.404741: | length: 8 (0x8) Sep 21 07:25:30.404743: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 
07:25:30.404746: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:30.404749: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:25:30.404753: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Sep 21 07:25:30.404756: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Sep 21 07:25:30.404760: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Sep 21 07:25:30.404763: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Sep 21 07:25:30.404768: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Sep 21 07:25:30.404770: | remote proposal 1 matches local proposal 1 Sep 21 07:25:30.404773: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:30.404776: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:30.404779: | length: 32 (0x20) Sep 21 07:25:30.404781: | prop #: 2 (0x2) Sep 21 07:25:30.404792: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:30.404794: | spi size: 4 (0x4) Sep 21 07:25:30.404796: | # transforms: 2 (0x2) Sep 21 07:25:30.404800: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:30.404802: | remote SPI 0a ab 0e 55 Sep 21 07:25:30.404818: | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:30.404820: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.404825: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.404827: | length: 12 (0xc) Sep 21 07:25:30.404829: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:30.404832: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:30.404835: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:30.404837: | af+type: AF+IKEv2_KEY_LENGTH 
(0x800e) Sep 21 07:25:30.404839: | length/value: 128 (0x80) Sep 21 07:25:30.404842: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.404845: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:30.404847: | length: 8 (0x8) Sep 21 07:25:30.404849: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:30.404852: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:30.404856: | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN Sep 21 07:25:30.404859: | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN Sep 21 07:25:30.404861: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:30.404864: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:30.404866: | length: 48 (0x30) Sep 21 07:25:30.404868: | prop #: 3 (0x3) Sep 21 07:25:30.404870: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:30.404873: | spi size: 4 (0x4) Sep 21 07:25:30.404875: | # transforms: 4 (0x4) Sep 21 07:25:30.404878: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:30.404880: | remote SPI 0a ab 0e 55 Sep 21 07:25:30.404883: | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:30.404886: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.404888: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.404890: | length: 12 (0xc) Sep 21 07:25:30.404893: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:30.404895: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:25:30.404897: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:30.404900: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:30.404902: | length/value: 256 (0x100) Sep 21 07:25:30.404905: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.404907: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.404910: | length: 8 (0x8) Sep 21 07:25:30.404912: | IKEv2 transform type: 
TRANS_TYPE_INTEG (0x3) Sep 21 07:25:30.404915: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:25:30.404918: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.404920: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.404922: | length: 8 (0x8) Sep 21 07:25:30.404924: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:30.404927: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:25:30.404944: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.404946: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:30.404949: | length: 8 (0x8) Sep 21 07:25:30.404951: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:30.404954: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:30.404957: | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Sep 21 07:25:30.404960: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN Sep 21 07:25:30.404963: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:30.404965: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:25:30.404980: | length: 48 (0x30) Sep 21 07:25:30.404982: | prop #: 4 (0x4) Sep 21 07:25:30.404984: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:30.404986: | spi size: 4 (0x4) Sep 21 07:25:30.404989: | # transforms: 4 (0x4) Sep 21 07:25:30.404991: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:30.404994: | remote SPI 0a ab 0e 55 Sep 21 07:25:30.404996: | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:30.405001: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.405003: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.405006: | length: 12 (0xc) Sep 21 07:25:30.405008: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:30.405010: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:25:30.405012: | *****parse IKEv2 Attribute 
Substructure Payload: Sep 21 07:25:30.405015: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:30.405017: | length/value: 128 (0x80) Sep 21 07:25:30.405020: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.405022: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.405025: | length: 8 (0x8) Sep 21 07:25:30.405027: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:30.405029: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:25:30.405032: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.405034: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.405037: | length: 8 (0x8) Sep 21 07:25:30.405039: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:30.405041: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:25:30.405044: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:30.405046: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:30.405048: | length: 8 (0x8) Sep 21 07:25:30.405051: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:30.405053: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:30.405057: | remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Sep 21 07:25:30.405059: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN Sep 21 07:25:30.405066: "eastnet-any"[1] 192.1.2.45 #1: proposal 1:ESP:SPI=0aab0e55;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Sep 21 07:25:30.405071: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=0aab0e55;ENCR=AES_GCM_C_256;ESN=DISABLED Sep 21 07:25:30.405074: | converting proposal to internal trans attrs Sep 21 07:25:30.405106: | 
netlink_get_spi: allocated 0x2f625d0 for esp.0@192.1.2.23 Sep 21 07:25:30.405109: | Emitting ikev2_proposal ... Sep 21 07:25:30.405112: | ****emit IKEv2 Security Association Payload: Sep 21 07:25:30.405114: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:30.405117: | flags: none (0x0) Sep 21 07:25:30.405121: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:25:30.405123: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:25:30.405126: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:25:30.405128: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:25:30.405130: | prop #: 1 (0x1) Sep 21 07:25:30.405133: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:30.405135: | spi size: 4 (0x4) Sep 21 07:25:30.405137: | # transforms: 2 (0x2) Sep 21 07:25:30.405140: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:25:30.405143: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:25:30.405146: | our spi 02 f6 25 d0 Sep 21 07:25:30.405148: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:25:30.405151: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.405153: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:30.405155: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:30.405158: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:30.405163: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:25:30.405165: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:30.405168: | length/value: 256 (0x100) Sep 21 07:25:30.405171: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:25:30.405173: | ******emit IKEv2 
Transform Substructure Payload: Sep 21 07:25:30.405175: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:30.405177: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:30.405180: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:30.405182: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:30.405185: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:30.405187: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:25:30.405189: | emitting length of IKEv2 Proposal Substructure Payload: 32 Sep 21 07:25:30.405192: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:25:30.405194: | emitting length of IKEv2 Security Association Payload: 36 Sep 21 07:25:30.405197: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:25:30.405199: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:25:30.405202: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:30.405204: | flags: none (0x0) Sep 21 07:25:30.405206: | number of TS: 1 (0x1) Sep 21 07:25:30.405209: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:25:30.405212: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:25:30.405214: | *****emit IKEv2 Traffic Selector: Sep 21 07:25:30.405216: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:30.405218: | IP Protocol ID: 0 (0x0) Sep 21 07:25:30.405221: | start port: 0 (0x0) Sep 21 07:25:30.405223: | end port: 65535 (0xffff) Sep 21 
07:25:30.405226: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:25:30.405241: | IP start c0 00 01 00 Sep 21 07:25:30.405243: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:25:30.405245: | IP end c0 00 01 ff Sep 21 07:25:30.405247: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:25:30.405264: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:25:30.405267: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:25:30.405269: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:30.405271: | flags: none (0x0) Sep 21 07:25:30.405274: | number of TS: 1 (0x1) Sep 21 07:25:30.405277: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:25:30.405280: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:25:30.405282: | *****emit IKEv2 Traffic Selector: Sep 21 07:25:30.405285: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:30.405287: | IP Protocol ID: 0 (0x0) Sep 21 07:25:30.405289: | start port: 0 (0x0) Sep 21 07:25:30.405291: | end port: 65535 (0xffff) Sep 21 07:25:30.405294: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:25:30.405296: | IP start c0 00 02 00 Sep 21 07:25:30.405298: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:25:30.405300: | IP end c0 00 02 ff Sep 21 07:25:30.405303: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:25:30.405307: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:25:30.405309: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:25:30.405313: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Sep 21 07:25:30.405486: | FOR_EACH_CONNECTION_... 
in ISAKMP_SA_established Sep 21 07:25:30.405493: | #1 spent 1.52 milliseconds Sep 21 07:25:30.405495: | install_ipsec_sa() for #2: inbound and outbound Sep 21 07:25:30.405497: | could_route called for eastnet-any (kind=CK_INSTANCE) Sep 21 07:25:30.405499: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:25:30.405501: | conn eastnet-any mark 0/00000000, 0/00000000 vs Sep 21 07:25:30.405503: | conn eastnet-any mark 0/00000000, 0/00000000 Sep 21 07:25:30.405504: | conn eastnet-any mark 0/00000000, 0/00000000 vs Sep 21 07:25:30.405506: | conn eastnet-any mark 0/00000000, 0/00000000 Sep 21 07:25:30.405511: | route owner of "eastnet-any"[1] 192.1.2.45 unrouted: NULL; eroute owner: NULL Sep 21 07:25:30.405513: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Sep 21 07:25:30.405516: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Sep 21 07:25:30.405517: | AES_GCM_16 requires 4 salt bytes Sep 21 07:25:30.405532: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Sep 21 07:25:30.405534: | setting IPsec SA replay-window to 32 Sep 21 07:25:30.405536: | NIC esp-hw-offload not for connection 'eastnet-any' not available on interface eth1 Sep 21 07:25:30.405539: | netlink: enabling tunnel mode Sep 21 07:25:30.405540: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:25:30.405542: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:25:30.405637: | netlink response for Add SA esp.aab0e55@192.1.2.45 included non-error error Sep 21 07:25:30.405640: | set up outgoing SA, ref=0/0 Sep 21 07:25:30.405643: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Sep 21 07:25:30.405649: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Sep 21 07:25:30.405653: | AES_GCM_16 requires 4 salt bytes Sep 21 07:25:30.405656: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Sep 21 07:25:30.405660: | setting IPsec SA replay-window to 32 Sep 21 
07:25:30.405664: | NIC esp-hw-offload not for connection 'eastnet-any' not available on interface eth1 Sep 21 07:25:30.405667: | netlink: enabling tunnel mode Sep 21 07:25:30.405670: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:25:30.405673: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:25:30.405719: | netlink response for Add SA esp.2f625d0@192.1.2.23 included non-error error Sep 21 07:25:30.405724: | priority calculation of connection "eastnet-any" is 0xfe7e7 Sep 21 07:25:30.405732: | add inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Sep 21 07:25:30.405736: | IPsec Sa SPD priority set to 1042407 Sep 21 07:25:30.405781: | raw_eroute result=success Sep 21 07:25:30.405792: | set up incoming SA, ref=0/0 Sep 21 07:25:30.405796: | sr for #2: unrouted Sep 21 07:25:30.405799: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:25:30.405802: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:25:30.405806: | conn eastnet-any mark 0/00000000, 0/00000000 vs Sep 21 07:25:30.405808: | conn eastnet-any mark 0/00000000, 0/00000000 Sep 21 07:25:30.405823: | conn eastnet-any mark 0/00000000, 0/00000000 vs Sep 21 07:25:30.405825: | conn eastnet-any mark 0/00000000, 0/00000000 Sep 21 07:25:30.405828: | route owner of "eastnet-any"[1] 192.1.2.45 unrouted: NULL; eroute owner: NULL Sep 21 07:25:30.405830: | route_and_eroute with c: eastnet-any (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Sep 21 07:25:30.405832: | priority calculation of connection "eastnet-any" is 0xfe7e7 Sep 21 07:25:30.405837: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45 (raw_eroute) Sep 21 07:25:30.405839: | IPsec Sa SPD priority set to 1042407 Sep 21 07:25:30.405860: | raw_eroute result=success Sep 21 07:25:30.405878: | running updown command "ipsec _updown" for verb up Sep 21 07:25:30.405880: | command executing up-client Sep 21 
07:25:30.405908: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xaab0e55 SPI Sep 21 07:25:30.405912: | popen cmd is 1029 chars long Sep 21 07:25:30.405915: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_: Sep 21 07:25:30.405917: | cmd( 80):INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID=': Sep 21 07:25:30.405918: | cmd( 160):@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_C: Sep 21 07:25:30.405920: | cmd( 240):LIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQI: Sep 21 07:25:30.405921: | cmd( 320):D='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45': Sep 21 07:25:30.405923: | cmd( 400): PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_C: Sep 21 07:25:30.405924: | cmd( 480):LIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEE: Sep 21 07:25:30.405926: | cmd( 560):R_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' 
PLUTO_CONN_POLICY='PSK+ENCRYPT+TU: Sep 21 07:25:30.405928: | cmd( 640):NNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INST: Sep 21 07:25:30.405929: | cmd( 720):ANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_: Sep 21 07:25:30.405931: | cmd( 800):PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER: Sep 21 07:25:30.405932: | cmd( 880):='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' : Sep 21 07:25:30.405934: | cmd( 960):VTI_SHARED='no' SPI_IN=0xaab0e55 SPI_OUT=0x2f625d0 ipsec _updown 2>&1: Sep 21 07:25:30.413343: | route_and_eroute: firewall_notified: true Sep 21 07:25:30.413354: | running updown command "ipsec _updown" for verb prepare Sep 21 07:25:30.413357: | command executing prepare-client Sep 21 07:25:30.413377: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xa Sep 21 07:25:30.413382: | popen cmd is 1034 chars long Sep 21 07:25:30.413385: | cmd( 0):PLUTO_VERB='prepare-client' 
PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' P: Sep 21 07:25:30.413386: | cmd( 80):LUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY: Sep 21 07:25:30.413388: | cmd( 160):_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO: Sep 21 07:25:30.413389: | cmd( 240):_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA: Sep 21 07:25:30.413391: | cmd( 320):_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.: Sep 21 07:25:30.413392: | cmd( 400):2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_P: Sep 21 07:25:30.413394: | cmd( 480):EER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUT: Sep 21 07:25:30.413396: | cmd( 560):O_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRY: Sep 21 07:25:30.413397: | cmd( 640):PT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK: Sep 21 07:25:30.413399: | cmd( 720):_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' P: Sep 21 07:25:30.413400: | cmd( 800):LUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_S: Sep 21 07:25:30.413402: | cmd( 880):ERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING=: Sep 21 07:25:30.413403: | cmd( 960):'no' VTI_SHARED='no' SPI_IN=0xaab0e55 SPI_OUT=0x2f625d0 ipsec _updown 2>&1: Sep 21 07:25:30.421477: | running updown command "ipsec _updown" for verb route Sep 21 07:25:30.421489: | command executing route-client Sep 21 07:25:30.421509: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' 
PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xaab0e Sep 21 07:25:30.421512: | popen cmd is 1032 chars long Sep 21 07:25:30.421514: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLU: Sep 21 07:25:30.421516: | cmd( 80):TO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_I: Sep 21 07:25:30.421517: | cmd( 160):D='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_M: Sep 21 07:25:30.421519: | cmd( 240):Y_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_R: Sep 21 07:25:30.421520: | cmd( 320):EQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.: Sep 21 07:25:30.421522: | cmd( 400):45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEE: Sep 21 07:25:30.421524: | cmd( 480):R_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_: Sep 21 07:25:30.421525: | cmd( 560):PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT: Sep 21 07:25:30.421527: | cmd( 640):+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_I: Sep 21 07:25:30.421528: | cmd( 720):NSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLU: Sep 21 07:25:30.421530: | cmd( 800):TO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' 
PLUTO_CFG_SER: Sep 21 07:25:30.421534: | cmd( 880):VER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='n: Sep 21 07:25:30.421536: | cmd( 960):o' VTI_SHARED='no' SPI_IN=0xaab0e55 SPI_OUT=0x2f625d0 ipsec _updown 2>&1: Sep 21 07:25:30.433499: | route_and_eroute: instance "eastnet-any"[1] 192.1.2.45, setting eroute_owner {spd=0x563fe545c5d0,sr=0x563fe545c5d0} to #2 (was #0) (newest_ipsec_sa=#0) Sep 21 07:25:30.433606: | #1 spent 0.908 milliseconds in install_ipsec_sa() Sep 21 07:25:30.433613: | ISAKMP_v2_IKE_AUTH: instance eastnet-any[1], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Sep 21 07:25:30.433617: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:25:30.433620: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:25:30.433623: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:25:30.433626: | emitting length of IKEv2 Encryption Payload: 197 Sep 21 07:25:30.433629: | emitting length of ISAKMP Message: 225 Sep 21 07:25:30.433651: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Sep 21 07:25:30.433658: | #1 spent 2.48 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Sep 21 07:25:30.433665: | suspend processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:30.433672: | start processing: state #2 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:30.433677: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Sep 21 07:25:30.433680: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Sep 21 07:25:30.433684: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Sep 21 
07:25:30.433687: | Message ID: updating counters for #2 to 1 after switching state Sep 21 07:25:30.433693: | Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Sep 21 07:25:30.433698: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Sep 21 07:25:30.433701: | pstats #2 ikev2.child established Sep 21 07:25:30.433710: "eastnet-any"[1] 192.1.2.45 #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Sep 21 07:25:30.433715: | NAT-T: encaps is 'auto' Sep 21 07:25:30.433719: "eastnet-any"[1] 192.1.2.45 #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x0aab0e55 <0x02f625d0 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} Sep 21 07:25:30.433723: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Sep 21 07:25:30.433726: | sending 225 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
Sep 21 07:25:30.433788: | releasing whack for #2 (sock=fd@-1) Sep 21 07:25:30.433794: | releasing whack and unpending for parent #1 Sep 21 07:25:30.433797: | unpending state #1 connection "eastnet-any"[1] 192.1.2.45 Sep 21 07:25:30.433800: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:25:30.433802: | event_schedule: new EVENT_SA_REKEY-pe@0x7f1634002b20 Sep 21 07:25:30.433804: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Sep 21 07:25:30.433807: | libevent_malloc: new ptr-libevent@0x563fe5463d80 size 128 Sep 21 07:25:30.433811: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Sep 21 07:25:30.433815: | #1 spent 2.7 milliseconds in resume sending helper answer Sep 21 07:25:30.433819: | stop processing: state #2 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:833) Sep 21 07:25:30.433822: | libevent_free: release ptr-libevent@0x7f162c006b90 Sep 21 07:25:30.433831: | processing signal PLUTO_SIGCHLD Sep 21 07:25:30.433835: | waitpid returned ECHILD (no child processes left) Sep 21 07:25:30.433838: | spent 0.00389 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:25:30.433839: | processing signal PLUTO_SIGCHLD Sep 21 07:25:30.433841: | waitpid returned ECHILD (no child processes left) Sep 21 07:25:30.433844: | spent 0.00228 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:25:30.433845: | processing signal PLUTO_SIGCHLD Sep 21 07:25:30.433847: | waitpid returned ECHILD (no child processes left) Sep 21 07:25:30.433849: | spent 0.00224 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:25:31.716976: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21
07:25:31.716999: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Sep 21 07:25:31.717004: | FOR_EACH_STATE_... in sort_states Sep 21 07:25:31.717012: | get_sa_info esp.2f625d0@192.1.2.23 Sep 21 07:25:31.717029: | get_sa_info esp.aab0e55@192.1.2.45 Sep 21 07:25:31.717048: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:31.717055: | spent 0.0878 milliseconds in whack Sep 21 07:25:31.827160: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:31.827506: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:25:31.827510: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:25:31.827582: | FOR_EACH_STATE_... in show_states_status (sort_states) Sep 21 07:25:31.827584: | FOR_EACH_STATE_... in sort_states Sep 21 07:25:31.827595: | get_sa_info esp.2f625d0@192.1.2.23 Sep 21 07:25:31.827608: | get_sa_info esp.aab0e55@192.1.2.45 Sep 21 07:25:31.827623: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:31.827629: | spent 0.488 milliseconds in whack Sep 21 07:25:32.566452: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:32.566473: shutting down Sep 21 07:25:32.566482: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Sep 21 07:25:32.566485: | pluto_sd: executing action action: stopping(6), status 0 Sep 21 07:25:32.566490: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:25:32.566492: forgetting secrets Sep 21 07:25:32.566495: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:25:32.566501: | start processing: connection "eastnet-any"[1] 192.1.2.45 (in delete_connection() at connections.c:189) Sep 21 07:25:32.566506: "eastnet-any"[1] 192.1.2.45: deleting connection "eastnet-any"[1] 192.1.2.45 instance with peer 192.1.2.45 {isakmp=#1/ipsec=#2} Sep 21 07:25:32.566509: | Deleting states for 
connection - including all other IPsec SA's of this IKE SA Sep 21 07:25:32.566511: | pass 0 Sep 21 07:25:32.566514: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:25:32.566519: | state #2 Sep 21 07:25:32.566524: | suspend processing: connection "eastnet-any"[1] 192.1.2.45 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:25:32.566530: | start processing: state #2 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:25:32.566533: | pstats #2 ikev2.child deleted completed Sep 21 07:25:32.566538: | [RE]START processing: state #2 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in delete_state() at state.c:879) Sep 21 07:25:32.566543: "eastnet-any"[1] 192.1.2.45 #2: deleting state (STATE_V2_IPSEC_R) aged 2.162s and sending notification Sep 21 07:25:32.566547: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Sep 21 07:25:32.566551: | get_sa_info esp.aab0e55@192.1.2.45 Sep 21 07:25:32.566563: | get_sa_info esp.2f625d0@192.1.2.23 Sep 21 07:25:32.566569: "eastnet-any"[1] 192.1.2.45 #2: ESP traffic information: in=168B out=168B Sep 21 07:25:32.566572: | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R Sep 21 07:25:32.566574: | Opening output PBS informational exchange delete request Sep 21 07:25:32.566576: | **emit ISAKMP Message: Sep 21 07:25:32.566578: | initiator cookie: Sep 21 07:25:32.566579: | 1d 6d 17 28 01 df d9 ba Sep 21 07:25:32.566581: | responder cookie: Sep 21 07:25:32.566583: | 4d 8f 7c 89 91 cc 50 f1 Sep 21 07:25:32.566585: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:32.566587: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:32.566589: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:25:32.566592: | flags: none (0x0) Sep 21 07:25:32.566593: | Message ID: 0 (0x0) Sep 21 07:25:32.566595: | next payload chain: saving message location 'ISAKMP Message'.'next 
payload type' Sep 21 07:25:32.566597: | ***emit IKEv2 Encryption Payload: Sep 21 07:25:32.566599: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:32.566601: | flags: none (0x0) Sep 21 07:25:32.566603: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:25:32.566605: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:25:32.566607: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:25:32.566616: | ****emit IKEv2 Delete Payload: Sep 21 07:25:32.566618: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:32.566620: | flags: none (0x0) Sep 21 07:25:32.566623: | protocol ID: PROTO_v2_ESP (0x3) Sep 21 07:25:32.566624: | SPI size: 4 (0x4) Sep 21 07:25:32.566626: | number of SPIs: 1 (0x1) Sep 21 07:25:32.566628: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:25:32.566630: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:25:32.566633: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Sep 21 07:25:32.566635: | local spis 02 f6 25 d0 Sep 21 07:25:32.566637: | emitting length of IKEv2 Delete Payload: 12 Sep 21 07:25:32.566639: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:25:32.566642: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:25:32.566644: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:25:32.566646: | emitting length of IKEv2 Encryption Payload: 41 Sep 21 07:25:32.566647: | emitting length of ISAKMP Message: 69 Sep 21 07:25:32.566669: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #2) Sep 
21 07:25:32.566717: | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Sep 21 07:25:32.566720: | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send Sep 21 07:25:32.566725: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1->0 wip.responder=-1 Sep 21 07:25:32.566728: | state #2 requesting EVENT_SA_REKEY to be deleted Sep 21 07:25:32.566732: | libevent_free: release ptr-libevent@0x563fe5463d80 Sep 21 07:25:32.566734: | free_event_entry: release EVENT_SA_REKEY-pe@0x7f1634002b20 Sep 21 07:25:32.566818: | running updown command "ipsec _updown" for verb down Sep 21 07:25:32.566830: | command executing down-client Sep 21 07:25:32.566866: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050730' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0'
PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_I Sep 21 07:25:32.566870: | popen cmd is 1042 chars long Sep 21 07:25:32.566874: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUT: Sep 21 07:25:32.566877: | cmd( 80):O_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID: Sep 21 07:25:32.566882: | cmd( 160):='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY: Sep 21 07:25:32.566887: | cmd( 240):_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_RE: Sep 21 07:25:32.566890: | cmd( 320):QID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.4: Sep 21 07:25:32.566893: | cmd( 400):5' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER: Sep 21 07:25:32.566895: | cmd( 480):_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_P: Sep 21 07:25:32.566898: | cmd( 560):EER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050730' PLUTO_CONN_POLICY='PSK: Sep 21 07:25:32.566900: | cmd( 640):+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KI: Sep 21 07:25:32.566902: | cmd( 720):ND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CIS: Sep 21 07:25:32.566905: | cmd( 800):CO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLU: Sep 21 07:25:32.566908: | cmd( 880):TO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_: Sep 21 07:25:32.566910: | cmd( 960):ROUTING='no' VTI_SHARED='no' SPI_IN=0xaab0e55 SPI_OUT=0x2f625d0 ipsec _updown 2>: Sep 21 07:25:32.566913: | cmd(1040):&1: Sep 21 07:25:32.577157: | shunt_eroute() called for connection 'eastnet-any' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 192.0.2.0/24:0 --0->- 
192.0.1.0/24:0 Sep 21 07:25:32.577177: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.1.0/24:0 Sep 21 07:25:32.577181: | priority calculation of connection "eastnet-any" is 0xfe7e7 Sep 21 07:25:32.577185: | IPsec Sa SPD priority set to 1042407 Sep 21 07:25:32.577306: | delete esp.aab0e55@192.1.2.45 Sep 21 07:25:32.577398: | netlink response for Del SA esp.aab0e55@192.1.2.45 included non-error error Sep 21 07:25:32.577404: | priority calculation of connection "eastnet-any" is 0xfe7e7 Sep 21 07:25:32.577412: | delete inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Sep 21 07:25:32.577564: | raw_eroute result=success Sep 21 07:25:32.577571: | delete esp.2f625d0@192.1.2.23 Sep 21 07:25:32.577652: | netlink response for Del SA esp.2f625d0@192.1.2.23 included non-error error Sep 21 07:25:32.577663: | stop processing: connection "eastnet-any"[1] 192.1.2.45 (BACKGROUND) (in update_state_connection() at connections.c:4037) Sep 21 07:25:32.577667: | start processing: connection NULL (in update_state_connection() at connections.c:4038) Sep 21 07:25:32.577670: | in connection_discard for connection eastnet-any Sep 21 07:25:32.577673: | State DB: deleting IKEv2 state #2 in V2_IPSEC_R Sep 21 07:25:32.577677: | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Sep 21 07:25:32.577683: | stop processing: state #2 from 192.1.2.45:500 (in delete_state() at state.c:1143) Sep 21 07:25:32.577689: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:25:32.577692: | state #1 Sep 21 07:25:32.577695: | pass 1 Sep 21 07:25:32.577697: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Sep 21 07:25:32.577699: | state #1 Sep 21 07:25:32.577706: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:25:32.577709: | pstats #1 ikev2.ike deleted completed Sep 21 07:25:32.577714: | #1 spent 6.13 milliseconds in total Sep 21 07:25:32.577720: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in delete_state() at state.c:879) Sep 21 07:25:32.577725: "eastnet-any"[1] 192.1.2.45 #1: deleting state (STATE_PARENT_R2) aged 2.179s and sending notification Sep 21 07:25:32.577729: | parent state #1: PARENT_R2(established IKE SA) => delete Sep 21 07:25:32.577892: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Sep 21 07:25:32.577900: | Opening output PBS informational exchange delete request Sep 21 07:25:32.577904: | **emit ISAKMP Message: Sep 21 07:25:32.577906: | initiator cookie: Sep 21 07:25:32.577909: | 1d 6d 17 28 01 df d9 ba Sep 21 07:25:32.577911: | responder cookie: Sep 21 07:25:32.577914: | 4d 8f 7c 89 91 cc 50 f1 Sep 21 07:25:32.577917: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:32.577920: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:32.577923: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:25:32.577925: | flags: none (0x0) Sep 21 07:25:32.577928: | Message ID: 1 (0x1) Sep 21 07:25:32.577931: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:25:32.577935: | ***emit IKEv2 Encryption Payload: Sep 21 07:25:32.577937: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:32.577940: | flags: none (0x0) Sep 21 07:25:32.577943: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:25:32.577946: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload 
type' in 'informational exchange delete request' Sep 21 07:25:32.577950: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:25:32.577960: | ****emit IKEv2 Delete Payload: Sep 21 07:25:32.577963: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:32.577966: | flags: none (0x0) Sep 21 07:25:32.577968: | protocol ID: PROTO_v2_IKE (0x1) Sep 21 07:25:32.577971: | SPI size: 0 (0x0) Sep 21 07:25:32.577973: | number of SPIs: 0 (0x0) Sep 21 07:25:32.577976: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:25:32.577980: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:25:32.577985: | emitting length of IKEv2 Delete Payload: 8 Sep 21 07:25:32.577988: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:25:32.577991: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:25:32.577994: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:25:32.577997: | emitting length of IKEv2 Encryption Payload: 37 Sep 21 07:25:32.577999: | emitting length of ISAKMP Message: 65 Sep 21 07:25:32.578020: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Sep 21 07:25:32.578023: | 1d 6d 17 28 01 df d9 ba 4d 8f 7c 89 91 cc 50 f1 Sep 21 07:25:32.578026: | 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25 Sep 21 07:25:32.578028: | ad a7 0b 24 a6 da d7 54 18 91 5d cd 5b 9c 4c e1 Sep 21 07:25:32.578031: | 10 9c 14 46 59 e1 b5 69 0a 44 2c 7d c6 d0 6f bd Sep 21 07:25:32.578033: | 23 Sep 21 07:25:32.578067: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Sep 21 07:25:32.578070: | Message ID: IKE #1 sender #1 in send_delete hacking around record ' send Sep 21 
07:25:32.578076: | Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=1 wip.responder=-1 Sep 21 07:25:32.578081: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=0->1 wip.responder=-1 Sep 21 07:25:32.578084: | state #1 requesting EVENT_SA_REKEY to be deleted Sep 21 07:25:32.578089: | libevent_free: release ptr-libevent@0x563fe545eec0 Sep 21 07:25:32.578092: | free_event_entry: release EVENT_SA_REKEY-pe@0x563fe545ee80 Sep 21 07:25:32.578095: | State DB: IKEv2 state not found (flush_incomplete_children) Sep 21 07:25:32.578098: | in connection_discard for connection eastnet-any Sep 21 07:25:32.578101: | State DB: deleting IKEv2 state #1 in PARENT_R2 Sep 21 07:25:32.578104: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Sep 21 07:25:32.578122: | stop processing: state #1 from 192.1.2.45:500 (in delete_state() at state.c:1143) Sep 21 07:25:32.578137: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:25:32.578144: | shunt_eroute() called for connection 'eastnet-any' to 'delete' for rt_kind 'unrouted' using protoports 192.0.2.0/24:0 --0->- 192.0.1.0/24:0 Sep 21 07:25:32.578149: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.1.0/24:0 Sep 21 07:25:32.578152: | priority calculation of connection "eastnet-any" is 0xfe7e7 Sep 21 07:25:32.578180: | priority calculation of connection "eastnet-any" is 0xfe7e7 Sep 21 07:25:32.578253: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:25:32.578258: | conn eastnet-any mark 0/00000000, 0/00000000 vs Sep 21 07:25:32.578261: | conn eastnet-any mark 0/00000000, 0/00000000 Sep 21 07:25:32.578264: | conn eastnet-any mark 0/00000000, 0/00000000 vs Sep 21 07:25:32.578267: | conn eastnet-any mark 0/00000000, 0/00000000 Sep 21 07:25:32.578270: | route owner of "eastnet-any" unrouted: NULL Sep 21 07:25:32.578273: | running updown command "ipsec _updown" for verb unroute Sep 21 07:25:32.578276: | command executing unroute-client Sep 21 07:25:32.578350: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN= Sep 21 07:25:32.578358: | popen cmd is 1025 chars long Sep 21 07:25:32.578361: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' P: Sep 21 07:25:32.578364: | cmd( 80):LUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY: Sep 21 07:25:32.578367: | cmd( 160):_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO: Sep 21 07:25:32.578370: | cmd( 
240):_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA: Sep 21 07:25:32.578372: | cmd( 320):_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1: Sep 21 07:25:32.578375: | cmd( 400):.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_: Sep 21 07:25:32.578378: | cmd( 480):PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLU: Sep 21 07:25:32.578380: | cmd( 560):TO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCR: Sep 21 07:25:32.578383: | cmd( 640):YPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='C: Sep 21 07:25:32.578386: | cmd( 720):K_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0: Sep 21 07:25:32.578388: | cmd( 800):' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CF: Sep 21 07:25:32.578391: | cmd( 880):G_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTI: Sep 21 07:25:32.578393: | cmd( 960):NG='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Sep 21 07:25:32.592858: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:32.592887: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:32.592914: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:32.592929: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:32.592941: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:32.593041: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:32.593047: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:32.593049: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:32.593052: unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:25:32.601526: | free hp@0x563fe53ebe20 Sep 21 07:25:32.601542: | flush revival: connection 'eastnet-any' wasn't on the list Sep 21 07:25:32.601545: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Sep 21 07:25:32.601551: | start processing: connection "eastnet-any" (in delete_connection() at connections.c:189) Sep 21 07:25:32.601554: | Deleting states for connection - including all other IPsec SA's of this IKE SA Sep 21 07:25:32.601557: | pass 0 Sep 21 07:25:32.601559: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:25:32.601562: | pass 1 Sep 21 07:25:32.601564: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:25:32.601567: | free hp@0x563fe5425a30 Sep 21 07:25:32.601569: | flush revival: connection 'eastnet-any' wasn't on the list Sep 21 07:25:32.601572: | stop processing: connection "eastnet-any" (in discard_connection() at connections.c:249) Sep 21 07:25:32.601578: | crl fetch request list locked by 'free_crl_fetch' Sep 21 07:25:32.601581: | crl fetch request list unlocked by 'free_crl_fetch' Sep 21 07:25:32.601591: shutting down interface lo/lo 127.0.0.1:4500 Sep 21 07:25:32.601595: shutting down interface lo/lo 127.0.0.1:500 Sep 21 07:25:32.601598: shutting down interface eth0/eth0 192.0.2.254:4500 Sep 21 07:25:32.601601: shutting down interface eth0/eth0 192.0.2.254:500 Sep 21 07:25:32.601605: shutting down interface eth1/eth1 192.1.2.23:4500 Sep 21 07:25:32.601608: shutting down interface eth1/eth1 192.1.2.23:500 Sep 21 07:25:32.601612: | FOR_EACH_STATE_... 
in delete_states_dead_interfaces Sep 21 07:25:32.601619: | libevent_free: release ptr-libevent@0x563fe54590a0 Sep 21 07:25:32.601622: | free_event_entry: release EVENT_NULL-pe@0x563fe54422a0 Sep 21 07:25:32.601632: | libevent_free: release ptr-libevent@0x563fe5459190 Sep 21 07:25:32.601635: | free_event_entry: release EVENT_NULL-pe@0x563fe5459150 Sep 21 07:25:32.601641: | libevent_free: release ptr-libevent@0x563fe5459280 Sep 21 07:25:32.601644: | free_event_entry: release EVENT_NULL-pe@0x563fe5459240 Sep 21 07:25:32.601653: | libevent_free: release ptr-libevent@0x563fe5459370 Sep 21 07:25:32.601656: | free_event_entry: release EVENT_NULL-pe@0x563fe5459330 Sep 21 07:25:32.601662: | libevent_free: release ptr-libevent@0x563fe5459460 Sep 21 07:25:32.601664: | free_event_entry: release EVENT_NULL-pe@0x563fe5459420 Sep 21 07:25:32.601670: | libevent_free: release ptr-libevent@0x563fe5459550 Sep 21 07:25:32.601673: | free_event_entry: release EVENT_NULL-pe@0x563fe5459510 Sep 21 07:25:32.601678: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Sep 21 07:25:32.602135: | libevent_free: release ptr-libevent@0x563fe5458a00 Sep 21 07:25:32.602142: | free_event_entry: release EVENT_NULL-pe@0x563fe5441520 Sep 21 07:25:32.602146: | libevent_free: release ptr-libevent@0x563fe544e490 Sep 21 07:25:32.602148: | free_event_entry: release EVENT_NULL-pe@0x563fe54417d0 Sep 21 07:25:32.602152: | libevent_free: release ptr-libevent@0x563fe544e400 Sep 21 07:25:32.602154: | free_event_entry: release EVENT_NULL-pe@0x563fe5446f30 Sep 21 07:25:32.602157: | global timer EVENT_REINIT_SECRET uninitialized Sep 21 07:25:32.602160: | global timer EVENT_SHUNT_SCAN uninitialized Sep 21 07:25:32.602162: | global timer EVENT_PENDING_DDNS uninitialized Sep 21 07:25:32.602165: | global timer EVENT_PENDING_PHASE2 uninitialized Sep 21 07:25:32.602167: | global timer EVENT_CHECK_CRLS uninitialized Sep 21 07:25:32.602169: | global timer EVENT_REVIVE_CONNS uninitialized Sep 21 07:25:32.602172: | global timer EVENT_FREE_ROOT_CERTS uninitialized Sep 21 07:25:32.602174: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Sep 21 07:25:32.602176: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Sep 21 07:25:32.602181: | libevent_free: release ptr-libevent@0x563fe5458ad0 Sep 21 07:25:32.602183: | signal event handler PLUTO_SIGCHLD uninstalled Sep 21 07:25:32.602186: | libevent_free: release ptr-libevent@0x563fe5458bb0 Sep 21 07:25:32.602188: | signal event handler PLUTO_SIGTERM uninstalled Sep 21 07:25:32.602191: | libevent_free: release ptr-libevent@0x563fe5458c70 Sep 21 07:25:32.602193: | signal event handler PLUTO_SIGHUP uninstalled Sep 21 07:25:32.602196: | libevent_free: release ptr-libevent@0x563fe544d700 Sep 21 07:25:32.602199: | signal event handler PLUTO_SIGSYS uninstalled Sep 21 07:25:32.602201: | releasing event base Sep 21 07:25:32.602213: | libevent_free: release ptr-libevent@0x563fe5458d30 Sep 21 07:25:32.602215: | libevent_free: release ptr-libevent@0x563fe542e270 Sep 21 07:25:32.602220: | libevent_free: 
release ptr-libevent@0x563fe543cab0 Sep 21 07:25:32.602222: | libevent_free: release ptr-libevent@0x563fe543cb80 Sep 21 07:25:32.602225: | libevent_free: release ptr-libevent@0x563fe543cad0 Sep 21 07:25:32.602227: | libevent_free: release ptr-libevent@0x563fe5458a90 Sep 21 07:25:32.602230: | libevent_free: release ptr-libevent@0x563fe5458b70 Sep 21 07:25:32.602232: | libevent_free: release ptr-libevent@0x563fe543cb60 Sep 21 07:25:32.602234: | libevent_free: release ptr-libevent@0x563fe543ccc0 Sep 21 07:25:32.602237: | libevent_free: release ptr-libevent@0x563fe5441720 Sep 21 07:25:32.602239: | libevent_free: release ptr-libevent@0x563fe54595e0 Sep 21 07:25:32.602241: | libevent_free: release ptr-libevent@0x563fe54594f0 Sep 21 07:25:32.602244: | libevent_free: release ptr-libevent@0x563fe5459400 Sep 21 07:25:32.602246: | libevent_free: release ptr-libevent@0x563fe5459310 Sep 21 07:25:32.602248: | libevent_free: release ptr-libevent@0x563fe5459220 Sep 21 07:25:32.602250: | libevent_free: release ptr-libevent@0x563fe5459130 Sep 21 07:25:32.602253: | libevent_free: release ptr-libevent@0x563fe53c0370 Sep 21 07:25:32.602255: | libevent_free: release ptr-libevent@0x563fe5458c50 Sep 21 07:25:32.602257: | libevent_free: release ptr-libevent@0x563fe5458b90 Sep 21 07:25:32.602260: | libevent_free: release ptr-libevent@0x563fe5458ab0 Sep 21 07:25:32.602262: | libevent_free: release ptr-libevent@0x563fe5458d10 Sep 21 07:25:32.602264: | libevent_free: release ptr-libevent@0x563fe53be5b0 Sep 21 07:25:32.602267: | libevent_free: release ptr-libevent@0x563fe543caf0 Sep 21 07:25:32.602273: | libevent_free: release ptr-libevent@0x563fe543cb20 Sep 21 07:25:32.602275: | libevent_free: release ptr-libevent@0x563fe543c810 Sep 21 07:25:32.602278: | releasing global libevent data Sep 21 07:25:32.602281: | libevent_free: release ptr-libevent@0x563fe543b500 Sep 21 07:25:32.602283: | libevent_free: release ptr-libevent@0x563fe543c7b0 Sep 21 07:25:32.602286: | libevent_free: release 
ptr-libevent@0x563fe543c7e0